From d89a8e83aeedb1a4b070cec2c9b05e11b8410a81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Wed, 20 May 2026 11:45:12 -0300 Subject: [PATCH 01/22] refactor(chart): reorganize controller templates into subdirectory MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move all controller-specific Helm templates from the top-level templates/ directory into a templates/controller/ subdirectory. This restructuring prepares the chart for the upcoming merge of the kubewarden-crds and kubewarden-defaults charts, which will each get their own subdirectory under templates/. The webhook service name is now derived from the release name through a dedicated webhookServiceName helper, replacing the "-webhook-service" suffix previously appended inline to the fullname helper in each template. All helm unit test references have been updated to reflect the new template paths. Assisted-by: Claude Code 
Signed-off-by: José Guilherme Vanz --- .../templates/_helpers.tpl | 19 ++++++++++++++++ .../templates/{ => controller}/NOTES.txt | 0 .../{ => controller}/audit-scanner-role.yaml | 0 .../audit-scanner-rolebinding.yaml | 0 .../{ => controller}/audit-scanner.yaml | 0 .../templates/{ => controller}/configmap.yaml | 0 .../controller-rbac-metrics-role.yaml | 0 .../controller-rbac-rolebinding.yaml | 0 .../controller-rbac-roles.yaml | 0 .../{ => controller}/deployment.yaml | 3 ++- .../opentelemetry-collector.yaml | 0 .../{ => controller}/post-install-hook.yaml | 0 .../{ => controller}/pre-delete-hook.yaml | 2 +- .../templates/{ => controller}/service.yaml | 2 +- .../{ => controller}/serviceaccount.yaml | 0 .../templates/{ => controller}/webhooks.yaml | 22 +++++++++---------- ...additional_environment_variables_test.yaml | 2 +- .../always_accept_admission_reviews_test.yaml | 2 +- .../tests/audit_scanner_test.yaml | 2 +- .../tests/host_network_test.yaml | 2 +- .../tests/image_pull_secrets_test.yaml | 2 +- .../tests/post_install_hook_test.yaml | 2 +- .../tests/priorityClassName_test.yaml | 2 +- .../tests/rbac_roles_test.yaml | 2 +- .../tests/service_ports_test.yaml | 2 +- .../tests/telemetry_configuration_test.yaml | 2 +- .../tests/webhooks_coverage_test.yaml | 2 +- .../webhooks_existing_certificates_test.yaml | 2 +- .../tests/webhooks_test.yaml | 2 +- 29 files changed, 47 insertions(+), 27 deletions(-) rename charts/kubewarden-controller/templates/{ => controller}/NOTES.txt (100%) rename charts/kubewarden-controller/templates/{ => controller}/audit-scanner-role.yaml (100%) rename charts/kubewarden-controller/templates/{ => controller}/audit-scanner-rolebinding.yaml (100%) rename charts/kubewarden-controller/templates/{ => controller}/audit-scanner.yaml (100%) rename charts/kubewarden-controller/templates/{ => controller}/configmap.yaml (100%) rename charts/kubewarden-controller/templates/{ => controller}/controller-rbac-metrics-role.yaml (100%) rename 
charts/kubewarden-controller/templates/{ => controller}/controller-rbac-rolebinding.yaml (100%) rename charts/kubewarden-controller/templates/{ => controller}/controller-rbac-roles.yaml (100%) rename charts/kubewarden-controller/templates/{ => controller}/deployment.yaml (98%) rename charts/kubewarden-controller/templates/{ => controller}/opentelemetry-collector.yaml (100%) rename charts/kubewarden-controller/templates/{ => controller}/post-install-hook.yaml (100%) rename charts/kubewarden-controller/templates/{ => controller}/pre-delete-hook.yaml (89%) rename charts/kubewarden-controller/templates/{ => controller}/service.yaml (92%) rename charts/kubewarden-controller/templates/{ => controller}/serviceaccount.yaml (100%) rename charts/kubewarden-controller/templates/{ => controller}/webhooks.yaml (90%) diff --git a/charts/kubewarden-controller/templates/_helpers.tpl b/charts/kubewarden-controller/templates/_helpers.tpl index 8044d3f42..0d7217cd6 100644 --- a/charts/kubewarden-controller/templates/_helpers.tpl +++ b/charts/kubewarden-controller/templates/_helpers.tpl 
@@ -104,6 +104,25 @@ Create the name of the service account to use for kubewarden-controller {{- include "kubewarden-controller.fullname" . }} {{- end }} +{{/* +Create the webhook service name, ensuring it doesn't exceed 63 characters. +The service name is fullname + "-webhook-service" (16 chars), so we need to +limit fullname to 47 chars to stay under the 63 char limit. +*/}} +{{- define "kubewarden-controller.webhookServiceName" -}} +{{- if .Values.fullnameOverride }} +{{- printf "%s-webhook-service" (.Values.fullnameOverride | trunc 47 | trimSuffix "-") }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- printf "%s-webhook-service" (.Release.Name | trunc 47 | trimSuffix "-") }} +{{- else }} +{{- $fullname := printf "%s-%s" .Release.Name $name | trunc 47 | trimSuffix "-" }} +{{- printf "%s-webhook-service" $fullname }} +{{- end }} +{{- end }} +{{- end }} + {{- define "system_default_registry" -}} {{- if .Values.global.cattle.systemDefaultRegistry -}} {{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} diff --git a/charts/kubewarden-controller/templates/NOTES.txt b/charts/kubewarden-controller/templates/controller/NOTES.txt similarity index 100% rename from charts/kubewarden-controller/templates/NOTES.txt rename to charts/kubewarden-controller/templates/controller/NOTES.txt diff --git a/charts/kubewarden-controller/templates/audit-scanner-role.yaml b/charts/kubewarden-controller/templates/controller/audit-scanner-role.yaml similarity index 100% rename from charts/kubewarden-controller/templates/audit-scanner-role.yaml rename to charts/kubewarden-controller/templates/controller/audit-scanner-role.yaml 
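Review bot: For any release whose computed fullname exceeds 47 characters, `webhookServiceName` yields a different Service name than the `fullname` + `-webhook-service` form it replaces, so the Service, the `--webhook-service-name` flag and the cert SAN `<svc>.<ns>.svc` generated in controller/webhooks.yaml all change on upgrade; a user-supplied webhook certificate (the `tls.key` lookup path in webhooks.yaml) issued for the old name would then fail API-server TLS verification, and with `failurePolicy: Fail` that blocks every policy create/update until the cert is reissued. The comment's "stay under the 63 char limit" is also slightly off: 47 + 16 is exactly 63, which is the inclusive maximum for a DNS-1035 Service name, so "within" is the accurate word. I would extend the header comment with `Must stay in sync with the SAN generated in controller/webhooks.yaml; for fullnames longer than 47 chars this differs from the previous fullname + "-webhook-service" name, so bring-your-own certificates must be reissued for the new name.` Note that `trimSuffix "-"` strips only a single trailing dash, so a truncation that lands on `--` still produces a name ending in `-`; the same limitation presumably exists in the `fullname` helper above the hunk, which is worth confirming.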
diff --git a/charts/kubewarden-controller/templates/audit-scanner-rolebinding.yaml b/charts/kubewarden-controller/templates/controller/audit-scanner-rolebinding.yaml similarity index 100% rename from charts/kubewarden-controller/templates/audit-scanner-rolebinding.yaml rename to charts/kubewarden-controller/templates/controller/audit-scanner-rolebinding.yaml diff --git a/charts/kubewarden-controller/templates/audit-scanner.yaml b/charts/kubewarden-controller/templates/controller/audit-scanner.yaml similarity index 100% rename from charts/kubewarden-controller/templates/audit-scanner.yaml rename to charts/kubewarden-controller/templates/controller/audit-scanner.yaml diff --git a/charts/kubewarden-controller/templates/configmap.yaml b/charts/kubewarden-controller/templates/controller/configmap.yaml similarity index 100% rename from charts/kubewarden-controller/templates/configmap.yaml rename to charts/kubewarden-controller/templates/controller/configmap.yaml diff --git a/charts/kubewarden-controller/templates/controller-rbac-metrics-role.yaml b/charts/kubewarden-controller/templates/controller/controller-rbac-metrics-role.yaml similarity index 100% rename from charts/kubewarden-controller/templates/controller-rbac-metrics-role.yaml rename to charts/kubewarden-controller/templates/controller/controller-rbac-metrics-role.yaml diff --git a/charts/kubewarden-controller/templates/controller-rbac-rolebinding.yaml b/charts/kubewarden-controller/templates/controller/controller-rbac-rolebinding.yaml similarity index 100% rename from charts/kubewarden-controller/templates/controller-rbac-rolebinding.yaml rename to charts/kubewarden-controller/templates/controller/controller-rbac-rolebinding.yaml 
diff --git a/charts/kubewarden-controller/templates/controller-rbac-roles.yaml b/charts/kubewarden-controller/templates/controller/controller-rbac-roles.yaml similarity index 100% rename from charts/kubewarden-controller/templates/controller-rbac-roles.yaml rename to charts/kubewarden-controller/templates/controller/controller-rbac-roles.yaml diff --git a/charts/kubewarden-controller/templates/deployment.yaml b/charts/kubewarden-controller/templates/controller/deployment.yaml similarity index 98% rename from charts/kubewarden-controller/templates/deployment.yaml rename to charts/kubewarden-controller/templates/controller/deployment.yaml index 290c8e2f1..cebd65ed0 100644 --- a/charts/kubewarden-controller/templates/deployment.yaml +++ b/charts/kubewarden-controller/templates/controller/deployment.yaml @@ -56,7 +56,7 @@ spec: args: - --leader-elect - --deployments-namespace={{ .Release.Namespace }} - - --webhook-service-name={{ include "kubewarden-controller.fullname" . }}-webhook-service + - --webhook-service-name={{ include "kubewarden-controller.webhookServiceName" . }} - --webhook-server-port={{ .Values.ports.webhook }} - --health-probe-bind-address=:{{ .Values.ports.healthProbe }} {{- if .Values.telemetry.metrics}} @@ -79,6 +79,7 @@ spec: {{- if .Values.hostNetwork }} - --host-network {{- end }} + - --defaults-configmap-name={{ .Values.defaultConfigMapName | default "kubewarden-defaults" }} {{- if or .Values.telemetry.metrics .Values.telemetry.tracing }} {{- if and (eq .Values.telemetry.mode "sidecar") }} - --enable-otel-sidecar diff --git a/charts/kubewarden-controller/templates/opentelemetry-collector.yaml b/charts/kubewarden-controller/templates/controller/opentelemetry-collector.yaml similarity index 100% rename from charts/kubewarden-controller/templates/opentelemetry-collector.yaml rename to charts/kubewarden-controller/templates/controller/opentelemetry-collector.yaml 
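Review bot: The new `--defaults-configmap-name={{ .Values.defaultConfigMapName | default "kubewarden-defaults" }}` argument is an unrelated functional change inside a commit described as a template move: it introduces a controller flag and a values key that neither the commit message nor values.yaml (absent from the diffstat) mention. If the controller image pinned by the chart does not accept `--defaults-configmap-name`, the Deployment fails at startup, so the flag should be gated on a value or landed together with the image bump; later patches in this 22-patch series may add the key, but each commit should still install on its own. At minimum declare the key in values.yaml with a comment such as `# Name of the ConfigMap the controller reads default settings from (passed as --defaults-configmap-name); presumably the one rendered by the former kubewarden-defaults chart — confirm`, and mention the flag in the commit message. The surrounding `args:` list and container spec start outside the hunk.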
diff --git a/charts/kubewarden-controller/templates/post-install-hook.yaml b/charts/kubewarden-controller/templates/controller/post-install-hook.yaml similarity index 100% rename from charts/kubewarden-controller/templates/post-install-hook.yaml rename to charts/kubewarden-controller/templates/controller/post-install-hook.yaml diff --git a/charts/kubewarden-controller/templates/pre-delete-hook.yaml b/charts/kubewarden-controller/templates/controller/pre-delete-hook.yaml similarity index 89% rename from charts/kubewarden-controller/templates/pre-delete-hook.yaml rename to charts/kubewarden-controller/templates/controller/pre-delete-hook.yaml index 116a1f052..39e273689 100644 --- a/charts/kubewarden-controller/templates/pre-delete-hook.yaml +++ b/charts/kubewarden-controller/templates/controller/pre-delete-hook.yaml @@ -36,7 +36,7 @@ spec: containers: - name: pre-delete-job image: '{{ template "system_default_registry" . }}{{ .Values.preDeleteJob.image.repository }}:{{ .Values.preDeleteJob.image.tag }}' - command: ["kubectl", "delete", "--all", "policyservers.policies.kubewarden.io"] + command: ["kubectl", "delete", "policyservers,clusteradmissionpolicies,admissionpolicies,clusteradmissionpolicygroups,admissionpolicygroups", "-A", "-l", "kubewarden.io/managed-by=kubewarden-controller-defaults", "--ignore-not-found"] env: - name: KUBERLR_ALLOWDOWNLOAD value: "1" diff --git a/charts/kubewarden-controller/templates/service.yaml b/charts/kubewarden-controller/templates/controller/service.yaml similarity index 92% rename from charts/kubewarden-controller/templates/service.yaml rename to charts/kubewarden-controller/templates/controller/service.yaml index 8682f73de..307c68cf8 100644 --- a/charts/kubewarden-controller/templates/service.yaml +++ b/charts/kubewarden-controller/templates/controller/service.yaml 
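Review bot: The label selector narrows the pre-delete cleanup to resources carrying `kubewarden.io/managed-by=kubewarden-controller-defaults`, so user-authored ClusterAdmissionPolicies, AdmissionPolicies, policy groups and PolicyServers, which the previous `--all` form removed, now survive `helm uninstall`. Once the release's webhook configurations and controller are gone those objects remain visible in the cluster but enforce nothing, which is easy to misread as policies still being active, and if the controller places finalizers on them (not visible in this hunk) they cannot be deleted afterwards without clearing the finalizer by hand. The job now also needs list/delete on five resource types in every namespace (`-A`) instead of one type; the Role/RoleBinding granting that is not in this diff, so confirm it was widened accordingly. I would record the intent above the command, `# Intentionally removes only resources managed by the defaults templates; user-authored policies and PolicyServers are left in place on uninstall`, and call the behavioural change out in the commit message. The Job spec this container belongs to starts outside the hunk.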
@@ -21,7 +21,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "kubewarden-controller.labels" . | nindent 4 }} diff --git a/charts/kubewarden-controller/templates/serviceaccount.yaml b/charts/kubewarden-controller/templates/controller/serviceaccount.yaml similarity index 100% rename from charts/kubewarden-controller/templates/serviceaccount.yaml rename to charts/kubewarden-controller/templates/controller/serviceaccount.yaml diff --git a/charts/kubewarden-controller/templates/webhooks.yaml b/charts/kubewarden-controller/templates/controller/webhooks.yaml similarity index 90% rename from charts/kubewarden-controller/templates/webhooks.yaml rename to charts/kubewarden-controller/templates/controller/webhooks.yaml index 52e114ff1..faa11ce7f 100644 --- a/charts/kubewarden-controller/templates/webhooks.yaml +++ b/charts/kubewarden-controller/templates/controller/webhooks.yaml @@ -33,7 +33,7 @@ {{ $webhookServerKey = (index $webhookServerCertSecret.data "tls.key") }} {{ else }} # generate webhook server leaf certificate -{{ $controllerDNSName := printf "%s-webhook-service.%s.svc" (include "kubewarden-controller.fullname" .) .Release.Namespace }} +{{ $controllerDNSName := printf "%s.%s.svc" (include "kubewarden-controller.webhookServiceName" .) .Release.Namespace }} {{ $webhookServerCertKeyPair := genSignedCertWithKey $controllerDNSName nil ( list $controllerDNSName ) 365 $ca (genPrivateKey "ecdsa") }} {{ $webhookServerCert = ($webhookServerCertKeyPair.Cert | b64enc) }} {{ $webhookServerKey = ($webhookServerCertKeyPair.Key | b64enc) }} 
@@ -102,7 +102,7 @@ webhooks: clientConfig: caBundle: {{ $caBundle }} service: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /mutate-policies-kubewarden-io-v1-clusteradmissionpolicy failurePolicy: Fail @@ -124,7 +124,7 @@ webhooks: clientConfig: caBundle: {{ $caBundle }} service: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /mutate-policies-kubewarden-io-v1-clusteradmissionpolicygroup failurePolicy: Fail @@ -146,7 +146,7 @@ webhooks: clientConfig: caBundle: {{ $caBundle }} service: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /mutate-policies-kubewarden-io-v1-policyserver failurePolicy: Fail @@ -168,7 +168,7 @@ webhooks: clientConfig: caBundle: {{ $caBundle }} service: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /mutate-policies-kubewarden-io-v1-admissionpolicy failurePolicy: Fail @@ -190,7 +190,7 @@ webhooks: clientConfig: caBundle: {{ $caBundle }} service: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /mutate-policies-kubewarden-io-v1-admissionpolicygroup failurePolicy: Fail 
@@ -222,7 +222,7 @@ webhooks: clientConfig: caBundle: {{ $caBundle }} service: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /validate-policies-kubewarden-io-v1-clusteradmissionpolicy failurePolicy: Fail @@ -244,7 +244,7 @@ webhooks: clientConfig: caBundle: {{ $caBundle }} service: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /validate-policies-kubewarden-io-v1-clusteradmissionpolicygroup failurePolicy: Fail @@ -266,7 +266,7 @@ webhooks: clientConfig: caBundle: {{ $caBundle }} service: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /validate-policies-kubewarden-io-v1-admissionpolicy failurePolicy: Fail @@ -288,7 +288,7 @@ webhooks: clientConfig: caBundle: {{ $caBundle }} service: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /validate-policies-kubewarden-io-v1-admissionpolicygroup failurePolicy: Fail @@ -309,7 +309,7 @@ webhooks: clientConfig: caBundle: {{ $caBundle }} service: - name: {{ include "kubewarden-controller.fullname" . }}-webhook-service + name: {{ include "kubewarden-controller.webhookServiceName" . }} namespace: {{ .Release.Namespace }} path: /validate-policies-kubewarden-io-v1-policyserver failurePolicy: Fail diff --git a/charts/kubewarden-controller/tests/additional_environment_variables_test.yaml b/charts/kubewarden-controller/tests/additional_environment_variables_test.yaml index 3e9a90af2..9e9670e64 100644 --- a/charts/kubewarden-controller/tests/additional_environment_variables_test.yaml 
+++ b/charts/kubewarden-controller/tests/additional_environment_variables_test.yaml @@ -1,6 +1,6 @@ suite: additionalEnvironmentVariables configuration templates: - - deployment.yaml + - controller/deployment.yaml tests: - it: "should not add extra env vars when additionalEnvironmentVariables is empty (default)" asserts: diff --git a/charts/kubewarden-controller/tests/always_accept_admission_reviews_test.yaml b/charts/kubewarden-controller/tests/always_accept_admission_reviews_test.yaml index 3d398e94a..15e630784 100644 --- a/charts/kubewarden-controller/tests/always_accept_admission_reviews_test.yaml +++ b/charts/kubewarden-controller/tests/always_accept_admission_reviews_test.yaml @@ -1,6 +1,6 @@ suite: alwaysAcceptAdmissionReviewsOnDeploymentsNamespace flag templates: - - deployment.yaml + - controller/deployment.yaml tests: - it: "should include the flag when alwaysAcceptAdmissionReviewsOnDeploymentsNamespace is true (default)" asserts: diff --git a/charts/kubewarden-controller/tests/audit_scanner_test.yaml b/charts/kubewarden-controller/tests/audit_scanner_test.yaml index 20a3684ba..b212bfa97 100644 --- a/charts/kubewarden-controller/tests/audit_scanner_test.yaml +++ b/charts/kubewarden-controller/tests/audit_scanner_test.yaml @@ -1,6 +1,6 @@ suite: Audit scanner configuration templates: - - audit-scanner.yaml + - controller/audit-scanner.yaml tests: - it: "should set report-kind properly when value is defined" set: diff --git a/charts/kubewarden-controller/tests/host_network_test.yaml b/charts/kubewarden-controller/tests/host_network_test.yaml index 0ba218f67..b52c410da 100644 --- a/charts/kubewarden-controller/tests/host_network_test.yaml +++ b/charts/kubewarden-controller/tests/host_network_test.yaml @@ -1,6 +1,6 @@ suite: host-network configuration templates: - - deployment.yaml + - controller/deployment.yaml tests: - it: "should not set hostNetwork and should not pass --host-network flag by default" asserts: 
diff --git a/charts/kubewarden-controller/tests/image_pull_secrets_test.yaml b/charts/kubewarden-controller/tests/image_pull_secrets_test.yaml index 5a6183da3..82f9360b1 100644 --- a/charts/kubewarden-controller/tests/image_pull_secrets_test.yaml +++ b/charts/kubewarden-controller/tests/image_pull_secrets_test.yaml @@ -1,6 +1,6 @@ suite: image-pull-secrets flag templates: - - deployment.yaml + - controller/deployment.yaml tests: - it: "should not include --image-pull-secrets when imagePullSecrets is empty (default)" asserts: diff --git a/charts/kubewarden-controller/tests/post_install_hook_test.yaml b/charts/kubewarden-controller/tests/post_install_hook_test.yaml index 8a56713b0..5a9461cee 100644 --- a/charts/kubewarden-controller/tests/post_install_hook_test.yaml +++ b/charts/kubewarden-controller/tests/post_install_hook_test.yaml @@ -1,6 +1,6 @@ suite: post-install hook rendering templates: - - post-install-hook.yaml + - controller/post-install-hook.yaml tests: - it: "should render post-install hook for sidecar telemetry" set: diff --git a/charts/kubewarden-controller/tests/priorityClassName_test.yaml b/charts/kubewarden-controller/tests/priorityClassName_test.yaml index 26e64ec17..f2856eb48 100644 --- a/charts/kubewarden-controller/tests/priorityClassName_test.yaml +++ b/charts/kubewarden-controller/tests/priorityClassName_test.yaml @@ -1,6 +1,6 @@ suite: priorityClassName configuration templates: - - deployment.yaml + - controller/deployment.yaml tests: - it: "should set the priorityClassName when .global.priorityClassName is defined" set: diff --git a/charts/kubewarden-controller/tests/rbac_roles_test.yaml b/charts/kubewarden-controller/tests/rbac_roles_test.yaml index 57ebacbfa..f7ef80306 100644 --- a/charts/kubewarden-controller/tests/rbac_roles_test.yaml +++ b/charts/kubewarden-controller/tests/rbac_roles_test.yaml 
@@ -1,6 +1,6 @@ suite: controller RBAC roles templates: - - controller-rbac-roles.yaml + - controller/controller-rbac-roles.yaml release: namespace: "kubewarden" tests: diff --git a/charts/kubewarden-controller/tests/service_ports_test.yaml b/charts/kubewarden-controller/tests/service_ports_test.yaml index e05eb18a5..61f66379c 100644 --- a/charts/kubewarden-controller/tests/service_ports_test.yaml +++ b/charts/kubewarden-controller/tests/service_ports_test.yaml @@ -1,6 +1,6 @@ suite: service ports configuration templates: - - service.yaml + - controller/service.yaml tests: - it: "should use default ports in services" set: diff --git a/charts/kubewarden-controller/tests/telemetry_configuration_test.yaml b/charts/kubewarden-controller/tests/telemetry_configuration_test.yaml index 4339e11b8..4719328e4 100644 --- a/charts/kubewarden-controller/tests/telemetry_configuration_test.yaml +++ b/charts/kubewarden-controller/tests/telemetry_configuration_test.yaml @@ -1,6 +1,6 @@ suite: telemetry configuration templates: - - deployment.yaml + - controller/deployment.yaml tests: - it: "should set required configuration when connecting with remote otel collector" set: diff --git a/charts/kubewarden-controller/tests/webhooks_coverage_test.yaml b/charts/kubewarden-controller/tests/webhooks_coverage_test.yaml index 2f1efd638..432536052 100644 --- a/charts/kubewarden-controller/tests/webhooks_coverage_test.yaml +++ b/charts/kubewarden-controller/tests/webhooks_coverage_test.yaml @@ -1,6 +1,6 @@ suite: webhooks Helm templating coverage templates: - - webhooks.yaml + - controller/webhooks.yaml release: namespace: "kubewarden" diff --git a/charts/kubewarden-controller/tests/webhooks_existing_certificates_test.yaml b/charts/kubewarden-controller/tests/webhooks_existing_certificates_test.yaml index 905c4b0e8..4470f6359 100644 --- a/charts/kubewarden-controller/tests/webhooks_existing_certificates_test.yaml +++ b/charts/kubewarden-controller/tests/webhooks_existing_certificates_test.yaml 
@@ -1,6 +1,6 @@ suite: existing certificates are not overwritten templates: - - webhooks.yaml + - controller/webhooks.yaml release: namespace: "kubewarden" kubernetesProvider: diff --git a/charts/kubewarden-controller/tests/webhooks_test.yaml b/charts/kubewarden-controller/tests/webhooks_test.yaml index afc34aaed..9cbdb5470 100644 --- a/charts/kubewarden-controller/tests/webhooks_test.yaml +++ b/charts/kubewarden-controller/tests/webhooks_test.yaml @@ -1,6 +1,6 @@ suite: certificates generation templates: - - webhooks.yaml + - controller/webhooks.yaml release: namespace: "kubewarden" tests: From a5ca13232950e5a66f57b644ca3a400e02805ba0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Wed, 20 May 2026 11:46:58 -0300 Subject: [PATCH 02/22] feat(chart): integrate CRD templates into unified chart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bring all Kubewarden CRD templates and the OpenReports dependency chart into the kubewarden-controller chart. This is part of merging the three separate Helm charts into one unified chart. The CRD templates include all five Kubewarden policy CRDs plus the PolicyReport and ClusterPolicyReport CRDs. The OpenReports chart is added as a conditional dependency controlled by the reportCRDs.installOpenReportsCRDs value. Assisted-by: Claude Code 
Signed-off-by: José Guilherme Vanz --- charts/kubewarden-controller/Chart.lock | 7 +- charts/kubewarden-controller/Chart.yaml | 4 + .../charts/openreports-0.2.1.tgz | Bin 0 -> 4793 bytes .../templates/crds/clusterpolicyreports.yaml | 1014 ++++++++ ...icies.kubewarden.io_admissionpolicies.yaml | 842 +++++++ ...s.kubewarden.io_admissionpolicygroups.yaml | 498 ++++ ...ubewarden.io_clusteradmissionpolicies.yaml | 1057 ++++++++ ...arden.io_clusteradmissionpolicygroups.yaml | 622 +++++ .../policies.kubewarden.io_policyservers.yaml | 2183 +++++++++++++++++ .../templates/crds/policyreports.yaml | 1011 ++++++++ 10 files changed, 7236 insertions(+), 2 deletions(-) create mode 100644 charts/kubewarden-controller/charts/openreports-0.2.1.tgz create mode 100644 charts/kubewarden-controller/templates/crds/clusterpolicyreports.yaml create mode 100644 charts/kubewarden-controller/templates/crds/policies.kubewarden.io_admissionpolicies.yaml create mode 100644 charts/kubewarden-controller/templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml create mode 100644 charts/kubewarden-controller/templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml create mode 100644 charts/kubewarden-controller/templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml create mode 100644 charts/kubewarden-controller/templates/crds/policies.kubewarden.io_policyservers.yaml create mode 100644 charts/kubewarden-controller/templates/crds/policyreports.yaml diff --git a/charts/kubewarden-controller/Chart.lock b/charts/kubewarden-controller/Chart.lock index 9a5344b42..653eadd42 100644 --- a/charts/kubewarden-controller/Chart.lock +++ b/charts/kubewarden-controller/Chart.lock 
@@ -1,6 +1,9 @@ dependencies: +- name: openreports + repository: https://openreports.github.io/reports-api + version: 0.2.1 - name: policy-reporter repository: https://kyverno.github.io/policy-reporter version: 3.7.4 -digest: sha256:4709ffeb20dd2530d6097960f92532edb214c4a18ecafe25c7f904c74a1299b0 -generated: "2026-05-04T04:42:54.814380704Z" +digest: sha256:898483870eb2f263adea70555d61a98d1238f14238295deb834ab4f77cfa8960 +generated: "2026-05-15T11:53:15.774867266-03:00" diff --git a/charts/kubewarden-controller/Chart.yaml b/charts/kubewarden-controller/Chart.yaml index e53ed9b26..c372e7103 100644 --- a/charts/kubewarden-controller/Chart.yaml +++ b/charts/kubewarden-controller/Chart.yaml @@ -46,6 +46,10 @@ annotations: # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`. catalog.cattle.io/type: cluster-tool dependencies: + - name: openreports + version: 0.2.1 + repository: https://openreports.github.io/reports-api + condition: reportCRDs.installOpenReportsCRDs - name: policy-reporter version: 3.7.4 repository: https://kyverno.github.io/policy-reporter 
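Review bot: `condition: reportCRDs.installOpenReportsCRDs` only disables the openreports subchart when that path exists in the parent values and resolves to a boolean; Helm ignores a condition whose path is absent and installs the dependency. values.yaml is not in this patch's diffstat, so as committed the OpenReports CRDs appear to be installed unconditionally, contrary to the commit message, until `reportCRDs.installOpenReportsCRDs` is declared — and the new `templates/crds/clusterpolicyreports.yaml` further down guards on a differently named key, `.Values.installPolicyReportCRDs`, so the two report-CRD switches should be aligned or at least documented together. Declaring the key in the same commit, e.g. `reportCRDs:` / `  installOpenReportsCRDs: true  # set to false when the cluster already ships the OpenReports CRDs`, closes the gap. As far as I know the Chart.lock `digest` hashes the dependency list rather than the vendored `openreports-0.2.1.tgz`, so the archive should come from `helm dependency build` against the pinned repository rather than being added by hand.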
diff --git a/charts/kubewarden-controller/charts/openreports-0.2.1.tgz b/charts/kubewarden-controller/charts/openreports-0.2.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7f233b04fd1d595cd8f3ef6650a520d107ca94bd GIT binary patch literal 4793 zcmZvgWl$UJ(uQ#f9$bnQio0uZFB%+Dpg}`$E5$-_cdcMW3luM2EEFd|p-6Fu;#MrD z=RI@gn{Vbkvp=5Mx%b-p*Us!R#p6++{rjP~(0FV$37J5_7gN zk`mW5F%f@Z>grZ72HFdJ*^$+lLvO_@Tb zloBaAN9@cwC`CbqxfRQYoR&c_=ZHiZuC^f9-l} z;;;lz=ZYCLMUy*wiL%Z_si*IyrlTg1!}r;w9JipPs<2>W zi(CwuDFnHt;#pUhG0H>p$8ECGII(KrJGZv$dU_8-PC4_;Ks<^YY)5B9B!-#<4~^fW zcso0*(qrSVYg1O8P~ay9bzc>qY%^j0+Bhy*3J(oerowp9-j1tvJQlJqC4%m1t-lK4 z0eI1crO%RTqzZvI*zr?2+eY{NG@S^q*HJ-4L#6~(X57yyNr1XE9A4g0!mrfaW;T_) zl&E2(lsSO@s`Z|6(rHOV&<2ND3}EzN9S$#`YM;b%Mi&}ns|*WxDNBQAmnc;oc4K*J z!;H83?i7&V|A_+=9%GpXvRR@a2~>bYkCI64o?oW+GqWXCp-oWh!>R3@8FP-}VtE=_ z0v!gclzl>i{~WBn*g7qqUv{A8dIL&3+{`fnDt;5^SCk6VRBb%!$^c63 zvi;i{{IU8`vbg9o8XT82M*R-m%FGXRyY#Do1nFI83U0Dy41TicFh0&dD28T*v^~v4 zsjA#TuA~(4(krrY63DDwha$twJI+t+0kgN2iI2IS3K8Sx1Bc^S-rv?GKdHDOED&kt z+_cmiq$Z?^*yaH_xZ12NDO}M)x-n(cN=+VD8z+=4MOL8FU($1>*a_o9tXp}3?I(Lh z_eBdrafh*FzD~N#0A!$MI6FX4RYaj8Odn}H6d=4ZQ(#-H@4<{D+@uS0pf1PO_x@oZ z;#3+diUYQ`I>%A5VCq+KllvXmcXED&86)Zv=p8TmeCKV$Tk;JVV3|;nvn*!K6jK@%i*q!6w1z zx7p_Ka4@fJGqNQ2AXb$?r@(os893Bu}sZtBN_S$En(+UU>5--ZSU3})@?5)seBZ{I5yRsER zcyQ`Tne)ZGFzha?^7cfyy}toGSCo)_59q zHc-2dZi1h&T%zl~deJl?=gZ|b#O3hBew>%t05Pw_R9WsI;&UM99z8@@SY3~xi#~=q z;sExV)z#A5Qi`F+ydw%H;2O{2EF6kTD)+l(MZr|E7t5N$1UkWVj3iN2+k= zxqbddB}7OU_^E@oH&wd2unBC(`Yxcl8?%{;z`oT(X+Wa zV*jOXs#6)d{EN)~I~Pv3J#$UYj2>g8Ax_U=NjlsKyFq+~l4TfCH@U9!JLz4i3TJV; zXZvQCb$x^@orvN)0BpigO)iGK)%jh|RO%^!_E;|W{cf@F(2HbGVpYj7(#Q(%mo6&K z#W*av^ZswtVL*1ecB#duUwLQyey#+Makt1Ei<=gF0RH$8Y*hdC6>N;U-s^mZc7JzF z@~3pk^a)Md_cy$H(7JB!)VblrwQUAEL_?u^T|~ZtqLA*4(0!$7;_}#vemFk0y!2dQ z6drf*EDs1{TFAJlR6hv3rm-i>j>Z-K-AO@wW$OBF_D7*;q~{VD{L0O?Va{!$pdQbp zPhjr@GS?Efaa~&JO`H2fcXaGzLqlL2k0m!k^Ezo5HU*yknU_@LcITCYiA$%jt+U)5 zw8%Svb6oBGq`owKT7d2oi4=|$L0G*{-DfKyHf6HL_cKJ=WQD^gKbk#9m4sJ*9-J{q 
zMt>Rj;bzedpQd{1WWDg`(w>UoyIV-s)DyaZZw9mUF9#uvJvg23EN`9s(}fj)80esI za%mzQ4=1L|176(47I#_g&f6k92FGozo8pLXK!bXE8~qOf*&m841CoLw4vL zKg5zhU!wCAoF)1xjgr~33(^G)7+I;Gp7*%F+4aq&dNNH$*ZV~Jd+;_s!HOBVx@&pA zze}?MzPpRuPeQ&^K#Gk}ftX6Fqn#6r1+=gB9OIRl!)OVX_dKmO53&U10ej;)0=sFQ zTK?5j_BhZ{EMur1?ZE_>HvQBYthZ0WZAiumf$KNoGpE{(ntU_Gn%xlFXo=vLZF()& zAk%MF=8*7mFO*S>Fm-hm$yo&NmJ`~H+RDaC9N?*ON5 z3K1uk5Bi*k@8}}sw*Xa%j^`<|I?9(V%u1CzBrJYfjH+hAZ9#WaWkT#EsXCn!t-o~k zkKTOrOu4dH6!$VB24UJ&5Sp>vX(f4L`IDAN=fmhdEF+r5q!;OOVTr@d>JZD~y7#UI z(EYMhivafymGr>{yI(9()~OWeP){L{fNr2!Y$n^p?oiMcj^V+*2!i$7q7U^KjQ2CM z@!?N?l7<;&HxZ_Xk!xZwkj<;aU%@gu=YF=b#Xp;#P$sjKkWXe|b6)!SsUIUdc2#hiFwoI!ioTU=3QdhIa zGG#|=p?w208%>k2Z3bM6jeRH@kW{czs-R4`J7bU3`E(y3H1 z^L#PoZwR*QFevZ=#A`ZgNn-Us<9()}{9sG)<67w}^v53rX0b>sF^RMs_;)Lq)_`gB z4~Z)2fD*_Gb#dD3YN(ijeiNG}gN0A9Q2Tj$Iz3h*H!yu~aA;Epb$u=Uhoh}q7;EU+ zsr|y<-d=@-+zD|R6AAG|lHT7yf$d&A_YIY8iz!2ZnOE*~4&B8`Mm$lZcOVF~Fn2+=aq$X~nq&_{xOz}t@vf&eM3#Ft?h6gCkbRFh*`x0`)=_iChsm?!L_rL z%@&5rot6s>F5@MK&!%7e8E88-*33(o)<|Q+5Xly7rfzd63^3xTeBlfMy*GpfAP7LClmqTQUMVD^RNj~zQdt^t1&nn!e5KK2X(i~-3{@mf-{mu~- zr_+1I&}QGpVu&_dHT3<%1awKk(PfQWd2%CzC1byL{t~cXj#d@ zX#4zP+K-%(=6!kXP5PIY01LIzOI(gf%$Jar@Cav{F5tktNrleW%ixs`at+)2+zy3? zn3T~(V;I~8of|`k%fo>BgBL!UCp(V8~g&3lmeUF%xZ^-It`vaznkY4{+h)j9^ zVK84Xz1(E~4EhhocEfCs@{namR!mnnGsSwncbKsKykh}+V)Altxc%Gf@{!lFgKYaf zCvwjWn8KlVQeK{P^nzBHxQU@lDgE=2kZ{$HuR{_e17z9!RrQzBqJCQZfCX#sD>hNd z??8n8pv5x!Lx7Q!(g--e)m+YXEA?ZP6pW>`K3S){U2V?qiF?GkTJe4!CE5v(X{*e@>|4@5J^;los@;G-&r0llP3ih45ap62QuKk@U)1_>>Jd$~R%Q*7JclMH-(q?SMkFwKBRlpQEVtnC6 z*%`OZ9oQNNt|>Cbgz&Nk|ef0U};|F3?3>>td3^?!-~d=J*J z{`Sd3Z;Jze|DS@t-79-MDLb|Pcm03N{RhRE;qh;3?XCBJP5+axBA)(-9JRLpkFgaf z&m8LZwmx5ZVcONQUZtzolHK1q)l1_|Np+uP6p zrO1ARlH!E{g}<8?*FADq?_(&R@p0Zw`U==FNfsy&R0nd1y4oD`_!?IC9>&7I1ck&62={dc$cd-BwmfS#fgn`cx?mrvY_@J}gaV2D50~zW3vgeNkE{ZN=)h zCh0DdE{)7-r(>L`>Ka?hBS%8cIj|*ZtBxap)C>O6(?SG+E|92*p0=2v7#)0dj*@BWK!y7nY;yAL-DMA62}A-{q(0f zt6K+%u(mvPxnw@wL$q3L$?0&NVdUZo4HChdy literal 0 HcmV?d00001 
diff --git a/charts/kubewarden-controller/templates/crds/clusterpolicyreports.yaml b/charts/kubewarden-controller/templates/crds/clusterpolicyreports.yaml new file mode 100644 index 000000000..7d0f30a3d --- /dev/null +++ b/charts/kubewarden-controller/templates/crds/clusterpolicyreports.yaml 
@@ -0,0 +1,1014 @@ +{{- if or .Values.installPolicyReportCRDs (not (hasKey .Values "installPolicyReportCRDs")) }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + helm.sh/resource-policy: keep + creationTimestamp: null + name: clusterpolicyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: ClusterPolicyReport + listKind: ClusterPolicyReportList + plural: clusterpolicyreports + shortNames: + - cpolr + singular: clusterpolicyreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy + rule + type: object + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. 
Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. 
Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. 
For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. 
+ type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error 
+ name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. 
In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. 
Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +{{ end }} diff --git a/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_admissionpolicies.yaml b/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_admissionpolicies.yaml new file mode 100644 index 000000000..c52d11070 --- /dev/null +++ b/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_admissionpolicies.yaml 
@@ -0,0 +1,842 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + helm.sh/resource-policy: keep + name: admissionpolicies.policies.kubewarden.io +spec: + group: policies.kubewarden.io + names: + kind: AdmissionPolicy + listKind: AdmissionPolicyList + plural: admissionpolicies + shortNames: + - ap + singular: admissionpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Bound to Policy Server + jsonPath: .spec.policyServer + name: Policy Server + type: string + - description: Whether the policy is mutating + jsonPath: .spec.mutating + name: Mutating + type: boolean + - description: Whether the policy is used in audit checks + jsonPath: .spec.backgroundAudit + name: BackgroundAudit + type: boolean + - description: Policy deployment mode + jsonPath: .spec.mode + name: Mode + type: string + - description: Policy deployment mode observed on the assigned Policy Server + jsonPath: .status.mode + name: Observed mode + type: string + - description: Status of the policy + jsonPath: .status.policyStatus + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity'] + name: Severity + priority: 1 + type: string + - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category'] + name: Category + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: AdmissionPolicy is the Schema for the admissionpolicies API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AdmissionPolicySpec defines the desired state of AdmissionPolicy. + properties: + backgroundAudit: + default: true + description: |- + BackgroundAudit indicates whether a policy should be used or skipped when + performing audit checks. If false, the policy cannot produce meaningful + evaluation results during audit checks and will be skipped. + The default is "true". + type: boolean + failurePolicy: + description: |- + FailurePolicy defines how unrecognized errors and timeout errors from the + policy are handled. Allowed values are "Ignore" or "Fail". + * "Ignore" means that an error calling the webhook is ignored and the API + request is allowed to continue. + * "Fail" means that an error calling the webhook causes the admission to + fail and the API request to be rejected. + The default behaviour is "Fail" + type: string + matchConditions: + description: |- + MatchConditions are a list of conditions that must be met for a request to be + validated. Match conditions filter requests that have already been matched by + the rules, namespaceSelector, and objectSelector. An empty list of + matchConditions matches all requests. There are a maximum of 64 match + conditions allowed. If a parameter object is provided, it can be accessed via + the `params` handle in the same manner as validation expressions. The exact + matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, + the policy is skipped. 2. 
If ALL matchConditions evaluate to TRUE, the policy + is evaluated. 3. If any matchCondition evaluates to an error (but none are + FALSE): - If failurePolicy=Fail, reject the request - If + failurePolicy=Ignore, the policy is skipped. + Only available if the feature gate AdmissionWebhookMatchConditions is enabled. + items: + description: MatchCondition represents a condition which must by + fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + matchPolicy: + description: |- + matchPolicy defines how the "rules" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". +
    +
  • + Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. +
  • +
  • + Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
  • +
+ Defaults to "Equivalent" + type: string + message: + description: |- + Message overrides the rejection message of the policy. + When provided, the policy's rejection message can be found + inside of the `.status.details.causes` field of the + AdmissionResponse object + type: string + mode: + default: protect + description: |- + Mode defines the execution mode of this policy. Can be set to + either "protect" or "monitor". If it's empty, it is defaulted to + "protect". + Transitioning this setting from "monitor" to "protect" is + allowed, but is disallowed to transition from "protect" to + "monitor". To perform this transition, the policy should be + recreated in "monitor" mode instead. + enum: + - protect + - monitor + type: string + module: + description: |- + Module is the location of the WASM module to be loaded. Can be a + local file (file://), a remote file served by an HTTP server + (http://, https://), or an artifact served by an OCI-compatible + registry (registry://). + If prefix is missing, it will default to registry:// and use that + internally. + type: string + mutating: + description: |- + Mutating indicates whether a policy has the ability to mutate + incoming requests or not. + type: boolean + objectSelector: + description: |- + ObjectSelector decides whether to run the webhook based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the webhook, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + policyServer: + default: default + description: PolicyServer identifies an existing PolicyServer resource. + type: string + rules: + description: |- + Rules describes what operations on what resources/subresources the webhook cares about. + The webhook cares about an operation if it matches _any_ Rule. + items: + description: |- + RuleWithOperations is a tuple of Operations and Resources. It is recommended to make + sure that all the tuple expansions are valid. + properties: + apiGroups: + description: |- + apiGroups is the API groups the resources belong to. '*' is all groups. 
+ If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + apiVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". 
+ type: string + type: object + type: array + settings: + description: |- + Settings is a free-form object that contains the policy configuration + values. + x-kubernetes-embedded-resource: false + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + sideEffects: + description: |- + SideEffects states whether this webhook has side effects. + Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + Webhooks with side effects MUST implement a reconciliation system, since a request may be + rejected by a future step in the admission change and the side effects therefore need to be undone. + Requests with the dryRun attribute will be auto-rejected if they match a webhook with + sideEffects == Unknown or Some. + type: string + timeoutEvalSeconds: + description: |- + TimeoutEvalSeconds specifies the timeout for the policy evaluation. After + the timeout passes, the policy evaluation call will fail based on the + failure policy. + The timeout value must be between 2 and 30 seconds. + format: int32 + maximum: 30 + minimum: 2 + type: integer + timeoutSeconds: + default: 10 + description: |- + TimeoutSeconds specifies the timeout for the policy webhook. After the timeout passes, + the webhook call will be ignored or the API call will fail based on the + failure policy. + The timeout value must be between 2 and 30 seconds. + Default to 10 seconds. + format: int32 + maximum: 30 + minimum: 2 + type: integer + required: + - module + - mutating + - rules + type: object + status: + description: PolicyStatus defines the observed state of ClusterAdmissionPolicy + and AdmissionPolicy. + properties: + conditions: + description: |- + Conditions represent the observed conditions of the + ClusterAdmissionPolicy resource. 
Known .status.conditions.types + are: "PolicyServerSecretReconciled", + "PolicyServerConfigMapReconciled", + "PolicyServerDeploymentReconciled", + "PolicyServerServiceReconciled" and + "AdmissionPolicyActive" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + mode: + description: |- + PolicyMode represents the observed policy mode of this policy in + the associated PolicyServer configuration + enum: + - protect + - monitor + - unknown + type: string + policyStatus: + description: PolicyStatus represents the observed status of the policy + enum: + - unscheduled + - scheduled + - pending + - active + type: string + required: + - policyStatus + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Bound to Policy Server + jsonPath: .spec.policyServer + name: Policy Server + type: string + - description: Whether the policy is mutating + jsonPath: .spec.mutating + name: Mutating + type: boolean + - description: Policy deployment mode + jsonPath: .spec.mode + name: Mode + type: string + - description: Policy deployment mode observed on the assigned Policy Server + jsonPath: .status.mode + name: Observed mode + type: string + - description: Status of the policy + jsonPath: .status.policyStatus + name: Status + type: string + deprecated: true + deprecationWarning: This version is deprecated. Please, consider using v1 + name: v1alpha2 + schema: + openAPIV3Schema: + description: AdmissionPolicy is the Schema for the admissionpolicies API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AdmissionPolicySpec defines the desired state of AdmissionPolicy. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unrecognized errors and timeout errors from the + policy are handled. Allowed values are "Ignore" or "Fail". + * "Ignore" means that an error calling the webhook is ignored and the API + request is allowed to continue. + * "Fail" means that an error calling the webhook causes the admission to + fail and the API request to be rejected. + The default behaviour is "Fail" + type: string + matchPolicy: + description: |- + matchPolicy defines how the "rules" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". +
    +
  • + Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. +
  • +
  • + Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
  • +
+ Defaults to "Equivalent" + type: string + mode: + default: protect + description: |- + Mode defines the execution mode of this policy. Can be set to + either "protect" or "monitor". If it's empty, it is defaulted to + "protect". + Transitioning this setting from "monitor" to "protect" is + allowed, but is disallowed to transition from "protect" to + "monitor". To perform this transition, the policy should be + recreated in "monitor" mode instead. + enum: + - protect + - monitor + type: string + module: + description: |- + Module is the location of the WASM module to be loaded. Can be a + local file (file://), a remote file served by an HTTP server + (http://, https://), or an artifact served by an OCI-compatible + registry (registry://). + type: string + mutating: + description: |- + Mutating indicates whether a policy has the ability to mutate + incoming requests or not. + type: boolean + objectSelector: + description: |- + ObjectSelector decides whether to run the webhook based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the webhook, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + policyServer: + default: default + description: PolicyServer identifies an existing PolicyServer resource. + type: string + rules: + description: |- + Rules describes what operations on what resources/subresources the webhook cares about. + The webhook cares about an operation if it matches _any_ Rule. + items: + description: |- + RuleWithOperations is a tuple of Operations and Resources. It is recommended to make + sure that all the tuple expansions are valid. + properties: + apiGroups: + description: |- + apiGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + apiVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + type: array + settings: + description: |- + Settings is a free-form object that contains the policy configuration + values. + x-kubernetes-embedded-resource: false + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + sideEffects: + description: |- + SideEffects states whether this webhook has side effects. 
+ Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + Webhooks with side effects MUST implement a reconciliation system, since a request may be + rejected by a future step in the admission change and the side effects therefore need to be undone. + Requests with the dryRun attribute will be auto-rejected if they match a webhook with + sideEffects == Unknown or Some. + type: string + timeoutSeconds: + default: 10 + description: |- + TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + the webhook call will be ignored or the API call will fail based on the + failure policy. + The timeout value must be between 1 and 30 seconds. + Default to 10 seconds. + format: int32 + type: integer + required: + - module + - mutating + - rules + type: object + status: + description: PolicyStatus defines the observed state of ClusterAdmissionPolicy + and AdmissionPolicy. + properties: + conditions: + description: |- + Conditions represent the observed conditions of the + ClusterAdmissionPolicy resource. Known .status.conditions.types + are: "PolicyServerSecretReconciled", + "PolicyServerConfigMapReconciled", + "PolicyServerDeploymentReconciled", + "PolicyServerServiceReconciled" and + "AdmissionPolicyActive" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + mode: + description: |- + PolicyMode represents the observed policy mode of this policy in + the associated PolicyServer configuration + enum: + - protect + - monitor + - unknown + type: string + policyStatus: + description: PolicyStatus represents the observed status of the policy + enum: + - unscheduled + - scheduled + - pending + - active + type: string + required: + - policyStatus + type: object + type: object + served: true + storage: false + subresources: + status: {} 
diff --git a/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml b/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml new file mode 100644 index 000000000..f3a00ad70 --- /dev/null +++ b/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml 
@@ -0,0 +1,498 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + helm.sh/resource-policy: keep + name: admissionpolicygroups.policies.kubewarden.io +spec: + group: policies.kubewarden.io + names: + kind: AdmissionPolicyGroup + listKind: AdmissionPolicyGroupList + plural: admissionpolicygroups + shortNames: + - apg + singular: admissionpolicygroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Bound to Policy Server + jsonPath: .spec.policyServer + name: Policy Server + type: string + - description: Whether the policy is mutating + jsonPath: .spec.mutating + name: Mutating + type: boolean + - description: Whether the policy is used in audit checks + jsonPath: .spec.backgroundAudit + name: BackgroundAudit + type: boolean + - description: Policy deployment mode + jsonPath: .spec.mode + name: Mode + type: string + - description: Policy deployment mode observed on the assigned Policy Server + jsonPath: .status.mode + name: Observed mode + type: string + - description: Status of the policy + jsonPath: .status.policyStatus + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity'] + name: Severity + priority: 1 + type: string + - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category'] + name: Category + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: AdmissionPolicyGroup is the Schema for the AdmissionPolicyGroups + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AdmissionPolicyGroupSpec defines the desired state of AdmissionPolicyGroup. + properties: + backgroundAudit: + default: true + description: |- + BackgroundAudit indicates whether a policy should be used or skipped when + performing audit checks. If false, the policy cannot produce meaningful + evaluation results during audit checks and will be skipped. + The default is "true". + type: boolean + expression: + description: |- + Expression is the evaluation expression to accept or reject the + admission request under evaluation. This field uses CEL as the + expression language for the policy groups. Each policy in the group + will be represented as a function call in the expression with the + same name as the policy defined in the group. The expression field + should be a valid CEL expression that evaluates to a boolean value. + If the expression evaluates to true, the group policy will be + considered as accepted, otherwise, it will be considered as + rejected. This expression allows grouping policies calls and perform + logical operations on the results of the policies. See Kubewarden + documentation to learn about all the features available. + type: string + failurePolicy: + description: |- + FailurePolicy defines how unrecognized errors and timeout errors from the + policy are handled. Allowed values are "Ignore" or "Fail". + * "Ignore" means that an error calling the webhook is ignored and the API + request is allowed to continue. 
+ * "Fail" means that an error calling the webhook causes the admission to + fail and the API request to be rejected. + The default behaviour is "Fail" + type: string + matchConditions: + description: |- + MatchConditions are a list of conditions that must be met for a request to be + validated. Match conditions filter requests that have already been matched by + the rules, namespaceSelector, and objectSelector. An empty list of + matchConditions matches all requests. There are a maximum of 64 match + conditions allowed. If a parameter object is provided, it can be accessed via + the `params` handle in the same manner as validation expressions. The exact + matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, + the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy + is evaluated. 3. If any matchCondition evaluates to an error (but none are + FALSE): - If failurePolicy=Fail, reject the request - If + failurePolicy=Ignore, the policy is skipped. + Only available if the feature gate AdmissionWebhookMatchConditions is enabled. + items: + description: MatchCondition represents a condition which must by + fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. 
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + matchPolicy: + description: |- + matchPolicy defines how the "rules" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". +
    +
  • + Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. +
  • +
  • + Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
  • +
+ Defaults to "Equivalent" + type: string + message: + description: |- + Message is used to specify the message that will be returned when + the policy group is rejected. The specific policy results will be + returned in the warning field of the response. + type: string + mode: + default: protect + description: |- + Mode defines the execution mode of this policy. Can be set to + either "protect" or "monitor". If it's empty, it is defaulted to + "protect". + Transitioning this setting from "monitor" to "protect" is + allowed, but is disallowed to transition from "protect" to + "monitor". To perform this transition, the policy should be + recreated in "monitor" mode instead. + enum: + - protect + - monitor + type: string + objectSelector: + description: |- + ObjectSelector decides whether to run the webhook based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the webhook, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. + Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + policies: + additionalProperties: + properties: + module: + description: |- + Module is the location of the WASM module to be loaded. Can be a + local file (file://), a remote file served by an HTTP server + (http://, https://), or an artifact served by an OCI-compatible + registry (registry://). + If prefix is missing, it will default to registry:// and use that + internally. + type: string + settings: + description: |- + Settings is a free-form object that contains the policy configuration + values. + x-kubernetes-embedded-resource: false + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + timeoutEvalSeconds: + description: |- + TimeoutEvalSeconds specifies the timeout for the policy evaluation. After + the timeout passes, the policy evaluation call will fail based on the + failure policy. + The timeout value must be between 2 and 30 seconds. + format: int32 + maximum: 30 + minimum: 2 + type: integer + required: + - module + type: object + description: |- + Policies is a list of policies that are part of the group that will + be available to be called in the evaluation expression field. 
+ Each policy in the group should be a Kubewarden policy. + type: object + policyServer: + default: default + description: PolicyServer identifies an existing PolicyServer resource. + type: string + rules: + description: |- + Rules describes what operations on what resources/subresources the webhook cares about. + The webhook cares about an operation if it matches _any_ Rule. + items: + description: |- + RuleWithOperations is a tuple of Operations and Resources. It is recommended to make + sure that all the tuple expansions are valid. + properties: + apiGroups: + description: |- + apiGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + apiVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. 
+ + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + type: array + sideEffects: + description: |- + SideEffects states whether this webhook has side effects. + Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + Webhooks with side effects MUST implement a reconciliation system, since a request may be + rejected by a future step in the admission change and the side effects therefore need to be undone. + Requests with the dryRun attribute will be auto-rejected if they match a webhook with + sideEffects == Unknown or Some. + type: string + timeoutSeconds: + default: 10 + description: |- + TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + the webhook call will be ignored or the API call will fail based on the + failure policy. + The timeout value must be between 2 and 30 seconds. + Default to 10 seconds. + format: int32 + maximum: 30 + minimum: 2 + type: integer + required: + - expression + - message + - policies + - rules + type: object + status: + description: PolicyStatus defines the observed state of ClusterAdmissionPolicy + and AdmissionPolicy. + properties: + conditions: + description: |- + Conditions represent the observed conditions of the + ClusterAdmissionPolicy resource. 
Known .status.conditions.types + are: "PolicyServerSecretReconciled", + "PolicyServerConfigMapReconciled", + "PolicyServerDeploymentReconciled", + "PolicyServerServiceReconciled" and + "AdmissionPolicyActive" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + mode: + description: |- + PolicyMode represents the observed policy mode of this policy in + the associated PolicyServer configuration + enum: + - protect + - monitor + - unknown + type: string + policyStatus: + description: PolicyStatus represents the observed status of the policy + enum: + - unscheduled + - scheduled + - pending + - active + type: string + required: + - policyStatus + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml b/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml new file mode 100644 index 000000000..9e2ac6f70 --- /dev/null +++ b/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml 
@@ -0,0 +1,1057 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + helm.sh/resource-policy: keep + name: clusteradmissionpolicies.policies.kubewarden.io +spec: + group: policies.kubewarden.io + names: + kind: ClusterAdmissionPolicy + listKind: ClusterAdmissionPolicyList + plural: clusteradmissionpolicies + shortNames: + - cap + singular: clusteradmissionpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Bound to Policy Server + jsonPath: .spec.policyServer + name: Policy Server + type: string + - description: Whether the policy is mutating + jsonPath: .spec.mutating + name: Mutating + type: boolean + - description: Whether the policy is used in audit checks + jsonPath: .spec.backgroundAudit + name: BackgroundAudit + type: boolean + - description: Policy deployment mode + jsonPath: .spec.mode + name: Mode + type: string + - description: Policy deployment mode observed on the assigned Policy Server + jsonPath: .status.mode + name: Observed mode + type: string + - description: Status of the policy + jsonPath: .status.policyStatus + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity'] + name: Severity + priority: 1 + type: string + - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category'] + name: Category + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy. + properties: + allowInsideAdmissionControllerNamespace: + description: |- + AllowInsideAdmissionControllerNamespace controls whether the policy should also be + evaluated for resources in the namespace where Kubewarden is deployed. + By default (false), an exclusion rule is added to the webhook so that the + Kubewarden namespace is never targeted, protecting against an accidental + lockout. Set this to true only if you deliberately want the policy to apply + inside the Kubewarden namespace. + Warning: setting this to true may cause a deadlock if the policy prevents + Kubewarden components from starting. + type: boolean + backgroundAudit: + default: true + description: |- + BackgroundAudit indicates whether a policy should be used or skipped when + performing audit checks. If false, the policy cannot produce meaningful + evaluation results during audit checks and will be skipped. + The default is "true". + type: boolean + contextAwareResources: + description: |- + List of Kubernetes resources the policy is allowed to access at evaluation time. + Access to these resources is done using the `ServiceAccount` of the PolicyServer + the policy is assigned to. + items: + description: ContextAwareResource identifies a Kubernetes resource. + properties: + apiVersion: + description: apiVersion of the resource (v1 for core group, + groupName/groupVersions for other). 
+ type: string + kind: + description: Singular PascalCase name of the resource + type: string + required: + - apiVersion + - kind + type: object + type: array + failurePolicy: + description: |- + FailurePolicy defines how unrecognized errors and timeout errors from the + policy are handled. Allowed values are "Ignore" or "Fail". + * "Ignore" means that an error calling the webhook is ignored and the API + request is allowed to continue. + * "Fail" means that an error calling the webhook causes the admission to + fail and the API request to be rejected. + The default behaviour is "Fail" + type: string + matchConditions: + description: |- + MatchConditions are a list of conditions that must be met for a request to be + validated. Match conditions filter requests that have already been matched by + the rules, namespaceSelector, and objectSelector. An empty list of + matchConditions matches all requests. There are a maximum of 64 match + conditions allowed. If a parameter object is provided, it can be accessed via + the `params` handle in the same manner as validation expressions. The exact + matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, + the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy + is evaluated. 3. If any matchCondition evaluates to an error (but none are + FALSE): - If failurePolicy=Fail, reject the request - If + failurePolicy=Ignore, the policy is skipped. + Only available if the feature gate AdmissionWebhookMatchConditions is enabled. + items: + description: MatchCondition represents a condition which must by + fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. 
+ 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + matchPolicy: + description: |- + matchPolicy defines how the "rules" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". +
    +
  • + Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. +
  • +
  • + Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
  • +
+ Defaults to "Equivalent" + type: string + message: + description: |- + Message overrides the rejection message of the policy. + When provided, the policy's rejection message can be found + inside of the `.status.details.causes` field of the + AdmissionResponse object + type: string + mode: + default: protect + description: |- + Mode defines the execution mode of this policy. Can be set to + either "protect" or "monitor". If it's empty, it is defaulted to + "protect". + Transitioning this setting from "monitor" to "protect" is + allowed, but is disallowed to transition from "protect" to + "monitor". To perform this transition, the policy should be + recreated in "monitor" mode instead. + enum: + - protect + - monitor + type: string + module: + description: |- + Module is the location of the WASM module to be loaded. Can be a + local file (file://), a remote file served by an HTTP server + (http://, https://), or an artifact served by an OCI-compatible + registry (registry://). + If prefix is missing, it will default to registry:// and use that + internally. + type: string + mutating: + description: |- + Mutating indicates whether a policy has the ability to mutate + incoming requests or not. + type: boolean + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the webhook on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the webhook. +

+ For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: +
+                  "namespaceSelector": \{
+   "matchExpressions": [
+     \{
+       "key": "runlevel",
+       "operator": "NotIn",
+       "values": [
+         "0",
+         "1"
+       ]
+     \}
+   ]
+ \} +
+ If instead you want to only run the webhook on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: +
+                  "namespaceSelector": \{
+   "matchExpressions": [
+     \{
+       "key": "environment",
+       "operator": "In",
+       "values": [
+         "prod",
+         "staging"
+       ]
+     \}
+   ]
+ \} +
+ See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + for more examples of label selectors. +

+ Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the webhook based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the webhook, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. 
+ Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + policyServer: + default: default + description: PolicyServer identifies an existing PolicyServer resource. + type: string + rules: + description: |- + Rules describes what operations on what resources/subresources the webhook cares about. + The webhook cares about an operation if it matches _any_ Rule. + items: + description: |- + RuleWithOperations is a tuple of Operations and Resources. 
It is recommended to make + sure that all the tuple expansions are valid. + properties: + apiGroups: + description: |- + apiGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + apiVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. 
+ Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + type: array + settings: + description: |- + Settings is a free-form object that contains the policy configuration + values. + x-kubernetes-embedded-resource: false + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + sideEffects: + description: |- + SideEffects states whether this webhook has side effects. + Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + Webhooks with side effects MUST implement a reconciliation system, since a request may be + rejected by a future step in the admission change and the side effects therefore need to be undone. + Requests with the dryRun attribute will be auto-rejected if they match a webhook with + sideEffects == Unknown or Some. + type: string + timeoutEvalSeconds: + description: |- + TimeoutEvalSeconds specifies the timeout for the policy evaluation. After + the timeout passes, the policy evaluation call will fail based on the + failure policy. + The timeout value must be between 2 and 30 seconds. + format: int32 + maximum: 30 + minimum: 2 + type: integer + timeoutSeconds: + default: 10 + description: |- + TimeoutSeconds specifies the timeout for the policy webhook. After the timeout passes, + the webhook call will be ignored or the API call will fail based on the + failure policy. + The timeout value must be between 2 and 30 seconds. + Default to 10 seconds. + format: int32 + maximum: 30 + minimum: 2 + type: integer + required: + - module + - mutating + - rules + type: object + status: + description: PolicyStatus defines the observed state of ClusterAdmissionPolicy + and AdmissionPolicy. + properties: + conditions: + description: |- + Conditions represent the observed conditions of the + ClusterAdmissionPolicy resource. 
Known .status.conditions.types + are: "PolicyServerSecretReconciled", + "PolicyServerConfigMapReconciled", + "PolicyServerDeploymentReconciled", + "PolicyServerServiceReconciled" and + "AdmissionPolicyActive" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + mode: + description: |- + PolicyMode represents the observed policy mode of this policy in + the associated PolicyServer configuration + enum: + - protect + - monitor + - unknown + type: string + policyStatus: + description: PolicyStatus represents the observed status of the policy + enum: + - unscheduled + - scheduled + - pending + - active + type: string + required: + - policyStatus + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Bound to Policy Server + jsonPath: .spec.policyServer + name: Policy Server + type: string + - description: Whether the policy is mutating + jsonPath: .spec.mutating + name: Mutating + type: boolean + - description: Policy deployment mode + jsonPath: .spec.mode + name: Mode + type: string + - description: Policy deployment mode observed on the assigned Policy Server + jsonPath: .status.mode + name: Observed mode + type: string + - description: Status of the policy + jsonPath: .status.policyStatus + name: Status + type: string + deprecated: true + deprecationWarning: This version is deprecated. Please, consider using v1 + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unrecognized errors and timeout errors from the + policy are handled. Allowed values are "Ignore" or "Fail". + * "Ignore" means that an error calling the webhook is ignored and the API + request is allowed to continue. + * "Fail" means that an error calling the webhook causes the admission to + fail and the API request to be rejected. + The default behaviour is "Fail" + type: string + matchPolicy: + description: |- + matchPolicy defines how the "rules" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". +
    +
  • + Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. +
  • +
  • + Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
  • +
+ Defaults to "Equivalent" + type: string + mode: + default: protect + description: |- + Mode defines the execution mode of this policy. Can be set to + either "protect" or "monitor". If it's empty, it is defaulted to + "protect". + Transitioning this setting from "monitor" to "protect" is + allowed, but is disallowed to transition from "protect" to + "monitor". To perform this transition, the policy should be + recreated in "monitor" mode instead. + enum: + - protect + - monitor + type: string + module: + description: |- + Module is the location of the WASM module to be loaded. Can be a + local file (file://), a remote file served by an HTTP server + (http://, https://), or an artifact served by an OCI-compatible + registry (registry://). + type: string + mutating: + description: |- + Mutating indicates whether a policy has the ability to mutate + incoming requests or not. + type: boolean + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the webhook on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the webhook. +

+ For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: +
+                  "namespaceSelector": \{
+   "matchExpressions": [
+     \{
+       "key": "runlevel",
+       "operator": "NotIn",
+       "values": [
+         "0",
+         "1"
+       ]
+     \}
+   ]
+ \} +
+ If instead you want to only run the webhook on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: +
+                  "namespaceSelector": \{
+   "matchExpressions": [
+     \{
+       "key": "environment",
+       "operator": "In",
+       "values": [
+         "prod",
+         "staging"
+       ]
+     \}
+   ]
+ \} +
+ See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + for more examples of label selectors. +

+ Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the webhook based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the webhook, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. 
+ Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + policyServer: + default: default + description: PolicyServer identifies an existing PolicyServer resource. + type: string + rules: + description: |- + Rules describes what operations on what resources/subresources the webhook cares about. + The webhook cares about an operation if it matches _any_ Rule. + items: + description: |- + RuleWithOperations is a tuple of Operations and Resources. 
It is recommended to make + sure that all the tuple expansions are valid. + properties: + apiGroups: + description: |- + apiGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + apiVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. 
+ Subresources match the scope of their parent resource. + Default is "*". + type: string + type: object + type: array + settings: + description: |- + Settings is a free-form object that contains the policy configuration + values. + x-kubernetes-embedded-resource: false + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + sideEffects: + description: |- + SideEffects states whether this webhook has side effects. + Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + Webhooks with side effects MUST implement a reconciliation system, since a request may be + rejected by a future step in the admission change and the side effects therefore need to be undone. + Requests with the dryRun attribute will be auto-rejected if they match a webhook with + sideEffects == Unknown or Some. + type: string + timeoutSeconds: + default: 10 + description: |- + TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + the webhook call will be ignored or the API call will fail based on the + failure policy. + The timeout value must be between 1 and 30 seconds. + Default to 10 seconds. + format: int32 + type: integer + required: + - module + - mutating + - rules + type: object + status: + description: PolicyStatus defines the observed state of ClusterAdmissionPolicy + and AdmissionPolicy. + properties: + conditions: + description: |- + Conditions represent the observed conditions of the + ClusterAdmissionPolicy resource. Known .status.conditions.types + are: "PolicyServerSecretReconciled", + "PolicyServerConfigMapReconciled", + "PolicyServerDeploymentReconciled", + "PolicyServerServiceReconciled" and + "AdmissionPolicyActive" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + mode: + description: |- + PolicyMode represents the observed policy mode of this policy in + the associated PolicyServer configuration + enum: + - protect + - monitor + - unknown + type: string + policyStatus: + description: PolicyStatus represents the observed status of the policy + enum: + - unscheduled + - scheduled + - pending + - active + type: string + required: + - policyStatus + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml b/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml new file mode 100644 index 000000000..fba6d4bf9 --- /dev/null +++ b/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml 
@@ -0,0 +1,622 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + helm.sh/resource-policy: keep + name: clusteradmissionpolicygroups.policies.kubewarden.io +spec: + group: policies.kubewarden.io + names: + kind: ClusterAdmissionPolicyGroup + listKind: ClusterAdmissionPolicyGroupList + plural: clusteradmissionpolicygroups + shortNames: + - capg + singular: clusteradmissionpolicygroup + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Bound to Policy Server + jsonPath: .spec.policyServer + name: Policy Server + type: string + - description: Whether the policy is mutating + jsonPath: .spec.mutating + name: Mutating + type: boolean + - description: Whether the policy is used in audit checks + jsonPath: .spec.backgroundAudit + name: BackgroundAudit + type: boolean + - description: Policy deployment mode + jsonPath: .spec.mode + name: Mode + type: string + - description: Policy deployment mode observed on the assigned Policy Server + jsonPath: .status.mode + name: Observed mode + type: string + - description: Status of the policy + jsonPath: .status.policyStatus + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity'] + name: Severity + priority: 1 + type: string + - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category'] + name: Category + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterAdmissionPolicyGroup is the Schema for the clusteradmissionpolicies + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ClusterAdmissionPolicyGroupSpec defines the desired state + of ClusterAdmissionPolicyGroup. + properties: + allowInsideAdmissionControllerNamespace: + description: |- + AllowInsideAdmissionControllerNamespace controls whether the policy should also be + evaluated for resources in the namespace where Kubewarden is deployed. + By default (false), an exclusion rule is added to the webhook so that the + Kubewarden namespace is never targeted, protecting against an accidental + lockout. Set this to true only if you deliberately want the policy to apply + inside the Kubewarden namespace. + Warning: setting this to true may cause a deadlock if the policy prevents + Kubewarden components from starting. + type: boolean + backgroundAudit: + default: true + description: |- + BackgroundAudit indicates whether a policy should be used or skipped when + performing audit checks. If false, the policy cannot produce meaningful + evaluation results during audit checks and will be skipped. + The default is "true". + type: boolean + expression: + description: |- + Expression is the evaluation expression to accept or reject the + admission request under evaluation. This field uses CEL as the + expression language for the policy groups. Each policy in the group + will be represented as a function call in the expression with the + same name as the policy defined in the group. The expression field + should be a valid CEL expression that evaluates to a boolean value. 
+ If the expression evaluates to true, the group policy will be + considered as accepted, otherwise, it will be considered as + rejected. This expression allows grouping policies calls and perform + logical operations on the results of the policies. See Kubewarden + documentation to learn about all the features available. + type: string + failurePolicy: + description: |- + FailurePolicy defines how unrecognized errors and timeout errors from the + policy are handled. Allowed values are "Ignore" or "Fail". + * "Ignore" means that an error calling the webhook is ignored and the API + request is allowed to continue. + * "Fail" means that an error calling the webhook causes the admission to + fail and the API request to be rejected. + The default behaviour is "Fail" + type: string + matchConditions: + description: |- + MatchConditions are a list of conditions that must be met for a request to be + validated. Match conditions filter requests that have already been matched by + the rules, namespaceSelector, and objectSelector. An empty list of + matchConditions matches all requests. There are a maximum of 64 match + conditions allowed. If a parameter object is provided, it can be accessed via + the `params` handle in the same manner as validation expressions. The exact + matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, + the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy + is evaluated. 3. If any matchCondition evaluates to an error (but none are + FALSE): - If failurePolicy=Fail, reject the request - If + failurePolicy=Ignore, the policy is skipped. + Only available if the feature gate AdmissionWebhookMatchConditions is enabled. + items: + description: MatchCondition represents a condition which must by + fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + expression represents the expression which will be evaluated by CEL. Must evaluate to bool. 
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + Required. + type: string + name: + description: |- + name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + Required. + type: string + required: + - expression + - name + type: object + type: array + matchPolicy: + description: |- + matchPolicy defines how the "rules" list is used to match incoming requests. + Allowed values are "Exact" or "Equivalent". +
    +
  • + Exact: match a request only if it exactly matches a specified rule. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. +
  • +
  • + Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. + For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, + and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, + a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. +
  • +
+ Defaults to "Equivalent" + type: string + message: + description: |- + Message is used to specify the message that will be returned when + the policy group is rejected. The specific policy results will be + returned in the warning field of the response. + type: string + mode: + default: protect + description: |- + Mode defines the execution mode of this policy. Can be set to + either "protect" or "monitor". If it's empty, it is defaulted to + "protect". + Transitioning this setting from "monitor" to "protect" is + allowed, but is disallowed to transition from "protect" to + "monitor". To perform this transition, the policy should be + recreated in "monitor" mode instead. + enum: + - protect + - monitor + type: string + namespaceSelector: + description: |- + NamespaceSelector decides whether to run the webhook on an object based + on whether the namespace for that object matches the selector. If the + object itself is a namespace, the matching is performed on + object.metadata.labels. If the object is another cluster scoped resource, + it never skips the webhook. +

+ For example, to run the webhook on any objects whose namespace is not + associated with "runlevel" of "0" or "1"; you will set the selector as + follows: +
+                  "namespaceSelector": \{
+   "matchExpressions": [
+     \{
+       "key": "runlevel",
+       "operator": "NotIn",
+       "values": [
+         "0",
+         "1"
+       ]
+     \}
+   ]
+ \} +
+ If instead you want to only run the webhook on any objects whose + namespace is associated with the "environment" of "prod" or "staging"; + you will set the selector as follows: +
+                  "namespaceSelector": \{
+   "matchExpressions": [
+     \{
+       "key": "environment",
+       "operator": "In",
+       "values": [
+         "prod",
+         "staging"
+       ]
+     \}
+   ]
+ \} +
+ See + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels + for more examples of label selectors. +

+ Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: |- + ObjectSelector decides whether to run the webhook based on if the + object has matching labels. objectSelector is evaluated against both + the oldObject and newObject that would be sent to the webhook, and + is considered to match if either object matches the selector. A null + object (oldObject in the case of create, or newObject in the case of + delete) or an object that cannot have labels (like a + DeploymentRollback or a PodProxyOptions object) is not considered to + match. 
+ Use the object selector only if the webhook is opt-in, because end + users may skip the admission webhook by setting the labels. + Default to the empty LabelSelector, which matches everything. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + policies: + additionalProperties: + properties: + contextAwareResources: + description: |- + List of Kubernetes resources the policy is allowed to access at evaluation time. + Access to these resources is done using the `ServiceAccount` of the PolicyServer + the policy is assigned to. + items: + description: ContextAwareResource identifies a Kubernetes + resource. 
+ properties: + apiVersion: + description: apiVersion of the resource (v1 for core group, + groupName/groupVersions for other). + type: string + kind: + description: Singular PascalCase name of the resource + type: string + required: + - apiVersion + - kind + type: object + type: array + module: + description: |- + Module is the location of the WASM module to be loaded. Can be a + local file (file://), a remote file served by an HTTP server + (http://, https://), or an artifact served by an OCI-compatible + registry (registry://). + If prefix is missing, it will default to registry:// and use that + internally. + type: string + settings: + description: |- + Settings is a free-form object that contains the policy configuration + values. + x-kubernetes-embedded-resource: false + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + timeoutEvalSeconds: + description: |- + TimeoutEvalSeconds specifies the timeout for the policy evaluation. After + the timeout passes, the policy evaluation call will fail based on the + failure policy. + The timeout value must be between 2 and 30 seconds. + format: int32 + maximum: 30 + minimum: 2 + type: integer + required: + - module + type: object + description: |- + Policies is a list of policies that are part of the group that will + be available to be called in the evaluation expression field. + Each policy in the group should be a Kubewarden policy. + type: object + policyServer: + default: default + description: PolicyServer identifies an existing PolicyServer resource. + type: string + rules: + description: |- + Rules describes what operations on what resources/subresources the webhook cares about. + The webhook cares about an operation if it matches _any_ Rule. + items: + description: |- + RuleWithOperations is a tuple of Operations and Resources. It is recommended to make + sure that all the tuple expansions are valid. 
+ properties: + apiGroups: + description: |- + apiGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + apiVersions: + description: |- + apiVersions is the API versions the resources belong to. '*' is all versions. + If '*' is present, the length of the slice must be one. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + operations: + description: |- + operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * + for all of those operations and any future admission operations that are added. + If '*' is present, the length of the slice must be one. + Required. + items: + description: OperationType specifies an operation for a request. + type: string + type: array + x-kubernetes-list-type: atomic + resources: + description: |- + resources is a list of resources this rule applies to. + + For example: + 'pods' means pods. + 'pods/log' means the log subresource of pods. + '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. + '*/scale' means all scale subresources. + '*/*' means all resources and their subresources. + + If wildcard is present, the validation rule will ensure resources do not + overlap with each other. + + Depending on the enclosing object, subresources might not be allowed. + Required. + items: + type: string + type: array + x-kubernetes-list-type: atomic + scope: + description: |- + scope specifies the scope of this rule. + Valid values are "Cluster", "Namespaced", and "*" + "Cluster" means that only cluster-scoped resources will match this rule. + Namespace API objects are cluster-scoped. + "Namespaced" means that only namespaced resources will match this rule. + "*" means that there are no scope restrictions. + Subresources match the scope of their parent resource. + Default is "*". 
+ type: string + type: object + type: array + sideEffects: + description: |- + SideEffects states whether this webhook has side effects. + Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). + Webhooks with side effects MUST implement a reconciliation system, since a request may be + rejected by a future step in the admission change and the side effects therefore need to be undone. + Requests with the dryRun attribute will be auto-rejected if they match a webhook with + sideEffects == Unknown or Some. + type: string + timeoutSeconds: + default: 10 + description: |- + TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, + the webhook call will be ignored or the API call will fail based on the + failure policy. + The timeout value must be between 2 and 30 seconds. + Default to 10 seconds. + format: int32 + maximum: 30 + minimum: 2 + type: integer + required: + - expression + - message + - policies + - rules + type: object + status: + description: PolicyStatus defines the observed state of ClusterAdmissionPolicy + and AdmissionPolicy. + properties: + conditions: + description: |- + Conditions represent the observed conditions of the + ClusterAdmissionPolicy resource. Known .status.conditions.types + are: "PolicyServerSecretReconciled", + "PolicyServerConfigMapReconciled", + "PolicyServerDeploymentReconciled", + "PolicyServerServiceReconciled" and + "AdmissionPolicyActive" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + mode: + description: |- + PolicyMode represents the observed policy mode of this policy in + the associated PolicyServer configuration + enum: + - protect + - monitor + - unknown + type: string + policyStatus: + description: PolicyStatus represents the observed status of the policy + enum: + - unscheduled + - scheduled + - pending + - active + type: string + required: + - policyStatus + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_policyservers.yaml b/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_policyservers.yaml new file mode 100644 index 000000000..725b77361 --- /dev/null +++ b/charts/kubewarden-controller/templates/crds/policies.kubewarden.io_policyservers.yaml 
@@ -0,0 +1,2183 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + helm.sh/resource-policy: keep + name: policyservers.policies.kubewarden.io +spec: + group: policies.kubewarden.io + names: + kind: PolicyServer + listKind: PolicyServerList + plural: policyservers + shortNames: + - ps + singular: policyserver + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Policy Server replicas + jsonPath: .spec.replicas + name: Replicas + type: string + - description: Policy Server image + jsonPath: .spec.image + name: Image + type: string + name: v1 + schema: + openAPIV3Schema: + description: PolicyServer is the Schema for the policyservers API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PolicyServerSpec defines the desired state of PolicyServer. + properties: + affinity: + description: Affinity rules for the associated Policy Server pods. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. 
A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. 
+ If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. 
+ The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. 
+ properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. 
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + annotations: + additionalProperties: + type: string + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + env: + description: List of environment variables to set in the container. + items: + description: EnvVar represents an environment variable present in + a Container. + properties: + name: + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. 
Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot + be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. 
+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. 
+ type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Docker image name. + type: string + imagePullSecret: + description: |- + Name of ImagePullSecret secret in the same namespace, used for pulling + policies from repositories. + type: string + insecureSources: + description: |- + List of insecure URIs to policy repositories. The `insecureSources` + content format corresponds with the contents of the `insecure_sources` + key in `sources.yaml`. Reference for `sources.yaml` is found in the + Kubewarden documentation in the reference section. + items: + type: string + type: array + labels: + additionalProperties: + type: string + description: |- + Labels is a map of custom labels to be applied to the Deployment created by the + PolicyServer and to the Pods managed by that Deployment. System labels set by + the controller always take precedence over user-defined labels with the same key. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Limits describes the maximum amount of compute resources + allowed. 
+ type: object + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + Number of policy server replicas that can be unavailable after the + eviction. The value can be an absolute number or a percentage. Only one of + MinAvailable or Max MaxUnavailable can be set. + x-kubernetes-int-or-string: true + metricsPort: + description: |- + Port exposed by the metrics Service for this policy server. + When unset, defaults to the controller-wide default + (KUBEWARDEN_POLICY_SERVER_SERVICES_METRICS_PORT env var, or 8080). + Only relevant when metrics are enabled. + + Use this field to customize which port Prometheus scrapes for this + PolicyServer's metrics Service (e.g. to match naming conventions or + avoid Service-level port collisions). + + NOTE: this field controls only the Service Port (the externally visible + scrape port). The Service TargetPort — the port the pod actually listens + on — is always the controller-wide default and is not affected by this + field. This is intentional: when the OpenTelemetry sidecar mode is + enabled, each pod gets its own injected sidecar, but the pod-side + Prometheus listener port is determined by controller-wide/injection + configuration, not per PolicyServer. Therefore, changing this field does + not change the pod listener port and will not resolve pod-port conflicts + such as those caused by hostNetwork. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + minAvailable: + anyOf: + - type: integer + - type: string + description: |- + Number of policy server replicas that must be still available after the + eviction. The value can be an absolute number or a percentage. Only one of + MinAvailable or Max MaxUnavailable can be set. + x-kubernetes-int-or-string: true + namespacedPoliciesCapabilities: + description: |- + NamespacedPoliciesCapabilities lists host capability API calls allowed + for namespaced policies running on this PolicyServer. 
When not set, + no host capabilities are granted to namespaced policies. + Supported wildcard patterns: + - "*": allow all host capabilities + - "category/*": allow all capabilities in a category (e.g. "oci/*") + - "category/version/*": allow all capabilities of a specific version (e.g. "oci/v1/*") + - Specific capability paths (e.g. "oci/v1/verify", "net/v1/dns_lookup_host") + items: + type: string + type: array + priorityClassName: + description: |- + PriorityClassName is the name of the PriorityClass to be used for the + policy server pods. Useful to schedule policy server pods with higher + priority to ensure their availability over other cluster workload + resources. + Note: If the referenced PriorityClass is deleted, existing pods + remain unchanged, but new pods that reference it cannot be created. + type: string + readinessProbePort: + description: |- + Port used by the policy server to expose the readiness probe endpoint. + When unset, defaults to 8081. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + replicas: + description: Replicas is the number of desired replicas. + format: int32 + type: integer + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Request is omitted for, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value + type: object + securityContexts: + description: |- + Security configuration to be used in the Policy Server workload. + The field allows different configurations for the pod and containers. + If set for the containers, this configuration will not be used in + containers added by other controllers (e.g. 
telemetry sidecars) + properties: + container: + description: securityContext definition to be used in the policy + server container + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by this container. If set, this profile + overrides the pod's appArmorProfile. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default value is Default which uses the container runtime defaults for + readonly paths and masked paths. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. 
+ Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object + pod: + description: podSecurityContext definition to be used in the policy + server Pod + properties: + appArmorProfile: + description: |- + appArmorProfile is the AppArmor options to use by the containers in this pod. 
+ Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile loaded on the node that should be used. + The profile must be preconfigured on the node to work. + Must match the loaded name of the profile. + Must be set if and only if type is "Localhost". + type: string + type: + description: |- + type indicates which kind of AppArmor profile will be applied. + Valid options are: + Localhost - a profile pre-loaded on the node. + RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + type: string + required: + - type + type: object + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. + Some volume types allow the Kubelet to change the ownership of that volume + to be owned by the pod: + + 1. The owning GID will be the FSGroup + 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) + 3. The permission bits are OR'd with rw-rw---- + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + fsGroupChangePolicy: + description: |- + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume + before being exposed inside Pod. This field will only apply to + volume types which support fsGroup based ownership(and permissions). + It will have no effect on ephemeral volume types such as: secret, configmaps + and emptydir. + Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. + Note that this field cannot be set when spec.os.name is windows. + type: string + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in SecurityContext. 
If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence + for that container. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxChangePolicy: + description: |- + seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. + It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. + Valid values are "MountOption" and "Recursive". + + "Recursive" means relabeling of all files on all Pod volumes by the container runtime. + This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. + + "MountOption" mounts all eligible Pod volumes with `-o context` mount option. + This requires all Pods that share the same volume to use the same SELinux label. + It is not possible to share the same volume among privileged and unprivileged Pods. 
+ Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes + whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their + CSIDriver instance. Other volumes are always re-labelled recursively. + "MountOption" value is allowed only when SELinuxMount feature gate is enabled. + + If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. + If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes + and "Recursive" for all other volumes. + + This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. + + All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. + Note that this field cannot be set when spec.os.name is windows. + type: string + seLinuxOptions: + description: |- + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by the containers in this pod. + Note that this field cannot be set when spec.os.name is windows. 
+ properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + supplementalGroups: + description: |- + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. + Note that this field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. + Note that this field cannot be set when spec.os.name is windows. + type: string + sysctls: + description: |- + Sysctls hold a list of namespaced sysctls used for the pod. 
Pods with unsupported + sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. 
+ type: string + type: object + type: object + type: object + serviceAccountName: + description: |- + Name of the service account associated with the policy server. + Namespace service account will be used if not specified. + type: string + sigstoreTrustConfig: + description: |- + Name of SigstoreTrustConfig configmap in the kubewarden namespace (same + namespace as the controller deployment), containing Sigstore trust + configuration (ClientTrustConfig JSON). The configuration must be under a + key named sigstore-trust-config in the ConfigMap. This is used to configure + a custom Sigstore instance instead of the default public Sigstore infrastructure. + WARNING: This feature requires strict access control. Users with write access + to this ConfigMap can influence policy signature verification. + type: string + sourceAuthorities: + additionalProperties: + items: + type: string + type: array + description: |- + Key value map of registry URIs endpoints to a list of their associated + PEM encoded certificate authorities that have to be used to verify the + certificate used by the endpoint. The `sourceAuthorities` content format + corresponds with the contents of the `source_authorities` key in + `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden + documentation in the reference section. + type: object + tolerations: + description: |- + Tolerations describe the policy server pod's tolerations. It can be + used to ensure that the policy server pod is not scheduled onto a + node with a taint. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. 
Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + verificationConfig: + description: |- + Name of VerificationConfig configmap in the kubewarden namespace (same + namespace as the controller deployment), containing Sigstore verification + configuration. The configuration must be under a key named + verification-config in the ConfigMap. + type: string + webhookPort: + description: |- + Port where the policy server listens for incoming webhook requests. + When unset, defaults to 8443. This is the port the Kubernetes API server + reaches when evaluating admission requests. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - image + - replicas + type: object + status: + description: PolicyServerStatus defines the observed state of PolicyServer. + properties: + conditions: + description: |- + Conditions represent the observed conditions of the + PolicyServer resource. 
Known .status.conditions.types are: + "CertSecretReconciled", "CARootSecretReconciled", + "ConfigMapReconciled", "DeploymentReconciled", + "ServiceReconciled", "PodDisruptionBudgetReconciled" and + "PolicyWebhooksCleanedUp" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Policy Server replicas + jsonPath: .spec.replicas + name: Replicas + type: string + - description: Policy Server image + jsonPath: .spec.image + name: Image + type: string + deprecated: true + deprecationWarning: This version is deprecated. Please, consider using v1 + name: v1alpha2 + schema: + openAPIV3Schema: + description: PolicyServer is the Schema for the policyservers API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PolicyServerSpec defines the desired state of PolicyServer. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is an unstructured key value map stored with a resource that may be + set by external tools to store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying objects. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + env: + description: List of environment variables to set in the container. + items: + description: EnvVar represents an environment variable present in + a Container. + properties: + name: + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. Cannot + be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. 
+ type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + image: + description: Docker image name. + type: string + imagePullSecret: + description: |- + Name of ImagePullSecret secret in the same namespace, used for pulling + policies from repositories. 
+ type: string + insecureSources: + description: |- + List of insecure URIs to policy repositories. The `insecureSources` + content format corresponds with the contents of the `insecure_sources` + key in `sources.yaml`. Reference for `sources.yaml` is found in the + Kubewarden documentation in the reference section. + items: + type: string + type: array + replicas: + description: Replicas is the number of desired replicas. + format: int32 + type: integer + serviceAccountName: + description: |- + Name of the service account associated with the policy server. + Namespace service account will be used if not specified. + type: string + sourceAuthorities: + additionalProperties: + items: + type: string + type: array + description: |- + Key value map of registry URIs endpoints to a list of their associated + PEM encoded certificate authorities that have to be used to verify the + certificate used by the endpoint. The `sourceAuthorities` content format + corresponds with the contents of the `source_authorities` key in + `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden + documentation in the reference section. + type: object + verificationConfig: + description: |- + Name of VerificationConfig configmap in the same namespace, containing + Sigstore verification configuration. The configuration must be under a + key named verification-config in the Configmap. + type: string + required: + - image + - replicas + type: object + status: + description: PolicyServerStatus defines the observed state of PolicyServer. + properties: + conditions: + description: |- + Conditions represent the observed conditions of the + PolicyServer resource. Known .status.conditions.types + are: "PolicyServerSecretReconciled", + "PolicyServerDeploymentReconciled" and + "PolicyServerServiceReconciled" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/kubewarden-controller/templates/crds/policyreports.yaml b/charts/kubewarden-controller/templates/crds/policyreports.yaml new file mode 100644 index 000000000..2bdf78b9b --- /dev/null +++ b/charts/kubewarden-controller/templates/crds/policyreports.yaml 
@@ -0,0 +1,1011 @@ +{{- if or .Values.installPolicyReportCRDs (not (hasKey .Values "installPolicyReportCRDs")) }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + helm.sh/resource-policy: keep + creationTimestamp: null + name: policyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: PolicyReport + listKind: PolicyReportList + plural: policyreports + shortNames: + - polr + singular: policyreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy + rule + type: object + message: + description: Message is a short user friendly description of the + policy rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource + checked by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. 
Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. 
Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. 
For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. 
+ type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + priority: 1 + type: string + - jsonPath: .scope.name + name: Name + priority: 1 + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error 
+ name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: SubjectSelector is an optional label selector for checked + Kubernetes resources. For example, a policy result may apply to + all pods that match a label. Either a Subject or a SubjectSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. 
In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID + not honored" or "name must be restricted". Those cannot be well + described when embedded. 3. Inconsistent validation. Because + the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will + happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, + the dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make new + APIs embed an underspecified API type they do not control. Instead + of using this type, create a locally provided and used type + that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. + format: int32 + type: integer + seconds: + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. 
Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +{{ end }} From 08616a4e0e35cf85dab27fd5b8c5439001cea324 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Wed, 20 May 2026 11:55:27 -0300 Subject: [PATCH 03/22] refactor(chart): remove kubewarden-crds chart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove the standalone kubewarden-crds Helm chart. Its CRD templates and OpenReports dependency have been integrated into the unified kubewarden-controller chart in the previous commit. Assisted-by: Claude Code 
Signed-off-by: José Guilherme Vanz --- charts/kubewarden-crds/.helmignore | 26 - charts/kubewarden-crds/Chart.lock | 6 - charts/kubewarden-crds/Chart.yaml | 43 - charts/kubewarden-crds/README.md | 52 - .../charts/openreports-0.2.1.tgz | Bin 4793 -> 0 bytes charts/kubewarden-crds/docs/output.md | 2816 ----------------- charts/kubewarden-crds/templates/NOTES.txt | 21 - .../templates/clusterpolicyreports.yaml | 1013 ------ ...icies.kubewarden.io_admissionpolicies.yaml | 841 ----- ...s.kubewarden.io_admissionpolicygroups.yaml | 497 --- ...ubewarden.io_clusteradmissionpolicies.yaml | 1056 ------- ...arden.io_clusteradmissionpolicygroups.yaml | 621 ---- .../policies.kubewarden.io_policyservers.yaml | 2182 ------------- .../templates/policyreports.yaml | 1010 ------ charts/kubewarden-crds/tests/crds_test.yaml | 66 - charts/kubewarden-crds/values.schema.json | 15 - charts/kubewarden-crds/values.yaml | 12 - 17 files changed, 10277 deletions(-) delete mode 100644 charts/kubewarden-crds/.helmignore delete mode 100644 charts/kubewarden-crds/Chart.lock delete mode 100644 charts/kubewarden-crds/Chart.yaml delete mode 100644 charts/kubewarden-crds/README.md delete mode 100644 charts/kubewarden-crds/charts/openreports-0.2.1.tgz delete mode 100644 charts/kubewarden-crds/docs/output.md delete mode 100644 charts/kubewarden-crds/templates/NOTES.txt delete mode 100644 charts/kubewarden-crds/templates/clusterpolicyreports.yaml delete mode 100644 charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicies.yaml delete mode 100644 charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml delete mode 100644 charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml delete mode 100644 charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml delete mode 100644 charts/kubewarden-crds/templates/crds/policies.kubewarden.io_policyservers.yaml delete mode 100644 
charts/kubewarden-crds/templates/policyreports.yaml delete mode 100644 charts/kubewarden-crds/tests/crds_test.yaml delete mode 100644 charts/kubewarden-crds/values.schema.json delete mode 100644 charts/kubewarden-crds/values.yaml
diff --git a/charts/kubewarden-crds/.helmignore b/charts/kubewarden-crds/.helmignore deleted file mode 100644
index b875eace6..000000000
--- a/charts/kubewarden-crds/.helmignore
+++ /dev/null
@@ -1,26 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
-
-# dev files
-chart-values.yaml
diff --git a/charts/kubewarden-crds/Chart.lock b/charts/kubewarden-crds/Chart.lock deleted file mode 100644
index 6de8f0168..000000000
--- a/charts/kubewarden-crds/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: openreports
- repository: https://openreports.github.io/reports-api
- version: 0.2.1
-digest: sha256:49254513a9d7f6f34d27a55271776fb48268cee1ad0daf9fc056d7fa00649736
-generated: "2025-10-22T14:25:46.704168411-03:00"
diff --git a/charts/kubewarden-crds/Chart.yaml b/charts/kubewarden-crds/Chart.yaml deleted file mode 100644
index ba3f90ed0..000000000
--- a/charts/kubewarden-crds/Chart.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: v2
-name: kubewarden-crds
-description: A Helm chart for deploying the Kubewarden CRDs
-icon: https://www.kubewarden.io/images/icon-kubewarden.svg
-type: application
-kubeVersion: ">= 1.19.0-0"
-home: https://www.kubewarden.io/
-maintainers:
- - name: Kubewarden Maintainers
- email: cncf-kubewarden-maintainers@lists.cncf.io
- url: https://github.com/orgs/kubewarden/teams/maintainers
-keywords:
- - Kubewarden
- - Security
- - Infrastructure
- - Monitoring
- - policies
- - policy agent
- - validating webhook
- - admissions controller
- - policy report
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.28.0-beta.1
-# This is the version of Kubewarden stack
-appVersion: v1.36.0-beta.1
-annotations:
- # required ones:
- catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart
- catalog.cattle.io/namespace: cattle-kubewarden-system # Must prefix with cattle- and suffix with -system
- catalog.cattle.io/release-name: rancher-kubewarden-crds # If this is an upstream app, prefixing with rancher is the preferred naming choice.
- catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation
- # optional ones:
- catalog.cattle.io/hidden: "true" # Hide specific charts. Only use on CRD charts.
- # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template`
- # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`.
- catalog.cattle.io/type: cluster-tool
-dependencies:
- - name: openreports
- version: 0.2.1
- repository: https://openreports.github.io/reports-api
- condition: installOpenReportsCRDs
diff --git a/charts/kubewarden-crds/README.md b/charts/kubewarden-crds/README.md deleted file mode 100644
index afe16fe5f..000000000
--- a/charts/kubewarden-crds/README.md
+++ /dev/null
@@ -1,52 +0,0 @@
-# kubewarden-crds
-
-`kubewarden-crds` is the Helm chart that installs the Custom Resources Definition
-required by the Kubewarden stack. It should be installed before installing
-`kubewarden-controller` and `kubewarden-defaults` charts.
-
-## Contents
-
-This chart installs Kubewarden CRDs:
- `admissionpolicies.policies.kubewarden.io`
- `clusteradmissionpolicies.policies.kubewarden.io`
- `policyservers.policies.kubewarden.io`
-
-And OpenReport CRDs:
- `reports.openreports.io`
- `clusterreports.openreports.io`
-
-It also installs PolicyReports CRDs (marked as deprecated):
- `policyreports.wgpolicyk8s.io`
- `clusterpolicyreports.wgpolicyk8s.io`
-
-You can skip installing these (maybe because for example they are already installed
-and owned by a different Helm Release), by configuring the appropriate chart values.
-
-## Installing
-
-For example:
-```console
-$ helm repo add kubewarden https://charts.kubewarden.io
-$ helm install --create-namespace -n kubewarden kubewarden-crds kubewarden/kubewarden-crds
-```
-
-For a more comprehensive documentation about how to install the whole Kubewarden
-stack, check the `kubewarden-controller` chart documentation out.
-
-## Upgrading the charts
-
-Please refer to the release notes of each version of the helm charts.
-These can be found [here](https://github.com/kubewarden/helm-charts/releases).
-
-## Uninstalling the charts
-
-To uninstall/delete kubewarden-crds use the following command:
-
-```console
-$ helm uninstall -n kubewarden kubewarden-crds
-```
-
-The commands remove all the Kubernetes components associated with the chart.
-Keep in mind that the chart is required by the `kubewarden-controller` chart.
-
-If you want to keep the history use `--keep-history` flag.
diff --git a/charts/kubewarden-crds/charts/openreports-0.2.1.tgz b/charts/kubewarden-crds/charts/openreports-0.2.1.tgz deleted file mode 100644 index 7f233b04fd1d595cd8f3ef6650a520d107ca94bd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4793 zcmZvgWl$UJ(uQ#f9$bnQio0uZFB%+Dpg}`$E5$-_cdcMW3luM2EEFd|p-6Fu;#MrD z=RI@gn{Vbkvp=5Mx%b-p*Us!R#p6++{rjP~(0FV$37J5_7gN zk`mW5F%f@Z>grZ72HFdJ*^$+lLvO_@Tb zloBaAN9@cwC`CbqxfRQYoR&c_=ZHiZuC^f9-l} z;;;lz=ZYCLMUy*wiL%Z_si*IyrlTg1!}r;w9JipPs<2>W zi(CwuDFnHt;#pUhG0H>p$8ECGII(KrJGZv$dU_8-PC4_;Ks<^YY)5B9B!-#<4~^fW zcso0*(qrSVYg1O8P~ay9bzc>qY%^j0+Bhy*3J(oerowp9-j1tvJQlJqC4%m1t-lK4 z0eI1crO%RTqzZvI*zr?2+eY{NG@S^q*HJ-4L#6~(X57yyNr1XE9A4g0!mrfaW;T_) zl&E2(lsSO@s`Z|6(rHOV&<2ND3}EzN9S$#`YM;b%Mi&}ns|*WxDNBQAmnc;oc4K*J z!;H83?i7&V|A_+=9%GpXvRR@a2~>bYkCI64o?oW+GqWXCp-oWh!>R3@8FP-}VtE=_ z0v!gclzl>i{~WBn*g7qqUv{A8dIL&3+{`fnDt;5^SCk6VRBb%!$^c63 zvi;i{{IU8`vbg9o8XT82M*R-m%FGXRyY#Do1nFI83U0Dy41TicFh0&dD28T*v^~v4 zsjA#TuA~(4(krrY63DDwha$twJI+t+0kgN2iI2IS3K8Sx1Bc^S-rv?GKdHDOED&kt z+_cmiq$Z?^*yaH_xZ12NDO}M)x-n(cN=+VD8z+=4MOL8FU($1>*a_o9tXp}3?I(Lh z_eBdrafh*FzD~N#0A!$MI6FX4RYaj8Odn}H6d=4ZQ(#-H@4<{D+@uS0pf1PO_x@oZ z;#3+diUYQ`I>%A5VCq+KllvXmcXED&86)Zv=p8TmeCKV$Tk;JVV3|;nvn*!K6jK@%i*q!6w1z zx7p_Ka4@fJGqNQ2AXb$?r@(os893Bu}sZtBN_S$En(+UU>5--ZSU3})@?5)seBZ{I5yRsER zcyQ`Tne)ZGFzha?^7cfyy}toGSCo)_59q zHc-2dZi1h&T%zl~deJl?=gZ|b#O3hBew>%t05Pw_R9WsI;&UM99z8@@SY3~xi#~=q z;sExV)z#A5Qi`F+ydw%H;2O{2EF6kTD)+l(MZr|E7t5N$1UkWVj3iN2+k= zxqbddB}7OU_^E@oH&wd2unBC(`Yxcl8?%{;z`oT(X+Wa zV*jOXs#6)d{EN)~I~Pv3J#$UYj2>g8Ax_U=NjlsKyFq+~l4TfCH@U9!JLz4i3TJV; zXZvQCb$x^@orvN)0BpigO)iGK)%jh|RO%^!_E;|W{cf@F(2HbGVpYj7(#Q(%mo6&K z#W*av^ZswtVL*1ecB#duUwLQyey#+Makt1Ei<=gF0RH$8Y*hdC6>N;U-s^mZc7JzF z@~3pk^a)Md_cy$H(7JB!)VblrwQUAEL_?u^T|~ZtqLA*4(0!$7;_}#vemFk0y!2dQ z6drf*EDs1{TFAJlR6hv3rm-i>j>Z-K-AO@wW$OBF_D7*;q~{VD{L0O?Va{!$pdQbp zPhjr@GS?Efaa~&JO`H2fcXaGzLqlL2k0m!k^Ezo5HU*yknU_@LcITCYiA$%jt+U)5 
zw8%Svb6oBGq`owKT7d2oi4=|$L0G*{-DfKyHf6HL_cKJ=WQD^gKbk#9m4sJ*9-J{q zMt>Rj;bzedpQd{1WWDg`(w>UoyIV-s)DyaZZw9mUF9#uvJvg23EN`9s(}fj)80esI za%mzQ4=1L|176(47I#_g&f6k92FGozo8pLXK!bXE8~qOf*&m841CoLw4vL zKg5zhU!wCAoF)1xjgr~33(^G)7+I;Gp7*%F+4aq&dNNH$*ZV~Jd+;_s!HOBVx@&pA zze}?MzPpRuPeQ&^K#Gk}ftX6Fqn#6r1+=gB9OIRl!)OVX_dKmO53&U10ej;)0=sFQ zTK?5j_BhZ{EMur1?ZE_>HvQBYthZ0WZAiumf$KNoGpE{(ntU_Gn%xlFXo=vLZF()& zAk%MF=8*7mFO*S>Fm-hm$yo&NmJ`~H+RDaC9N?*ON5 z3K1uk5Bi*k@8}}sw*Xa%j^`<|I?9(V%u1CzBrJYfjH+hAZ9#WaWkT#EsXCn!t-o~k zkKTOrOu4dH6!$VB24UJ&5Sp>vX(f4L`IDAN=fmhdEF+r5q!;OOVTr@d>JZD~y7#UI z(EYMhivafymGr>{yI(9()~OWeP){L{fNr2!Y$n^p?oiMcj^V+*2!i$7q7U^KjQ2CM z@!?N?l7<;&HxZ_Xk!xZwkj<;aU%@gu=YF=b#Xp;#P$sjKkWXe|b6)!SsUIUdc2#hiFwoI!ioTU=3QdhIa zGG#|=p?w208%>k2Z3bM6jeRH@kW{czs-R4`J7bU3`E(y3H1 z^L#PoZwR*QFevZ=#A`ZgNn-Us<9()}{9sG)<67w}^v53rX0b>sF^RMs_;)Lq)_`gB z4~Z)2fD*_Gb#dD3YN(ijeiNG}gN0A9Q2Tj$Iz3h*H!yu~aA;Epb$u=Uhoh}q7;EU+ zsr|y<-d=@-+zD|R6AAG|lHT7yf$d&A_YIY8iz!2ZnOE*~4&B8`Mm$lZcOVF~Fn2+=aq$X~nq&_{xOz}t@vf&eM3#Ft?h6gCkbRFh*`x0`)=_iChsm?!L_rL z%@&5rot6s>F5@MK&!%7e8E88-*33(o)<|Q+5Xly7rfzd63^3xTeBlfMy*GpfAP7LClmqTQUMVD^RNj~zQdt^t1&nn!e5KK2X(i~-3{@mf-{mu~- zr_+1I&}QGpVu&_dHT3<%1awKk(PfQWd2%CzC1byL{t~cXj#d@ zX#4zP+K-%(=6!kXP5PIY01LIzOI(gf%$Jar@Cav{F5tktNrleW%ixs`at+)2+zy3? 
zn3T~(V;I~8of|`k%fo>BgBL!UCp(V8~g&3lmeUF%xZ^-It`vaznkY4{+h)j9^ zVK84Xz1(E~4EhhocEfCs@{namR!mnnGsSwncbKsKykh}+V)Altxc%Gf@{!lFgKYaf zCvwjWn8KlVQeK{P^nzBHxQU@lDgE=2kZ{$HuR{_e17z9!RrQzBqJCQZfCX#sD>hNd z??8n8pv5x!Lx7Q!(g--e)m+YXEA?ZP6pW>`K3S){U2V?qiF?GkTJe4!CE5v(X{*e@>|4@5J^;los@;G-&r0llP3ih45ap62QuKk@U)1_>>Jd$~R%Q*7JclMH-(q?SMkFwKBRlpQEVtnC6 z*%`OZ9oQNNt|>Cbgz&Nk|ef0U};|F3?3>>td3^?!-~d=J*J z{`Sd3Z;Jze|DS@t-79-MDLb|Pcm03N{RhRE;qh;3?XCBJP5+axBA)(-9JRLpkFgaf z&m8LZwmx5ZVcONQUZtzolHK1q)l1_|Np+uP6p zrO1ARlH!E{g}<8?*FADq?_(&R@p0Zw`U==FNfsy&R0nd1y4oD`_!?IC9>&7I1ck&62={dc$cd-BwmfS#fgn`cx?mrvY_@J}gaV2D50~zW3vgeNkE{ZN=)h zCh0DdE{)7-r(>L`>Ka?hBS%8cIj|*ZtBxap)C>O6(?SG+E|92*p0=2v7#)0dj*@BWK!y7nY;yAL-DMA62}A-{q(0f zt6K+%u(mvPxnw@wL$q3L$?0&NVdUZo4HChdy diff --git a/charts/kubewarden-crds/docs/output.md b/charts/kubewarden-crds/docs/output.md deleted file mode 100644 index e42f138e8..000000000 --- a/charts/kubewarden-crds/docs/output.md +++ /dev/null @@ -1,2816 +0,0 @@ -# API Reference - -Packages: - -- [policies.kubewarden.io/v1](#policieskubewardeniov1) -- [policies.kubewarden.io/v1alpha2](#policieskubewardeniov1alpha2) - -# policies.kubewarden.io/v1 - -Resource Types: - -- [AdmissionPolicy](#admissionpolicy) - -- [ClusterAdmissionPolicy](#clusteradmissionpolicy) - -- [PolicyServer](#policyserver) - - - - -## AdmissionPolicy -[↩ Parent](#policieskubewardeniov1 ) - - - - - - -AdmissionPolicy is the Schema for the admissionpolicies API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringpolicies.kubewarden.io/v1true
kindstringAdmissionPolicytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - AdmissionPolicySpec defines the desired state of AdmissionPolicy
-
false
statusobject - PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy
-
false
- - -### AdmissionPolicy.spec -[↩ Parent](#admissionpolicy) - - - -AdmissionPolicySpec defines the desired state of AdmissionPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
modulestring - Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://). If prefix is missing, it will default to registry:// and use that internally.
-
true
mutatingboolean - Mutating indicates whether a policy has the ability to mutate incoming requests or not.
-
true
rules[]object - Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule.
-
true
failurePolicystring - FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail"
-
false
matchPolicystring - matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". - - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. - - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. - Defaults to "Equivalent"
-
false
modeenum - Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it's empty, it is defaulted to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but is disallowed to transition from "protect" to "monitor". To perform this transition, the policy should be recreated in "monitor" mode instead.
-
- Enum: protect, monitor
- Default: protect
-
false
objectSelectorobject - ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
-
false
policyServerstring - PolicyServer identifies an existing PolicyServer resource.
-
- Default: default
-
false
settingsobject - Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
-
false
sideEffectsstring - SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
-
false
timeoutSecondsinteger - TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
-
- Format: int32
- Default: 10
-
false
- - -### AdmissionPolicy.spec.rules[index] -[↩ Parent](#admissionpolicyspec) - - - -RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiGroups[]string - APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
-
false
apiVersions[]string - APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.
-
false
operations[]string - Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
-
false
resources[]string - Resources is a list of resources this rule applies to. - For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources. - If wildcard is present, the validation rule will ensure resources do not overlap with each other. - Depending on the enclosing object, subresources might not be allowed. Required.
-
false
scopestring - scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
-
false
- - -### AdmissionPolicy.spec.objectSelector -[↩ Parent](#admissionpolicyspec) - - - -ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
matchExpressions[]object - matchExpressions is a list of label selector requirements. The requirements are ANDed.
-
false
matchLabelsmap[string]string - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-
false
- - -### AdmissionPolicy.spec.objectSelector.matchExpressions[index] -[↩ Parent](#admissionpolicyspecobjectselector) - - - -A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
keystring - key is the label key that the selector applies to.
-
true
operatorstring - operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-
true
values[]string - values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-
false
- - -### AdmissionPolicy.status -[↩ Parent](#admissionpolicy) - - - -PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
policyStatusenum - PolicyStatus represents the observed status of the policy
-
- Enum: unscheduled, scheduled, pending, active
-
true
conditions[]object - Conditions represent the observed conditions of the ClusterAdmissionPolicy resource. Known .status.conditions.types are: "PolicyServerSecretReconciled", "PolicyServerConfigMapReconciled", "PolicyServerDeploymentReconciled", "PolicyServerServiceReconciled" and "AdmissionPolicyActive"
-
false
modeenum - PolicyMode represents the observed policy mode of this policy in the associated PolicyServer configuration
-
- Enum: protect, monitor, unknown
-
false
- - -### AdmissionPolicy.status.conditions[index] -[↩ Parent](#admissionpolicystatus) - - - -Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - // other fields } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
-
true
messagestring - message is a human readable message indicating details about the transition. This may be an empty string.
-
true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-
true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
-
true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-
true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
-
false
- -## ClusterAdmissionPolicy -[↩ Parent](#policieskubewardeniov1 ) - - - - - - -ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringpolicies.kubewarden.io/v1true
kindstringClusterAdmissionPolicytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy
-
false
statusobject - PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy
-
false
- - -### ClusterAdmissionPolicy.spec -[↩ Parent](#clusteradmissionpolicy) - - - -ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
modulestring - Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://). If prefix is missing, it will default to registry:// and use that internally.
-
true
mutatingboolean - Mutating indicates whether a policy has the ability to mutate incoming requests or not.
-
true
rules[]object - Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule.
-
true
failurePolicystring - FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail"
-
false
matchPolicystring - matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". - - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. - - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. - Defaults to "Equivalent"
-
false
modeenum - Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it's empty, it is defaulted to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but is disallowed to transition from "protect" to "monitor". To perform this transition, the policy should be recreated in "monitor" mode instead.
-
- Enum: protect, monitor
- Default: protect
-
false
namespaceSelectorobject - NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. - For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } - If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } - See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. - Default to the empty LabelSelector, which matches everything.
-
false
objectSelectorobject - ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
-
false
policyServerstring - PolicyServer identifies an existing PolicyServer resource.
-
- Default: default
-
false
settingsobject - Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
-
false
sideEffectsstring - SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
-
false
timeoutSecondsinteger - TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
-
- Format: int32
- Default: 10
-
false
- - -### ClusterAdmissionPolicy.spec.rules[index] -[↩ Parent](#clusteradmissionpolicyspec) - - - -RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiGroups[]string - APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
-
false
apiVersions[]string - APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.
-
false
operations[]string - Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
-
false
resources[]string - Resources is a list of resources this rule applies to. - For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources. - If wildcard is present, the validation rule will ensure resources do not overlap with each other. - Depending on the enclosing object, subresources might not be allowed. Required.
-
false
scopestring - scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
-
false
- - -### ClusterAdmissionPolicy.spec.namespaceSelector -[↩ Parent](#clusteradmissionpolicyspec) - - - -NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. - For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } - If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } - See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. - Default to the empty LabelSelector, which matches everything. - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
matchExpressions[]object - matchExpressions is a list of label selector requirements. The requirements are ANDed.
-
false
matchLabelsmap[string]string - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-
false
- - -### ClusterAdmissionPolicy.spec.namespaceSelector.matchExpressions[index] -[↩ Parent](#clusteradmissionpolicyspecnamespaceselector) - - - -A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
keystring - key is the label key that the selector applies to.
-
true
operatorstring - operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-
true
values[]string - values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-
false
- - -### ClusterAdmissionPolicy.spec.objectSelector -[↩ Parent](#clusteradmissionpolicyspec) - - - -ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
matchExpressions[]object - matchExpressions is a list of label selector requirements. The requirements are ANDed.
-
false
matchLabelsmap[string]string - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-
false
- - -### ClusterAdmissionPolicy.spec.objectSelector.matchExpressions[index] -[↩ Parent](#clusteradmissionpolicyspecobjectselector) - - - -A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
keystring - key is the label key that the selector applies to.
-
true
operatorstring - operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-
true
values[]string - values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-
false
- - -### ClusterAdmissionPolicy.status -[↩ Parent](#clusteradmissionpolicy) - - - -PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
policyStatusenum - PolicyStatus represents the observed status of the policy
-
- Enum: unscheduled, scheduled, pending, active
-
true
conditions[]object - Conditions represent the observed conditions of the policy resource (AdmissionPolicy or ClusterAdmissionPolicy). Known .status.conditions.types are: "PolicyServerSecretReconciled", "PolicyServerConfigMapReconciled", "PolicyServerDeploymentReconciled", "PolicyServerServiceReconciled" and "AdmissionPolicyActive"
-
false
modeenum - PolicyMode represents the observed policy mode of this policy in the associated PolicyServer configuration
-
- Enum: protect, monitor, unknown
-
false
- - -### ClusterAdmissionPolicy.status.conditions[index] -[↩ Parent](#clusteradmissionpolicystatus) - - - -Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - // other fields } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
-
true
messagestring - message is a human readable message indicating details about the transition. This may be an empty string.
-
true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-
true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
-
true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-
true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
-
false
- -## PolicyServer -[↩ Parent](#policieskubewardeniov1 ) - - - - - - -PolicyServer is the Schema for the policyservers API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringpolicies.kubewarden.io/v1true
kindstringPolicyServertrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - PolicyServerSpec defines the desired state of PolicyServer
-
false
statusobject - PolicyServerStatus defines the observed state of PolicyServer
-
false
- - -### PolicyServer.spec -[↩ Parent](#policyserver) - - - -PolicyServerSpec defines the desired state of PolicyServer - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
imagestring - Docker image name.
-
true
replicasinteger - Replicas is the number of desired replicas.
-
- Format: int32
-
true
annotationsmap[string]string - Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
-
false
env[]object - List of environment variables to set in the container.
-
false
imagePullSecretstring - Name of ImagePullSecret secret in the same namespace, used for pulling policies from repositories.
-
false
insecureSources[]string - List of insecure URIs to policy repositories.
-
false
serviceAccountNamestring - Name of the service account associated with the policy server. If not specified, the namespace's default service account is used.
-
false
sourceAuthoritiesmap[string][]string - Key value map from registry endpoint URIs to the list of PEM-encoded certificate authorities that must be used to verify the certificate presented by that endpoint.
-
false
verificationConfigstring - Name of VerificationConfig configmap in the same namespace, containing Sigstore verification configuration. The configuration must be under a key named verification-config in the Configmap.
-
false
- - -### PolicyServer.spec.env[index] -[↩ Parent](#policyserverspec) - - - -EnvVar represents an environment variable present in a Container. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
namestring - Name of the environment variable. Must be a C_IDENTIFIER.
-
true
valuestring - Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".
-
false
valueFromobject - Source for the environment variable's value. Cannot be used if value is not empty.
-
false
- - -### PolicyServer.spec.env[index].valueFrom -[↩ Parent](#policyserverspecenvindex) - - - -Source for the environment variable's value. Cannot be used if value is not empty. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
configMapKeyRefobject - Selects a key of a ConfigMap.
-
false
fieldRefobject - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
-
false
resourceFieldRefobject - Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
-
false
secretKeyRefobject - Selects a key of a secret in the pod's namespace
-
false
- - -### PolicyServer.spec.env[index].valueFrom.configMapKeyRef -[↩ Parent](#policyserverspecenvindexvaluefrom) - - - -Selects a key of a ConfigMap. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
keystring - The key to select.
-
true
namestring - Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
-
false
optionalboolean - Specify whether the ConfigMap or its key must be defined
-
false
- - -### PolicyServer.spec.env[index].valueFrom.fieldRef -[↩ Parent](#policyserverspecenvindexvaluefrom) - - - -Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
fieldPathstring - Path of the field to select in the specified API version.
-
true
apiVersionstring - Version of the schema the FieldPath is written in terms of, defaults to "v1".
-
false
- - -### PolicyServer.spec.env[index].valueFrom.resourceFieldRef -[↩ Parent](#policyserverspecenvindexvaluefrom) - - - -Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
resourcestring - Required: resource to select
-
true
containerNamestring - Container name: required for volumes, optional for env vars
-
false
divisorint or string - Specifies the output format of the exposed resources, defaults to "1"
-
false
- - -### PolicyServer.spec.env[index].valueFrom.secretKeyRef -[↩ Parent](#policyserverspecenvindexvaluefrom) - - - -Selects a key of a secret in the pod's namespace - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
keystring - The key of the secret to select from. Must be a valid secret key.
-
true
namestring - Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
-
false
optionalboolean - Specify whether the Secret or its key must be defined
-
false
- - -### PolicyServer.status -[↩ Parent](#policyserver) - - - -PolicyServerStatus defines the observed state of PolicyServer - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
conditions[]object - Conditions represent the observed conditions of the PolicyServer resource. Known .status.conditions.types are: "PolicyServerSecretReconciled", "PolicyServerDeploymentReconciled" and "PolicyServerServiceReconciled"
-
true
- - -### PolicyServer.status.conditions[index] -[↩ Parent](#policyserverstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - // other fields } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
-
true
messagestring - message is a human readable message indicating details about the transition. This may be an empty string.
-
true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-
true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
-
true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-
true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
-
false
- -# policies.kubewarden.io/v1alpha2 - -Resource Types: - -- [AdmissionPolicy](#admissionpolicy) - -- [ClusterAdmissionPolicy](#clusteradmissionpolicy) - -- [PolicyServer](#policyserver) - - - - -## AdmissionPolicy -[↩ Parent](#policieskubewardeniov1alpha2 ) - - - - - - -AdmissionPolicy is the Schema for the admissionpolicies API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringpolicies.kubewarden.io/v1alpha2true
kindstringAdmissionPolicytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - AdmissionPolicySpec defines the desired state of AdmissionPolicy
-
false
statusobject - PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy
-
false
- - -### AdmissionPolicy.spec -[↩ Parent](#admissionpolicy-1) - - - -AdmissionPolicySpec defines the desired state of AdmissionPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
modulestring - Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://).
-
true
mutatingboolean - Mutating indicates whether a policy has the ability to mutate incoming requests or not.
-
true
rules[]object - Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule.
-
true
failurePolicystring - FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail". Note that "Ignore" fails open: while the PolicyServer is unreachable or exceeds timeoutSeconds, matching requests are admitted without being evaluated by this policy, so use it only for policies whose enforcement is genuinely optional.
-
false
matchPolicystring - matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. Defaults to "Equivalent". "Exact" is the setting that can be bypassed by clients that address the same resource through an alternative API group or version, so prefer "Equivalent" unless the narrower matching is deliberate.
-
false
modeenum - Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it's empty, it is defaulted to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but transitioning from "protect" to "monitor" is not allowed. To perform that transition, the policy must be recreated in "monitor" mode instead.
-
- Enum: protect, monitor
- Default: protect
-
false
objectSelectorobject - ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
-
false
policyServerstring - PolicyServer identifies an existing PolicyServer resource.
-
- Default: default
-
false
settingsobject - Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
-
false
sideEffectsstring - SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
-
false
timeoutSecondsinteger - TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
-
- Format: int32
- Default: 10
-
false
- - -### AdmissionPolicy.spec.rules[index] -[↩ Parent](#admissionpolicyspec-1) - - - -RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiGroups[]string - APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
-
false
apiVersions[]string - APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.
-
false
operations[]string - Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
-
false
resources[]string - Resources is a list of resources this rule applies to. - For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources. - If wildcard is present, the validation rule will ensure resources do not overlap with each other. - Depending on the enclosing object, subresources might not be allowed. Required.
-
false
scopestring - scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
-
false
- - -### AdmissionPolicy.spec.objectSelector -[↩ Parent](#admissionpolicyspec-1) - - - -ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
matchExpressions[]object - matchExpressions is a list of label selector requirements. The requirements are ANDed.
-
false
matchLabelsmap[string]string - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-
false
- - -### AdmissionPolicy.spec.objectSelector.matchExpressions[index] -[↩ Parent](#admissionpolicyspecobjectselector-1) - - - -A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
keystring - key is the label key that the selector applies to.
-
true
operatorstring - operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-
true
values[]string - values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-
false
- - -### AdmissionPolicy.status -[↩ Parent](#admissionpolicy-1) - - - -PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
policyStatusenum - PolicyStatus represents the observed status of the policy
-
- Enum: unscheduled, scheduled, pending, active
-
true
conditions[]object - Conditions represent the observed conditions of the policy resource (AdmissionPolicy or ClusterAdmissionPolicy). Known .status.conditions.types are: "PolicyServerSecretReconciled", "PolicyServerConfigMapReconciled", "PolicyServerDeploymentReconciled", "PolicyServerServiceReconciled" and "AdmissionPolicyActive"
-
false
modeenum - PolicyMode represents the observed policy mode of this policy in the associated PolicyServer configuration
-
- Enum: protect, monitor, unknown
-
false
- - -### AdmissionPolicy.status.conditions[index] -[↩ Parent](#admissionpolicystatus-1) - - - -Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - // other fields } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
-
true
messagestring - message is a human readable message indicating details about the transition. This may be an empty string.
-
true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-
true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
-
true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-
true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
-
false
- -## ClusterAdmissionPolicy -[↩ Parent](#policieskubewardeniov1alpha2 ) - - - - - - -ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringpolicies.kubewarden.io/v1alpha2true
kindstringClusterAdmissionPolicytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy
-
false
statusobject - PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy
-
false
- - -### ClusterAdmissionPolicy.spec -[↩ Parent](#clusteradmissionpolicy-1) - - - -ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
modulestring - Module is the location of the WASM module to be loaded. Can be a local file (file://), a remote file served by an HTTP server (http://, https://), or an artifact served by an OCI-compatible registry (registry://).
-
true
mutatingboolean - Mutating indicates whether a policy has the ability to mutate incoming requests or not.
-
true
rules[]object - Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule.
-
true
failurePolicystring - FailurePolicy defines how unrecognized errors and timeout errors from the policy are handled. Allowed values are "Ignore" or "Fail". * "Ignore" means that an error calling the webhook is ignored and the API request is allowed to continue. * "Fail" means that an error calling the webhook causes the admission to fail and the API request to be rejected. The default behaviour is "Fail"
-
false
matchPolicystring - matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". - - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. - - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. - Defaults to "Equivalent"
-
false
modeenum - Mode defines the execution mode of this policy. Can be set to either "protect" or "monitor". If it's empty, it is defaulted to "protect". Transitioning this setting from "monitor" to "protect" is allowed, but is disallowed to transition from "protect" to "monitor". To perform this transition, the policy should be recreated in "monitor" mode instead.
-
- Enum: protect, monitor
- Default: protect
-
false
namespaceSelectorobject - NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. - For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } - If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } - See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. - Default to the empty LabelSelector, which matches everything.
-
false
objectSelectorobject - ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
-
false
policyServerstring - PolicyServer identifies an existing PolicyServer resource.
-
- Default: default
-
false
settingsobject - Settings is a free-form object that contains the policy configuration values. x-kubernetes-embedded-resource: false
-
false
sideEffectsstring - SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission change and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
-
false
timeoutSecondsinteger - TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
-
- Format: int32
- Default: 10
-
false
- - -### ClusterAdmissionPolicy.spec.rules[index] -[↩ Parent](#clusteradmissionpolicyspec-1) - - - -RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiGroups[]string - APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
-
false
apiVersions[]string - APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.
-
false
operations[]string - Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.
-
false
resources[]string - Resources is a list of resources this rule applies to. - For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources. - If wildcard is present, the validation rule will ensure resources do not overlap with each other. - Depending on the enclosing object, subresources might not be allowed. Required.
-
false
scopestring - scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".
-
false
- - -### ClusterAdmissionPolicy.spec.namespaceSelector -[↩ Parent](#clusteradmissionpolicyspec-1) - - - -NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. - For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] } - If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] } - See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. - Default to the empty LabelSelector, which matches everything. - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
matchExpressions[]object - matchExpressions is a list of label selector requirements. The requirements are ANDed.
-
false
matchLabelsmap[string]string - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-
false
- - -### ClusterAdmissionPolicy.spec.namespaceSelector.matchExpressions[index] -[↩ Parent](#clusteradmissionpolicyspecnamespaceselector-1) - - - -A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
keystring - key is the label key that the selector applies to.
-
true
operatorstring - operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-
true
values[]string - values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-
false
- - -### ClusterAdmissionPolicy.spec.objectSelector -[↩ Parent](#clusteradmissionpolicyspec-1) - - - -ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
matchExpressions[]object - matchExpressions is a list of label selector requirements. The requirements are ANDed.
-
false
matchLabelsmap[string]string - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
-
false
- - -### ClusterAdmissionPolicy.spec.objectSelector.matchExpressions[index] -[↩ Parent](#clusteradmissionpolicyspecobjectselector-1) - - - -A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
keystring - key is the label key that the selector applies to.
-
true
operatorstring - operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
-
true
values[]string - values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-
false
- - -### ClusterAdmissionPolicy.status -[↩ Parent](#clusteradmissionpolicy-1) - - - -PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
policyStatusenum - PolicyStatus represents the observed status of the policy
-
- Enum: unscheduled, scheduled, pending, active
-
true
conditions[]object - Conditions represent the observed conditions of the ClusterAdmissionPolicy resource. Known .status.conditions.types are: "PolicyServerSecretReconciled", "PolicyServerConfigMapReconciled", "PolicyServerDeploymentReconciled", "PolicyServerServiceReconciled" and "AdmissionPolicyActive"
-
false
modeenum - PolicyMode represents the observed policy mode of this policy in the associated PolicyServer configuration
-
- Enum: protect, monitor, unknown
-
false
- - -### ClusterAdmissionPolicy.status.conditions[index] -[↩ Parent](#clusteradmissionpolicystatus-1) - - - -Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - // other fields } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
-
true
messagestring - message is a human readable message indicating details about the transition. This may be an empty string.
-
true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-
true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
-
true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-
true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
-
false
- -## PolicyServer -[↩ Parent](#policieskubewardeniov1alpha2 ) - - - - - - -PolicyServer is the Schema for the policyservers API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringpolicies.kubewarden.io/v1alpha2true
kindstringPolicyServertrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - PolicyServerSpec defines the desired state of PolicyServer
-
false
statusobject - PolicyServerStatus defines the observed state of PolicyServer
-
false
- - -### PolicyServer.spec -[↩ Parent](#policyserver-1) - - - -PolicyServerSpec defines the desired state of PolicyServer - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
imagestring - Docker image name.
-
true
replicasinteger - Replicas is the number of desired replicas.
-
- Format: int32
-
true
annotationsmap[string]string - Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
-
false
env[]object - List of environment variables to set in the container.
-
false
imagePullSecretstring - Name of ImagePullSecret secret in the same namespace, used for pulling policies from repositories.
-
false
insecureSources[]string - List of insecure URIs to policy repositories.
-
false
serviceAccountNamestring - Name of the service account associated with the policy server. Namespace service account will be used if not specified.
-
false
sourceAuthoritiesmap[string][]string - Key value map of registry URIs endpoints to a list of their associated PEM encoded certificate authorities that have to be used to verify the certificate used by the endpoint.
-
false
verificationConfigstring - Name of VerificationConfig configmap in the same namespace, containing Sigstore verification configuration. The configuration must be under a key named verification-config in the Configmap.
-
false
- - -### PolicyServer.spec.env[index] -[↩ Parent](#policyserverspec-1) - - - -EnvVar represents an environment variable present in a Container. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
namestring - Name of the environment variable. Must be a C_IDENTIFIER.
-
true
valuestring - Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".
-
false
valueFromobject - Source for the environment variable's value. Cannot be used if value is not empty.
-
false
- - -### PolicyServer.spec.env[index].valueFrom -[↩ Parent](#policyserverspecenvindex-1) - - - -Source for the environment variable's value. Cannot be used if value is not empty. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
configMapKeyRefobject - Selects a key of a ConfigMap.
-
false
fieldRefobject - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
-
false
resourceFieldRefobject - Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
-
false
secretKeyRefobject - Selects a key of a secret in the pod's namespace
-
false
- - -### PolicyServer.spec.env[index].valueFrom.configMapKeyRef -[↩ Parent](#policyserverspecenvindexvaluefrom-1) - - - -Selects a key of a ConfigMap. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
keystring - The key to select.
-
true
namestring - Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
-
false
optionalboolean - Specify whether the ConfigMap or its key must be defined
-
false
- - -### PolicyServer.spec.env[index].valueFrom.fieldRef -[↩ Parent](#policyserverspecenvindexvaluefrom-1) - - - -Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
fieldPathstring - Path of the field to select in the specified API version.
-
true
apiVersionstring - Version of the schema the FieldPath is written in terms of, defaults to "v1".
-
false
- - -### PolicyServer.spec.env[index].valueFrom.resourceFieldRef -[↩ Parent](#policyserverspecenvindexvaluefrom-1) - - - -Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
resourcestring - Required: resource to select
-
true
containerNamestring - Container name: required for volumes, optional for env vars
-
false
divisorint or string - Specifies the output format of the exposed resources, defaults to "1"
-
false
- - -### PolicyServer.spec.env[index].valueFrom.secretKeyRef -[↩ Parent](#policyserverspecenvindexvaluefrom-1) - - - -Selects a key of a secret in the pod's namespace - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
keystring - The key of the secret to select from. Must be a valid secret key.
-
true
namestring - Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
-
false
optionalboolean - Specify whether the Secret or its key must be defined
-
false
- - -### PolicyServer.status -[↩ Parent](#policyserver-1) - - - -PolicyServerStatus defines the observed state of PolicyServer - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
conditions[]object - Conditions represent the observed conditions of the PolicyServer resource. Known .status.conditions.types are: "PolicyServerSecretReconciled", "PolicyServerDeploymentReconciled" and "PolicyServerServiceReconciled"
-
true
- - -### PolicyServer.status.conditions[index] -[↩ Parent](#policyserverstatus-1) - - - -Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` - // other fields } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
-
true
messagestring - message is a human readable message indicating details about the transition. This may be an empty string.
-
true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-
true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
-
true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
-
true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
-
false
\ No newline at end of file
diff --git a/charts/kubewarden-crds/templates/NOTES.txt b/charts/kubewarden-crds/templates/NOTES.txt
deleted file mode 100644
index 12d59d904..000000000
--- a/charts/kubewarden-crds/templates/NOTES.txt
+++ /dev/null
@@ -1,21 +0,0 @@
-Kubewarden CRDs now available:
- clusteradmissionpolicies.policies.kubewarden.io
- admissionpolicies.policies.kubewarden.io
- clusteradmissionpolicygroups.policies.kubewarden.io
- admissionpolicygroups.policies.kubewarden.io
- policyservers.policies.kubewarden.io
-{{- if .Values.installPolicyReportCRDs }}
-
-Policy report CRDs now available:
- policyreports.wgpolicyk8s.io
- clusterpolicyreports.wgpolicyk8s.io
-
- **WARNING**:
- PolicyReport CRDs are deprecated and will be dropped in a future release.
-{{- end }}
-{{- if .Values.installOpenReportsCRDs }}
-
-OpenReport CRDs now available:
- reports.openreports.io
- clusterreports.openreports.io
-{{- end }}
diff --git a/charts/kubewarden-crds/templates/clusterpolicyreports.yaml b/charts/kubewarden-crds/templates/clusterpolicyreports.yaml
deleted file mode 100644
index ddb0c1c46..000000000
--- a/charts/kubewarden-crds/templates/clusterpolicyreports.yaml
+++ /dev/null
@@ -1,1013 +0,0 @@ -{{- if or .Values.installPolicyReportCRDs (not (hasKey .Values "installPolicyReportCRDs")) }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.0 - creationTimestamp: null - name: clusterpolicyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: ClusterPolicyReport - listKind: ClusterPolicyReportList - plural: clusterpolicyreports - shortNames: - - cpolr - singular: clusterpolicyreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - data: - additionalProperties: - type: string - description: Data provides additional information for the policy - rule - type: object - message: - description: Message is a short user friendly description of the - policy rule - type: string - policy: - description: Policy is the name of the policy - type: string - resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - resources: - description: Resources is an optional reference to the resource - checked by the policy and rule - items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID - not honored" or "name must be restricted". Those cannot be well - described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. Kind - is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make new - APIs embed an underspecified API type they do not control. 
Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - rule: - description: Rule is the name of the policy rule - type: string - scored: - description: Scored indicates if this policy rule is scored - type: boolean - severity: - description: Severity indicates policy severity - enum: - - high - - low - - medium - type: string - status: - description: Status indicates the result of the policy rule check - enum: - - pass - - fail - - warn - - error - - skip - type: string - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. 
- type: object - type: object - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of unscored policies whose requirements - were not met - type: integer - type: object - type: object - served: true - storage: false - subresources: {} - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID - not honored" or "name must be restricted". Those cannot be well - described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. Kind - is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make new - APIs embed an underspecified API type they do not control. 
Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. 
For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. 
- type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: false - subresources: {} - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error 
- name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. 
In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID - not honored" or "name must be restricted". Those cannot be well - described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. Kind - is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make new - APIs embed an underspecified API type they do not control. Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. 
Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. 
- type: object
- type: object
- summary:
- description: PolicyReportSummary provides a summary of results
- properties:
- error:
- description: Error provides the count of policies that could not be
- evaluated
- type: integer
- fail:
- description: Fail provides the count of policies whose requirements
- were not met
- type: integer
- pass:
- description: Pass provides the count of policies whose requirements
- were met
- type: integer
- skip:
- description: Skip indicates the count of policies that were not selected
- for evaluation
- type: integer
- warn:
- description: Warn provides the count of non-scored policies whose
- requirements were not met
- type: integer
- type: object
- type: object
- served: true
- storage: true
- subresources: {}
-{{ end }}
diff --git a/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicies.yaml b/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicies.yaml
deleted file mode 100644
index 3483fcb88..000000000
--- a/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicies.yaml
+++ /dev/null
@@ -1,841 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
- name: admissionpolicies.policies.kubewarden.io
-spec:
- group: policies.kubewarden.io
- names:
- kind: AdmissionPolicy
- listKind: AdmissionPolicyList
- plural: admissionpolicies
- shortNames:
- - ap
- singular: admissionpolicy
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Bound to Policy Server
- jsonPath: .spec.policyServer
- name: Policy Server
- type: string
- - description: Whether the policy is mutating
- jsonPath: .spec.mutating
- name: Mutating
- type: boolean
- - description: Whether the policy is used in audit checks
- jsonPath: .spec.backgroundAudit
- name: BackgroundAudit
- type: boolean
- - description: Policy deployment mode
- jsonPath: .spec.mode
- name: Mode
- type: string
- - description: Policy deployment mode observed on the assigned Policy Server
- jsonPath: .status.mode
- name: Observed mode
- type: string
- - description: Status of the policy
- jsonPath: .status.policyStatus
- name: Status
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity']
- name: Severity
- priority: 1
- type: string
- - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category']
- name: Category
- priority: 1
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: AdmissionPolicy is the Schema for the admissionpolicies API
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AdmissionPolicySpec defines the desired state of AdmissionPolicy. - properties: - backgroundAudit: - default: true - description: |- - BackgroundAudit indicates whether a policy should be used or skipped when - performing audit checks. If false, the policy cannot produce meaningful - evaluation results during audit checks and will be skipped. - The default is "true". - type: boolean - failurePolicy: - description: |- - FailurePolicy defines how unrecognized errors and timeout errors from the - policy are handled. Allowed values are "Ignore" or "Fail". - * "Ignore" means that an error calling the webhook is ignored and the API - request is allowed to continue. - * "Fail" means that an error calling the webhook causes the admission to - fail and the API request to be rejected. - The default behaviour is "Fail" - type: string - matchConditions: - description: |- - MatchConditions are a list of conditions that must be met for a request to be - validated. Match conditions filter requests that have already been matched by - the rules, namespaceSelector, and objectSelector. An empty list of - matchConditions matches all requests. There are a maximum of 64 match - conditions allowed. If a parameter object is provided, it can be accessed via - the `params` handle in the same manner as validation expressions. The exact - matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, - the policy is skipped. 2. 
If ALL matchConditions evaluate to TRUE, the policy - is evaluated. 3. If any matchCondition evaluates to an error (but none are - FALSE): - If failurePolicy=Fail, reject the request - If - failurePolicy=Ignore, the policy is skipped. - Only available if the feature gate AdmissionWebhookMatchConditions is enabled. - items: - description: MatchCondition represents a condition which must by - fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - Required. - type: string - name: - description: |- - name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 
'example.com/MyName') - - Required. - type: string - required: - - expression - - name - type: object - type: array - matchPolicy: - description: |- - matchPolicy defines how the "rules" list is used to match incoming requests. - Allowed values are "Exact" or "Equivalent". -
    -
  • - Exact: match a request only if it exactly matches a specified rule. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. -
  • -
  • - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. -
  • -
- Defaults to "Equivalent" - type: string - message: - description: |- - Message overrides the rejection message of the policy. - When provided, the policy's rejection message can be found - inside of the `.status.details.causes` field of the - AdmissionResponse object - type: string - mode: - default: protect - description: |- - Mode defines the execution mode of this policy. Can be set to - either "protect" or "monitor". If it's empty, it is defaulted to - "protect". - Transitioning this setting from "monitor" to "protect" is - allowed, but is disallowed to transition from "protect" to - "monitor". To perform this transition, the policy should be - recreated in "monitor" mode instead. - enum: - - protect - - monitor - type: string - module: - description: |- - Module is the location of the WASM module to be loaded. Can be a - local file (file://), a remote file served by an HTTP server - (http://, https://), or an artifact served by an OCI-compatible - registry (registry://). - If prefix is missing, it will default to registry:// and use that - internally. - type: string - mutating: - description: |- - Mutating indicates whether a policy has the ability to mutate - incoming requests or not. - type: boolean - objectSelector: - description: |- - ObjectSelector decides whether to run the webhook based on if the - object has matching labels. objectSelector is evaluated against both - the oldObject and newObject that would be sent to the webhook, and - is considered to match if either object matches the selector. A null - object (oldObject in the case of create, or newObject in the case of - delete) or an object that cannot have labels (like a - DeploymentRollback or a PodProxyOptions object) is not considered to - match. - Use the object selector only if the webhook is opt-in, because end - users may skip the admission webhook by setting the labels. - Default to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - policyServer: - default: default - description: PolicyServer identifies an existing PolicyServer resource. - type: string - rules: - description: |- - Rules describes what operations on what resources/subresources the webhook cares about. - The webhook cares about an operation if it matches _any_ Rule. - items: - description: |- - RuleWithOperations is a tuple of Operations and Resources. It is recommended to make - sure that all the tuple expansions are valid. - properties: - apiGroups: - description: |- - apiGroups is the API groups the resources belong to. '*' is all groups. 
- If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - apiVersions: - description: |- - apiVersions is the API versions the resources belong to. '*' is all versions. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - operations: - description: |- - operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * - for all of those operations and any future admission operations that are added. - If '*' is present, the length of the slice must be one. - Required. - items: - description: OperationType specifies an operation for a request. - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - resources is a list of resources this rule applies to. - - For example: - 'pods' means pods. - 'pods/log' means the log subresource of pods. - '*' means all resources, but not subresources. - 'pods/*' means all subresources of pods. - '*/scale' means all scale subresources. - '*/*' means all resources and their subresources. - - If wildcard is present, the validation rule will ensure resources do not - overlap with each other. - - Depending on the enclosing object, subresources might not be allowed. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - scope: - description: |- - scope specifies the scope of this rule. - Valid values are "Cluster", "Namespaced", and "*" - "Cluster" means that only cluster-scoped resources will match this rule. - Namespace API objects are cluster-scoped. - "Namespaced" means that only namespaced resources will match this rule. - "*" means that there are no scope restrictions. - Subresources match the scope of their parent resource. - Default is "*". 
- type: string - type: object - type: array - settings: - description: |- - Settings is a free-form object that contains the policy configuration - values. - x-kubernetes-embedded-resource: false - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - sideEffects: - description: |- - SideEffects states whether this webhook has side effects. - Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). - Webhooks with side effects MUST implement a reconciliation system, since a request may be - rejected by a future step in the admission change and the side effects therefore need to be undone. - Requests with the dryRun attribute will be auto-rejected if they match a webhook with - sideEffects == Unknown or Some. - type: string - timeoutEvalSeconds: - description: |- - TimeoutEvalSeconds specifies the timeout for the policy evaluation. After - the timeout passes, the policy evaluation call will fail based on the - failure policy. - The timeout value must be between 2 and 30 seconds. - format: int32 - maximum: 30 - minimum: 2 - type: integer - timeoutSeconds: - default: 10 - description: |- - TimeoutSeconds specifies the timeout for the policy webhook. After the timeout passes, - the webhook call will be ignored or the API call will fail based on the - failure policy. - The timeout value must be between 2 and 30 seconds. - Default to 10 seconds. - format: int32 - maximum: 30 - minimum: 2 - type: integer - required: - - module - - mutating - - rules - type: object - status: - description: PolicyStatus defines the observed state of ClusterAdmissionPolicy - and AdmissionPolicy. - properties: - conditions: - description: |- - Conditions represent the observed conditions of the - ClusterAdmissionPolicy resource. 
Known .status.conditions.types - are: "PolicyServerSecretReconciled", - "PolicyServerConfigMapReconciled", - "PolicyServerDeploymentReconciled", - "PolicyServerServiceReconciled" and - "AdmissionPolicyActive" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - mode: - description: |- - PolicyMode represents the observed policy mode of this policy in - the associated PolicyServer configuration - enum: - - protect - - monitor - - unknown - type: string - policyStatus: - description: PolicyStatus represents the observed status of the policy - enum: - - unscheduled - - scheduled - - pending - - active - type: string - required: - - policyStatus - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: Bound to Policy Server - jsonPath: .spec.policyServer - name: Policy Server - type: string - - description: Whether the policy is mutating - jsonPath: .spec.mutating - name: Mutating - type: boolean - - description: Policy deployment mode - jsonPath: .spec.mode - name: Mode - type: string - - description: Policy deployment mode observed on the assigned Policy Server - jsonPath: .status.mode - name: Observed mode - type: string - - description: Status of the policy - jsonPath: .status.policyStatus - name: Status - type: string - deprecated: true - deprecationWarning: This version is deprecated. Please, consider using v1 - name: v1alpha2 - schema: - openAPIV3Schema: - description: AdmissionPolicy is the Schema for the admissionpolicies API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AdmissionPolicySpec defines the desired state of AdmissionPolicy. - properties: - failurePolicy: - description: |- - FailurePolicy defines how unrecognized errors and timeout errors from the - policy are handled. Allowed values are "Ignore" or "Fail". - * "Ignore" means that an error calling the webhook is ignored and the API - request is allowed to continue. - * "Fail" means that an error calling the webhook causes the admission to - fail and the API request to be rejected. - The default behaviour is "Fail" - type: string - matchPolicy: - description: |- - matchPolicy defines how the "rules" list is used to match incoming requests. - Allowed values are "Exact" or "Equivalent". -
    -
  • - Exact: match a request only if it exactly matches a specified rule. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. -
  • -
  • - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. -
  • -
- Defaults to "Equivalent" - type: string - mode: - default: protect - description: |- - Mode defines the execution mode of this policy. Can be set to - either "protect" or "monitor". If it's empty, it is defaulted to - "protect". - Transitioning this setting from "monitor" to "protect" is - allowed, but is disallowed to transition from "protect" to - "monitor". To perform this transition, the policy should be - recreated in "monitor" mode instead. - enum: - - protect - - monitor - type: string - module: - description: |- - Module is the location of the WASM module to be loaded. Can be a - local file (file://), a remote file served by an HTTP server - (http://, https://), or an artifact served by an OCI-compatible - registry (registry://). - type: string - mutating: - description: |- - Mutating indicates whether a policy has the ability to mutate - incoming requests or not. - type: boolean - objectSelector: - description: |- - ObjectSelector decides whether to run the webhook based on if the - object has matching labels. objectSelector is evaluated against both - the oldObject and newObject that would be sent to the webhook, and - is considered to match if either object matches the selector. A null - object (oldObject in the case of create, or newObject in the case of - delete) or an object that cannot have labels (like a - DeploymentRollback or a PodProxyOptions object) is not considered to - match. - Use the object selector only if the webhook is opt-in, because end - users may skip the admission webhook by setting the labels. - Default to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. 
- type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - policyServer: - default: default - description: PolicyServer identifies an existing PolicyServer resource. - type: string - rules: - description: |- - Rules describes what operations on what resources/subresources the webhook cares about. - The webhook cares about an operation if it matches _any_ Rule. - items: - description: |- - RuleWithOperations is a tuple of Operations and Resources. It is recommended to make - sure that all the tuple expansions are valid. - properties: - apiGroups: - description: |- - apiGroups is the API groups the resources belong to. '*' is all groups. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - apiVersions: - description: |- - apiVersions is the API versions the resources belong to. '*' is all versions. - If '*' is present, the length of the slice must be one. - Required. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - operations: - description: |- - operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * - for all of those operations and any future admission operations that are added. - If '*' is present, the length of the slice must be one. - Required. - items: - description: OperationType specifies an operation for a request. - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - resources is a list of resources this rule applies to. - - For example: - 'pods' means pods. - 'pods/log' means the log subresource of pods. - '*' means all resources, but not subresources. - 'pods/*' means all subresources of pods. - '*/scale' means all scale subresources. - '*/*' means all resources and their subresources. - - If wildcard is present, the validation rule will ensure resources do not - overlap with each other. - - Depending on the enclosing object, subresources might not be allowed. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - scope: - description: |- - scope specifies the scope of this rule. - Valid values are "Cluster", "Namespaced", and "*" - "Cluster" means that only cluster-scoped resources will match this rule. - Namespace API objects are cluster-scoped. - "Namespaced" means that only namespaced resources will match this rule. - "*" means that there are no scope restrictions. - Subresources match the scope of their parent resource. - Default is "*". - type: string - type: object - type: array - settings: - description: |- - Settings is a free-form object that contains the policy configuration - values. - x-kubernetes-embedded-resource: false - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - sideEffects: - description: |- - SideEffects states whether this webhook has side effects. 
- Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). - Webhooks with side effects MUST implement a reconciliation system, since a request may be - rejected by a future step in the admission change and the side effects therefore need to be undone. - Requests with the dryRun attribute will be auto-rejected if they match a webhook with - sideEffects == Unknown or Some. - type: string - timeoutSeconds: - default: 10 - description: |- - TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, - the webhook call will be ignored or the API call will fail based on the - failure policy. - The timeout value must be between 1 and 30 seconds. - Default to 10 seconds. - format: int32 - type: integer - required: - - module - - mutating - - rules - type: object - status: - description: PolicyStatus defines the observed state of ClusterAdmissionPolicy - and AdmissionPolicy. - properties: - conditions: - description: |- - Conditions represent the observed conditions of the - ClusterAdmissionPolicy resource. Known .status.conditions.types - are: "PolicyServerSecretReconciled", - "PolicyServerConfigMapReconciled", - "PolicyServerDeploymentReconciled", - "PolicyServerServiceReconciled" and - "AdmissionPolicyActive" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - mode: - description: |- - PolicyMode represents the observed policy mode of this policy in - the associated PolicyServer configuration - enum: - - protect - - monitor - - unknown - type: string - policyStatus: - description: PolicyStatus represents the observed status of the policy - enum: - - unscheduled - - scheduled - - pending - - active - type: string - required: - - policyStatus - type: object - type: object - served: true - storage: false - subresources: - status: {} 
diff --git a/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml b/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml
deleted file mode 100644
index b53e3f02f..000000000
--- a/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml
+++ /dev/null
@@ -1,497 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: admissionpolicygroups.policies.kubewarden.io -spec: - group: policies.kubewarden.io - names: - kind: AdmissionPolicyGroup - listKind: AdmissionPolicyGroupList - plural: admissionpolicygroups - shortNames: - - apg - singular: admissionpolicygroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Bound to Policy Server - jsonPath: .spec.policyServer - name: Policy Server - type: string - - description: Whether the policy is mutating - jsonPath: .spec.mutating - name: Mutating - type: boolean - - description: Whether the policy is used in audit checks - jsonPath: .spec.backgroundAudit - name: BackgroundAudit - type: boolean - - description: Policy deployment mode - jsonPath: .spec.mode - name: Mode - type: string - - description: Policy deployment mode observed on the assigned Policy Server - jsonPath: .status.mode - name: Observed mode - type: string - - description: Status of the policy - jsonPath: .status.policyStatus - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity'] - name: Severity - priority: 1 - type: string - - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category'] - name: Category - priority: 1 - type: string - name: v1 - schema: - openAPIV3Schema: - description: AdmissionPolicyGroup is the Schema for the AdmissionPolicyGroups - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AdmissionPolicyGroupSpec defines the desired state of AdmissionPolicyGroup. - properties: - backgroundAudit: - default: true - description: |- - BackgroundAudit indicates whether a policy should be used or skipped when - performing audit checks. If false, the policy cannot produce meaningful - evaluation results during audit checks and will be skipped. - The default is "true". - type: boolean - expression: - description: |- - Expression is the evaluation expression to accept or reject the - admission request under evaluation. This field uses CEL as the - expression language for the policy groups. Each policy in the group - will be represented as a function call in the expression with the - same name as the policy defined in the group. The expression field - should be a valid CEL expression that evaluates to a boolean value. - If the expression evaluates to true, the group policy will be - considered as accepted, otherwise, it will be considered as - rejected. This expression allows grouping policies calls and perform - logical operations on the results of the policies. See Kubewarden - documentation to learn about all the features available. - type: string - failurePolicy: - description: |- - FailurePolicy defines how unrecognized errors and timeout errors from the - policy are handled. Allowed values are "Ignore" or "Fail". - * "Ignore" means that an error calling the webhook is ignored and the API - request is allowed to continue. 
- * "Fail" means that an error calling the webhook causes the admission to - fail and the API request to be rejected. - The default behaviour is "Fail" - type: string - matchConditions: - description: |- - MatchConditions are a list of conditions that must be met for a request to be - validated. Match conditions filter requests that have already been matched by - the rules, namespaceSelector, and objectSelector. An empty list of - matchConditions matches all requests. There are a maximum of 64 match - conditions allowed. If a parameter object is provided, it can be accessed via - the `params` handle in the same manner as validation expressions. The exact - matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, - the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy - is evaluated. 3. If any matchCondition evaluates to an error (but none are - FALSE): - If failurePolicy=Fail, reject the request - If - failurePolicy=Ignore, the policy is skipped. - Only available if the feature gate AdmissionWebhookMatchConditions is enabled. - items: - description: MatchCondition represents a condition which must by - fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. 
- See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - Required. - type: string - name: - description: |- - name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - Required. - type: string - required: - - expression - - name - type: object - type: array - matchPolicy: - description: |- - matchPolicy defines how the "rules" list is used to match incoming requests. - Allowed values are "Exact" or "Equivalent". -
    -
  • - Exact: match a request only if it exactly matches a specified rule. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. -
  • -
  • - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. -
  • -
- Defaults to "Equivalent" - type: string - message: - description: |- - Message is used to specify the message that will be returned when - the policy group is rejected. The specific policy results will be - returned in the warning field of the response. - type: string - mode: - default: protect - description: |- - Mode defines the execution mode of this policy. Can be set to - either "protect" or "monitor". If it's empty, it is defaulted to - "protect". - Transitioning this setting from "monitor" to "protect" is - allowed, but is disallowed to transition from "protect" to - "monitor". To perform this transition, the policy should be - recreated in "monitor" mode instead. - enum: - - protect - - monitor - type: string - objectSelector: - description: |- - ObjectSelector decides whether to run the webhook based on if the - object has matching labels. objectSelector is evaluated against both - the oldObject and newObject that would be sent to the webhook, and - is considered to match if either object matches the selector. A null - object (oldObject in the case of create, or newObject in the case of - delete) or an object that cannot have labels (like a - DeploymentRollback or a PodProxyOptions object) is not considered to - match. - Use the object selector only if the webhook is opt-in, because end - users may skip the admission webhook by setting the labels. - Default to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - policies: - additionalProperties: - properties: - module: - description: |- - Module is the location of the WASM module to be loaded. Can be a - local file (file://), a remote file served by an HTTP server - (http://, https://), or an artifact served by an OCI-compatible - registry (registry://). - If prefix is missing, it will default to registry:// and use that - internally. - type: string - settings: - description: |- - Settings is a free-form object that contains the policy configuration - values. - x-kubernetes-embedded-resource: false - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - timeoutEvalSeconds: - description: |- - TimeoutEvalSeconds specifies the timeout for the policy evaluation. After - the timeout passes, the policy evaluation call will fail based on the - failure policy. - The timeout value must be between 2 and 30 seconds. - format: int32 - maximum: 30 - minimum: 2 - type: integer - required: - - module - type: object - description: |- - Policies is a list of policies that are part of the group that will - be available to be called in the evaluation expression field. 
- Each policy in the group should be a Kubewarden policy. - type: object - policyServer: - default: default - description: PolicyServer identifies an existing PolicyServer resource. - type: string - rules: - description: |- - Rules describes what operations on what resources/subresources the webhook cares about. - The webhook cares about an operation if it matches _any_ Rule. - items: - description: |- - RuleWithOperations is a tuple of Operations and Resources. It is recommended to make - sure that all the tuple expansions are valid. - properties: - apiGroups: - description: |- - apiGroups is the API groups the resources belong to. '*' is all groups. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - apiVersions: - description: |- - apiVersions is the API versions the resources belong to. '*' is all versions. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - operations: - description: |- - operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * - for all of those operations and any future admission operations that are added. - If '*' is present, the length of the slice must be one. - Required. - items: - description: OperationType specifies an operation for a request. - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - resources is a list of resources this rule applies to. - - For example: - 'pods' means pods. - 'pods/log' means the log subresource of pods. - '*' means all resources, but not subresources. - 'pods/*' means all subresources of pods. - '*/scale' means all scale subresources. - '*/*' means all resources and their subresources. - - If wildcard is present, the validation rule will ensure resources do not - overlap with each other. 
- - Depending on the enclosing object, subresources might not be allowed. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - scope: - description: |- - scope specifies the scope of this rule. - Valid values are "Cluster", "Namespaced", and "*" - "Cluster" means that only cluster-scoped resources will match this rule. - Namespace API objects are cluster-scoped. - "Namespaced" means that only namespaced resources will match this rule. - "*" means that there are no scope restrictions. - Subresources match the scope of their parent resource. - Default is "*". - type: string - type: object - type: array - sideEffects: - description: |- - SideEffects states whether this webhook has side effects. - Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). - Webhooks with side effects MUST implement a reconciliation system, since a request may be - rejected by a future step in the admission change and the side effects therefore need to be undone. - Requests with the dryRun attribute will be auto-rejected if they match a webhook with - sideEffects == Unknown or Some. - type: string - timeoutSeconds: - default: 10 - description: |- - TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, - the webhook call will be ignored or the API call will fail based on the - failure policy. - The timeout value must be between 2 and 30 seconds. - Default to 10 seconds. - format: int32 - maximum: 30 - minimum: 2 - type: integer - required: - - expression - - message - - policies - - rules - type: object - status: - description: PolicyStatus defines the observed state of ClusterAdmissionPolicy - and AdmissionPolicy. - properties: - conditions: - description: |- - Conditions represent the observed conditions of the - ClusterAdmissionPolicy resource. 
Known .status.conditions.types - are: "PolicyServerSecretReconciled", - "PolicyServerConfigMapReconciled", - "PolicyServerDeploymentReconciled", - "PolicyServerServiceReconciled" and - "AdmissionPolicyActive" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - mode: - description: |- - PolicyMode represents the observed policy mode of this policy in - the associated PolicyServer configuration - enum: - - protect - - monitor - - unknown - type: string - policyStatus: - description: PolicyStatus represents the observed status of the policy - enum: - - unscheduled - - scheduled - - pending - - active - type: string - required: - - policyStatus - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml b/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml deleted file mode 100644 index 6444699b8..000000000 --- a/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml +++ /dev/null 
@@ -1,1056 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: clusteradmissionpolicies.policies.kubewarden.io -spec: - group: policies.kubewarden.io - names: - kind: ClusterAdmissionPolicy - listKind: ClusterAdmissionPolicyList - plural: clusteradmissionpolicies - shortNames: - - cap - singular: clusteradmissionpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Bound to Policy Server - jsonPath: .spec.policyServer - name: Policy Server - type: string - - description: Whether the policy is mutating - jsonPath: .spec.mutating - name: Mutating - type: boolean - - description: Whether the policy is used in audit checks - jsonPath: .spec.backgroundAudit - name: BackgroundAudit - type: boolean - - description: Policy deployment mode - jsonPath: .spec.mode - name: Mode - type: string - - description: Policy deployment mode observed on the assigned Policy Server - jsonPath: .status.mode - name: Observed mode - type: string - - description: Status of the policy - jsonPath: .status.policyStatus - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity'] - name: Severity - priority: 1 - type: string - - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category'] - name: Category - priority: 1 - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy. - properties: - allowInsideAdmissionControllerNamespace: - description: |- - AllowInsideAdmissionControllerNamespace controls whether the policy should also be - evaluated for resources in the namespace where Kubewarden is deployed. - By default (false), an exclusion rule is added to the webhook so that the - Kubewarden namespace is never targeted, protecting against an accidental - lockout. Set this to true only if you deliberately want the policy to apply - inside the Kubewarden namespace. - Warning: setting this to true may cause a deadlock if the policy prevents - Kubewarden components from starting. - type: boolean - backgroundAudit: - default: true - description: |- - BackgroundAudit indicates whether a policy should be used or skipped when - performing audit checks. If false, the policy cannot produce meaningful - evaluation results during audit checks and will be skipped. - The default is "true". - type: boolean - contextAwareResources: - description: |- - List of Kubernetes resources the policy is allowed to access at evaluation time. - Access to these resources is done using the `ServiceAccount` of the PolicyServer - the policy is assigned to. - items: - description: ContextAwareResource identifies a Kubernetes resource. - properties: - apiVersion: - description: apiVersion of the resource (v1 for core group, - groupName/groupVersions for other). 
- type: string - kind: - description: Singular PascalCase name of the resource - type: string - required: - - apiVersion - - kind - type: object - type: array - failurePolicy: - description: |- - FailurePolicy defines how unrecognized errors and timeout errors from the - policy are handled. Allowed values are "Ignore" or "Fail". - * "Ignore" means that an error calling the webhook is ignored and the API - request is allowed to continue. - * "Fail" means that an error calling the webhook causes the admission to - fail and the API request to be rejected. - The default behaviour is "Fail" - type: string - matchConditions: - description: |- - MatchConditions are a list of conditions that must be met for a request to be - validated. Match conditions filter requests that have already been matched by - the rules, namespaceSelector, and objectSelector. An empty list of - matchConditions matches all requests. There are a maximum of 64 match - conditions allowed. If a parameter object is provided, it can be accessed via - the `params` handle in the same manner as validation expressions. The exact - matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, - the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy - is evaluated. 3. If any matchCondition evaluates to an error (but none are - FALSE): - If failurePolicy=Fail, reject the request - If - failurePolicy=Ignore, the policy is skipped. - Only available if the feature gate AdmissionWebhookMatchConditions is enabled. - items: - description: MatchCondition represents a condition which must by - fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - 'object' - The object from the incoming request. The value is null for DELETE requests. 
- 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - Required. - type: string - name: - description: |- - name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - Required. - type: string - required: - - expression - - name - type: object - type: array - matchPolicy: - description: |- - matchPolicy defines how the "rules" list is used to match incoming requests. - Allowed values are "Exact" or "Equivalent". -
    -
  • - Exact: match a request only if it exactly matches a specified rule. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. -
  • -
  • - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. -
  • -
- Defaults to "Equivalent" - type: string - message: - description: |- - Message overrides the rejection message of the policy. - When provided, the policy's rejection message can be found - inside of the `.status.details.causes` field of the - AdmissionResponse object - type: string - mode: - default: protect - description: |- - Mode defines the execution mode of this policy. Can be set to - either "protect" or "monitor". If it's empty, it is defaulted to - "protect". - Transitioning this setting from "monitor" to "protect" is - allowed, but is disallowed to transition from "protect" to - "monitor". To perform this transition, the policy should be - recreated in "monitor" mode instead. - enum: - - protect - - monitor - type: string - module: - description: |- - Module is the location of the WASM module to be loaded. Can be a - local file (file://), a remote file served by an HTTP server - (http://, https://), or an artifact served by an OCI-compatible - registry (registry://). - If prefix is missing, it will default to registry:// and use that - internally. - type: string - mutating: - description: |- - Mutating indicates whether a policy has the ability to mutate - incoming requests or not. - type: boolean - namespaceSelector: - description: |- - NamespaceSelector decides whether to run the webhook on an object based - on whether the namespace for that object matches the selector. If the - object itself is a namespace, the matching is performed on - object.metadata.labels. If the object is another cluster scoped resource, - it never skips the webhook. -

- For example, to run the webhook on any objects whose namespace is not - associated with "runlevel" of "0" or "1"; you will set the selector as - follows: -
-                  "namespaceSelector": \{
-   "matchExpressions": [
-     \{
-       "key": "runlevel",
-       "operator": "NotIn",
-       "values": [
-         "0",
-         "1"
-       ]
-     \}
-   ]
- \} -
- If instead you want to only run the webhook on any objects whose - namespace is associated with the "environment" of "prod" or "staging"; - you will set the selector as follows: -
-                  "namespaceSelector": \{
-   "matchExpressions": [
-     \{
-       "key": "environment",
-       "operator": "In",
-       "values": [
-         "prod",
-         "staging"
-       ]
-     \}
-   ]
- \} -
- See - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels - for more examples of label selectors. -

- Default to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - objectSelector: - description: |- - ObjectSelector decides whether to run the webhook based on if the - object has matching labels. objectSelector is evaluated against both - the oldObject and newObject that would be sent to the webhook, and - is considered to match if either object matches the selector. A null - object (oldObject in the case of create, or newObject in the case of - delete) or an object that cannot have labels (like a - DeploymentRollback or a PodProxyOptions object) is not considered to - match. 
- Use the object selector only if the webhook is opt-in, because end - users may skip the admission webhook by setting the labels. - Default to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - policyServer: - default: default - description: PolicyServer identifies an existing PolicyServer resource. - type: string - rules: - description: |- - Rules describes what operations on what resources/subresources the webhook cares about. - The webhook cares about an operation if it matches _any_ Rule. - items: - description: |- - RuleWithOperations is a tuple of Operations and Resources. 
It is recommended to make - sure that all the tuple expansions are valid. - properties: - apiGroups: - description: |- - apiGroups is the API groups the resources belong to. '*' is all groups. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - apiVersions: - description: |- - apiVersions is the API versions the resources belong to. '*' is all versions. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - operations: - description: |- - operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * - for all of those operations and any future admission operations that are added. - If '*' is present, the length of the slice must be one. - Required. - items: - description: OperationType specifies an operation for a request. - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - resources is a list of resources this rule applies to. - - For example: - 'pods' means pods. - 'pods/log' means the log subresource of pods. - '*' means all resources, but not subresources. - 'pods/*' means all subresources of pods. - '*/scale' means all scale subresources. - '*/*' means all resources and their subresources. - - If wildcard is present, the validation rule will ensure resources do not - overlap with each other. - - Depending on the enclosing object, subresources might not be allowed. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - scope: - description: |- - scope specifies the scope of this rule. - Valid values are "Cluster", "Namespaced", and "*" - "Cluster" means that only cluster-scoped resources will match this rule. - Namespace API objects are cluster-scoped. - "Namespaced" means that only namespaced resources will match this rule. - "*" means that there are no scope restrictions. 
- Subresources match the scope of their parent resource. - Default is "*". - type: string - type: object - type: array - settings: - description: |- - Settings is a free-form object that contains the policy configuration - values. - x-kubernetes-embedded-resource: false - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - sideEffects: - description: |- - SideEffects states whether this webhook has side effects. - Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). - Webhooks with side effects MUST implement a reconciliation system, since a request may be - rejected by a future step in the admission change and the side effects therefore need to be undone. - Requests with the dryRun attribute will be auto-rejected if they match a webhook with - sideEffects == Unknown or Some. - type: string - timeoutEvalSeconds: - description: |- - TimeoutEvalSeconds specifies the timeout for the policy evaluation. After - the timeout passes, the policy evaluation call will fail based on the - failure policy. - The timeout value must be between 2 and 30 seconds. - format: int32 - maximum: 30 - minimum: 2 - type: integer - timeoutSeconds: - default: 10 - description: |- - TimeoutSeconds specifies the timeout for the policy webhook. After the timeout passes, - the webhook call will be ignored or the API call will fail based on the - failure policy. - The timeout value must be between 2 and 30 seconds. - Default to 10 seconds. - format: int32 - maximum: 30 - minimum: 2 - type: integer - required: - - module - - mutating - - rules - type: object - status: - description: PolicyStatus defines the observed state of ClusterAdmissionPolicy - and AdmissionPolicy. - properties: - conditions: - description: |- - Conditions represent the observed conditions of the - ClusterAdmissionPolicy resource. 
Known .status.conditions.types - are: "PolicyServerSecretReconciled", - "PolicyServerConfigMapReconciled", - "PolicyServerDeploymentReconciled", - "PolicyServerServiceReconciled" and - "AdmissionPolicyActive" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - mode: - description: |- - PolicyMode represents the observed policy mode of this policy in - the associated PolicyServer configuration - enum: - - protect - - monitor - - unknown - type: string - policyStatus: - description: PolicyStatus represents the observed status of the policy - enum: - - unscheduled - - scheduled - - pending - - active - type: string - required: - - policyStatus - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: Bound to Policy Server - jsonPath: .spec.policyServer - name: Policy Server - type: string - - description: Whether the policy is mutating - jsonPath: .spec.mutating - name: Mutating - type: boolean - - description: Policy deployment mode - jsonPath: .spec.mode - name: Mode - type: string - - description: Policy deployment mode observed on the assigned Policy Server - jsonPath: .status.mode - name: Observed mode - type: string - - description: Status of the policy - jsonPath: .status.policyStatus - name: Status - type: string - deprecated: true - deprecationWarning: This version is deprecated. Please, consider using v1 - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy. - properties: - failurePolicy: - description: |- - FailurePolicy defines how unrecognized errors and timeout errors from the - policy are handled. Allowed values are "Ignore" or "Fail". - * "Ignore" means that an error calling the webhook is ignored and the API - request is allowed to continue. - * "Fail" means that an error calling the webhook causes the admission to - fail and the API request to be rejected. - The default behaviour is "Fail" - type: string - matchPolicy: - description: |- - matchPolicy defines how the "rules" list is used to match incoming requests. - Allowed values are "Exact" or "Equivalent". -
    -
  • - Exact: match a request only if it exactly matches a specified rule. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. -
  • -
  • - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. -
  • -
- Defaults to "Equivalent" - type: string - mode: - default: protect - description: |- - Mode defines the execution mode of this policy. Can be set to - either "protect" or "monitor". If it's empty, it is defaulted to - "protect". - Transitioning this setting from "monitor" to "protect" is - allowed, but is disallowed to transition from "protect" to - "monitor". To perform this transition, the policy should be - recreated in "monitor" mode instead. - enum: - - protect - - monitor - type: string - module: - description: |- - Module is the location of the WASM module to be loaded. Can be a - local file (file://), a remote file served by an HTTP server - (http://, https://), or an artifact served by an OCI-compatible - registry (registry://). - type: string - mutating: - description: |- - Mutating indicates whether a policy has the ability to mutate - incoming requests or not. - type: boolean - namespaceSelector: - description: |- - NamespaceSelector decides whether to run the webhook on an object based - on whether the namespace for that object matches the selector. If the - object itself is a namespace, the matching is performed on - object.metadata.labels. If the object is another cluster scoped resource, - it never skips the webhook. -

- For example, to run the webhook on any objects whose namespace is not - associated with "runlevel" of "0" or "1"; you will set the selector as - follows: -
-                  "namespaceSelector": \{
-   "matchExpressions": [
-     \{
-       "key": "runlevel",
-       "operator": "NotIn",
-       "values": [
-         "0",
-         "1"
-       ]
-     \}
-   ]
- \} -
- If instead you want to only run the webhook on any objects whose - namespace is associated with the "environment" of "prod" or "staging"; - you will set the selector as follows: -
-                  "namespaceSelector": \{
-   "matchExpressions": [
-     \{
-       "key": "environment",
-       "operator": "In",
-       "values": [
-         "prod",
-         "staging"
-       ]
-     \}
-   ]
- \} -
- See - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels - for more examples of label selectors. -

- Default to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - objectSelector: - description: |- - ObjectSelector decides whether to run the webhook based on if the - object has matching labels. objectSelector is evaluated against both - the oldObject and newObject that would be sent to the webhook, and - is considered to match if either object matches the selector. A null - object (oldObject in the case of create, or newObject in the case of - delete) or an object that cannot have labels (like a - DeploymentRollback or a PodProxyOptions object) is not considered to - match. 
- Use the object selector only if the webhook is opt-in, because end - users may skip the admission webhook by setting the labels. - Default to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - policyServer: - default: default - description: PolicyServer identifies an existing PolicyServer resource. - type: string - rules: - description: |- - Rules describes what operations on what resources/subresources the webhook cares about. - The webhook cares about an operation if it matches _any_ Rule. - items: - description: |- - RuleWithOperations is a tuple of Operations and Resources. 
It is recommended to make - sure that all the tuple expansions are valid. - properties: - apiGroups: - description: |- - apiGroups is the API groups the resources belong to. '*' is all groups. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - apiVersions: - description: |- - apiVersions is the API versions the resources belong to. '*' is all versions. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - operations: - description: |- - operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * - for all of those operations and any future admission operations that are added. - If '*' is present, the length of the slice must be one. - Required. - items: - description: OperationType specifies an operation for a request. - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - resources is a list of resources this rule applies to. - - For example: - 'pods' means pods. - 'pods/log' means the log subresource of pods. - '*' means all resources, but not subresources. - 'pods/*' means all subresources of pods. - '*/scale' means all scale subresources. - '*/*' means all resources and their subresources. - - If wildcard is present, the validation rule will ensure resources do not - overlap with each other. - - Depending on the enclosing object, subresources might not be allowed. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - scope: - description: |- - scope specifies the scope of this rule. - Valid values are "Cluster", "Namespaced", and "*" - "Cluster" means that only cluster-scoped resources will match this rule. - Namespace API objects are cluster-scoped. - "Namespaced" means that only namespaced resources will match this rule. - "*" means that there are no scope restrictions. 
- Subresources match the scope of their parent resource. - Default is "*". - type: string - type: object - type: array - settings: - description: |- - Settings is a free-form object that contains the policy configuration - values. - x-kubernetes-embedded-resource: false - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - sideEffects: - description: |- - SideEffects states whether this webhook has side effects. - Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). - Webhooks with side effects MUST implement a reconciliation system, since a request may be - rejected by a future step in the admission change and the side effects therefore need to be undone. - Requests with the dryRun attribute will be auto-rejected if they match a webhook with - sideEffects == Unknown or Some. - type: string - timeoutSeconds: - default: 10 - description: |- - TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, - the webhook call will be ignored or the API call will fail based on the - failure policy. - The timeout value must be between 1 and 30 seconds. - Default to 10 seconds. - format: int32 - type: integer - required: - - module - - mutating - - rules - type: object - status: - description: PolicyStatus defines the observed state of ClusterAdmissionPolicy - and AdmissionPolicy. - properties: - conditions: - description: |- - Conditions represent the observed conditions of the - ClusterAdmissionPolicy resource. Known .status.conditions.types - are: "PolicyServerSecretReconciled", - "PolicyServerConfigMapReconciled", - "PolicyServerDeploymentReconciled", - "PolicyServerServiceReconciled" and - "AdmissionPolicyActive" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. 
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - mode: - description: |- - PolicyMode represents the observed policy mode of this policy in - the associated PolicyServer configuration - enum: - - protect - - monitor - - unknown - type: string - policyStatus: - description: PolicyStatus represents the observed status of the policy - enum: - - unscheduled - - scheduled - - pending - - active - type: string - required: - - policyStatus - type: object - type: object - served: true - storage: false - subresources: - status: {}
diff --git a/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml b/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml
deleted file mode 100644
index 558bd2748..000000000
--- a/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml
+++ /dev/null
@@ -1,621 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: clusteradmissionpolicygroups.policies.kubewarden.io
-spec: - group: policies.kubewarden.io - names: - kind: ClusterAdmissionPolicyGroup - listKind: ClusterAdmissionPolicyGroupList - plural: clusteradmissionpolicygroups - shortNames: - - capg - singular: clusteradmissionpolicygroup - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Bound to Policy Server - jsonPath: .spec.policyServer - name: Policy Server - type: string - - description: Whether the policy is mutating - jsonPath: .spec.mutating - name: Mutating - type: boolean - - description: Whether the policy is used in audit checks - jsonPath: .spec.backgroundAudit - name: BackgroundAudit - type: boolean - - description: Policy deployment mode - jsonPath: .spec.mode - name: Mode - type: string - - description: Policy deployment mode observed on the assigned Policy Server - jsonPath: .status.mode - name: Observed mode - type: string - - description: Status of the policy - jsonPath: .status.policyStatus - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.severity'] - name: Severity - priority: 1 - type: string - - jsonPath: .metadata.annotations['io\.kubewarden\.policy\.category'] - name: Category - priority: 1 - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterAdmissionPolicyGroup is the Schema for the clusteradmissionpolicies - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterAdmissionPolicyGroupSpec defines the desired state - of ClusterAdmissionPolicyGroup. - properties: - allowInsideAdmissionControllerNamespace: - description: |- - AllowInsideAdmissionControllerNamespace controls whether the policy should also be - evaluated for resources in the namespace where Kubewarden is deployed. - By default (false), an exclusion rule is added to the webhook so that the - Kubewarden namespace is never targeted, protecting against an accidental - lockout. Set this to true only if you deliberately want the policy to apply - inside the Kubewarden namespace. - Warning: setting this to true may cause a deadlock if the policy prevents - Kubewarden components from starting. - type: boolean - backgroundAudit: - default: true - description: |- - BackgroundAudit indicates whether a policy should be used or skipped when - performing audit checks. If false, the policy cannot produce meaningful - evaluation results during audit checks and will be skipped. - The default is "true". - type: boolean - expression: - description: |- - Expression is the evaluation expression to accept or reject the - admission request under evaluation. This field uses CEL as the - expression language for the policy groups. Each policy in the group - will be represented as a function call in the expression with the - same name as the policy defined in the group. The expression field - should be a valid CEL expression that evaluates to a boolean value. 
- If the expression evaluates to true, the group policy will be - considered as accepted, otherwise, it will be considered as - rejected. This expression allows grouping policies calls and perform - logical operations on the results of the policies. See Kubewarden - documentation to learn about all the features available. - type: string - failurePolicy: - description: |- - FailurePolicy defines how unrecognized errors and timeout errors from the - policy are handled. Allowed values are "Ignore" or "Fail". - * "Ignore" means that an error calling the webhook is ignored and the API - request is allowed to continue. - * "Fail" means that an error calling the webhook causes the admission to - fail and the API request to be rejected. - The default behaviour is "Fail" - type: string - matchConditions: - description: |- - MatchConditions are a list of conditions that must be met for a request to be - validated. Match conditions filter requests that have already been matched by - the rules, namespaceSelector, and objectSelector. An empty list of - matchConditions matches all requests. There are a maximum of 64 match - conditions allowed. If a parameter object is provided, it can be accessed via - the `params` handle in the same manner as validation expressions. The exact - matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, - the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy - is evaluated. 3. If any matchCondition evaluates to an error (but none are - FALSE): - If failurePolicy=Fail, reject the request - If - failurePolicy=Ignore, the policy is skipped. - Only available if the feature gate AdmissionWebhookMatchConditions is enabled. - items: - description: MatchCondition represents a condition which must by - fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - expression represents the expression which will be evaluated by CEL. Must evaluate to bool. 
- CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - Required. - type: string - name: - description: |- - name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - Required. - type: string - required: - - expression - - name - type: object - type: array - matchPolicy: - description: |- - matchPolicy defines how the "rules" list is used to match incoming requests. - Allowed values are "Exact" or "Equivalent". -
    -
  • - Exact: match a request only if it exactly matches a specified rule. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. -
  • -
  • - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. - For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, - and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, - a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. -
  • -
- Defaults to "Equivalent" - type: string - message: - description: |- - Message is used to specify the message that will be returned when - the policy group is rejected. The specific policy results will be - returned in the warning field of the response. - type: string - mode: - default: protect - description: |- - Mode defines the execution mode of this policy. Can be set to - either "protect" or "monitor". If it's empty, it is defaulted to - "protect". - Transitioning this setting from "monitor" to "protect" is - allowed, but is disallowed to transition from "protect" to - "monitor". To perform this transition, the policy should be - recreated in "monitor" mode instead. - enum: - - protect - - monitor - type: string - namespaceSelector: - description: |- - NamespaceSelector decides whether to run the webhook on an object based - on whether the namespace for that object matches the selector. If the - object itself is a namespace, the matching is performed on - object.metadata.labels. If the object is another cluster scoped resource, - it never skips the webhook. -

- For example, to run the webhook on any objects whose namespace is not - associated with "runlevel" of "0" or "1"; you will set the selector as - follows: -
-                  "namespaceSelector": \{
-   "matchExpressions": [
-     \{
-       "key": "runlevel",
-       "operator": "NotIn",
-       "values": [
-         "0",
-         "1"
-       ]
-     \}
-   ]
- \} -
- If instead you want to only run the webhook on any objects whose - namespace is associated with the "environment" of "prod" or "staging"; - you will set the selector as follows: -
-                  "namespaceSelector": \{
-   "matchExpressions": [
-     \{
-       "key": "environment",
-       "operator": "In",
-       "values": [
-         "prod",
-         "staging"
-       ]
-     \}
-   ]
- \} -
- See - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels - for more examples of label selectors. -

- Default to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - objectSelector: - description: |- - ObjectSelector decides whether to run the webhook based on if the - object has matching labels. objectSelector is evaluated against both - the oldObject and newObject that would be sent to the webhook, and - is considered to match if either object matches the selector. A null - object (oldObject in the case of create, or newObject in the case of - delete) or an object that cannot have labels (like a - DeploymentRollback or a PodProxyOptions object) is not considered to - match. 
- Use the object selector only if the webhook is opt-in, because end - users may skip the admission webhook by setting the labels. - Default to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - policies: - additionalProperties: - properties: - contextAwareResources: - description: |- - List of Kubernetes resources the policy is allowed to access at evaluation time. - Access to these resources is done using the `ServiceAccount` of the PolicyServer - the policy is assigned to. - items: - description: ContextAwareResource identifies a Kubernetes - resource. 
- properties: - apiVersion: - description: apiVersion of the resource (v1 for core group, - groupName/groupVersions for other). - type: string - kind: - description: Singular PascalCase name of the resource - type: string - required: - - apiVersion - - kind - type: object - type: array - module: - description: |- - Module is the location of the WASM module to be loaded. Can be a - local file (file://), a remote file served by an HTTP server - (http://, https://), or an artifact served by an OCI-compatible - registry (registry://). - If prefix is missing, it will default to registry:// and use that - internally. - type: string - settings: - description: |- - Settings is a free-form object that contains the policy configuration - values. - x-kubernetes-embedded-resource: false - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - timeoutEvalSeconds: - description: |- - TimeoutEvalSeconds specifies the timeout for the policy evaluation. After - the timeout passes, the policy evaluation call will fail based on the - failure policy. - The timeout value must be between 2 and 30 seconds. - format: int32 - maximum: 30 - minimum: 2 - type: integer - required: - - module - type: object - description: |- - Policies is a list of policies that are part of the group that will - be available to be called in the evaluation expression field. - Each policy in the group should be a Kubewarden policy. - type: object - policyServer: - default: default - description: PolicyServer identifies an existing PolicyServer resource. - type: string - rules: - description: |- - Rules describes what operations on what resources/subresources the webhook cares about. - The webhook cares about an operation if it matches _any_ Rule. - items: - description: |- - RuleWithOperations is a tuple of Operations and Resources. It is recommended to make - sure that all the tuple expansions are valid. 
- properties: - apiGroups: - description: |- - apiGroups is the API groups the resources belong to. '*' is all groups. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - apiVersions: - description: |- - apiVersions is the API versions the resources belong to. '*' is all versions. - If '*' is present, the length of the slice must be one. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - operations: - description: |- - operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * - for all of those operations and any future admission operations that are added. - If '*' is present, the length of the slice must be one. - Required. - items: - description: OperationType specifies an operation for a request. - type: string - type: array - x-kubernetes-list-type: atomic - resources: - description: |- - resources is a list of resources this rule applies to. - - For example: - 'pods' means pods. - 'pods/log' means the log subresource of pods. - '*' means all resources, but not subresources. - 'pods/*' means all subresources of pods. - '*/scale' means all scale subresources. - '*/*' means all resources and their subresources. - - If wildcard is present, the validation rule will ensure resources do not - overlap with each other. - - Depending on the enclosing object, subresources might not be allowed. - Required. - items: - type: string - type: array - x-kubernetes-list-type: atomic - scope: - description: |- - scope specifies the scope of this rule. - Valid values are "Cluster", "Namespaced", and "*" - "Cluster" means that only cluster-scoped resources will match this rule. - Namespace API objects are cluster-scoped. - "Namespaced" means that only namespaced resources will match this rule. - "*" means that there are no scope restrictions. - Subresources match the scope of their parent resource. - Default is "*". 
- type: string - type: object - type: array - sideEffects: - description: |- - SideEffects states whether this webhook has side effects. - Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). - Webhooks with side effects MUST implement a reconciliation system, since a request may be - rejected by a future step in the admission change and the side effects therefore need to be undone. - Requests with the dryRun attribute will be auto-rejected if they match a webhook with - sideEffects == Unknown or Some. - type: string - timeoutSeconds: - default: 10 - description: |- - TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, - the webhook call will be ignored or the API call will fail based on the - failure policy. - The timeout value must be between 2 and 30 seconds. - Default to 10 seconds. - format: int32 - maximum: 30 - minimum: 2 - type: integer - required: - - expression - - message - - policies - - rules - type: object - status: - description: PolicyStatus defines the observed state of ClusterAdmissionPolicy - and AdmissionPolicy. - properties: - conditions: - description: |- - Conditions represent the observed conditions of the - ClusterAdmissionPolicy resource. Known .status.conditions.types - are: "PolicyServerSecretReconciled", - "PolicyServerConfigMapReconciled", - "PolicyServerDeploymentReconciled", - "PolicyServerServiceReconciled" and - "AdmissionPolicyActive" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - mode: - description: |- - PolicyMode represents the observed policy mode of this policy in - the associated PolicyServer configuration - enum: - - protect - - monitor - - unknown - type: string - policyStatus: - description: PolicyStatus represents the observed status of the policy - enum: - - unscheduled - - scheduled - - pending - - active - type: string - required: - - policyStatus - type: object - type: object - served: true - storage: true - subresources: - status: {}
diff --git a/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_policyservers.yaml b/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_policyservers.yaml
deleted file mode 100644
index 0b0bf5d2b..000000000
--- a/charts/kubewarden-crds/templates/crds/policies.kubewarden.io_policyservers.yaml
+++ /dev/null
@@ -1,2182 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - name: policyservers.policies.kubewarden.io -spec: - group: policies.kubewarden.io - names: - kind: PolicyServer - listKind: PolicyServerList - plural: policyservers - shortNames: - - ps - singular: policyserver - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Policy Server replicas - jsonPath: .spec.replicas - name: Replicas - type: string - - description: Policy Server image - jsonPath: .spec.image - name: Image - type: string - name: v1 - schema: - openAPIV3Schema: - description: PolicyServer is the Schema for the policyservers API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PolicyServerSpec defines the desired state of PolicyServer. - properties: - affinity: - description: Affinity rules for the associated Policy Server pods. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the - pod. 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding - nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. 
A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate - this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. 
- If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. 
- properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. 
- The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - annotations: - additionalProperties: - type: string - description: |- - Annotations is an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - env: - description: List of environment variables to set in the container. - items: - description: EnvVar represents an environment variable present in - a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. 
Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. Cannot - be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath is - written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. 
- During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. 
- type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - description: Docker image name. - type: string - imagePullSecret: - description: |- - Name of ImagePullSecret secret in the same namespace, used for pulling - policies from repositories. - type: string - insecureSources: - description: |- - List of insecure URIs to policy repositories. The `insecureSources` - content format corresponds with the contents of the `insecure_sources` - key in `sources.yaml`. Reference for `sources.yaml` is found in the - Kubewarden documentation in the reference section. - items: - type: string - type: array - labels: - additionalProperties: - type: string - description: |- - Labels is a map of custom labels to be applied to the Deployment created by the - PolicyServer and to the Pods managed by that Deployment. System labels set by - the controller always take precedence over user-defined labels with the same key. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Limits describes the maximum amount of compute resources - allowed. 
- type: object - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - Number of policy server replicas that can be unavailable after the - eviction. The value can be an absolute number or a percentage. Only one of - MinAvailable or Max MaxUnavailable can be set. - x-kubernetes-int-or-string: true - metricsPort: - description: |- - Port exposed by the metrics Service for this policy server. - When unset, defaults to the controller-wide default - (KUBEWARDEN_POLICY_SERVER_SERVICES_METRICS_PORT env var, or 8080). - Only relevant when metrics are enabled. - - Use this field to customize which port Prometheus scrapes for this - PolicyServer's metrics Service (e.g. to match naming conventions or - avoid Service-level port collisions). - - NOTE: this field controls only the Service Port (the externally visible - scrape port). The Service TargetPort — the port the pod actually listens - on — is always the controller-wide default and is not affected by this - field. This is intentional: when the OpenTelemetry sidecar mode is - enabled, each pod gets its own injected sidecar, but the pod-side - Prometheus listener port is determined by controller-wide/injection - configuration, not per PolicyServer. Therefore, changing this field does - not change the pod listener port and will not resolve pod-port conflicts - such as those caused by hostNetwork. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - minAvailable: - anyOf: - - type: integer - - type: string - description: |- - Number of policy server replicas that must be still available after the - eviction. The value can be an absolute number or a percentage. Only one of - MinAvailable or Max MaxUnavailable can be set. - x-kubernetes-int-or-string: true - namespacedPoliciesCapabilities: - description: |- - NamespacedPoliciesCapabilities lists host capability API calls allowed - for namespaced policies running on this PolicyServer. 
When not set, - no host capabilities are granted to namespaced policies. - Supported wildcard patterns: - - "*": allow all host capabilities - - "category/*": allow all capabilities in a category (e.g. "oci/*") - - "category/version/*": allow all capabilities of a specific version (e.g. "oci/v1/*") - - Specific capability paths (e.g. "oci/v1/verify", "net/v1/dns_lookup_host") - items: - type: string - type: array - priorityClassName: - description: |- - PriorityClassName is the name of the PriorityClass to be used for the - policy server pods. Useful to schedule policy server pods with higher - priority to ensure their availability over other cluster workload - resources. - Note: If the referenced PriorityClass is deleted, existing pods - remain unchanged, but new pods that reference it cannot be created. - type: string - readinessProbePort: - description: |- - Port used by the policy server to expose the readiness probe endpoint. - When unset, defaults to 8081. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - replicas: - description: Replicas is the number of desired replicas. - format: int32 - type: integer - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Request is omitted for, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value - type: object - securityContexts: - description: |- - Security configuration to be used in the Policy Server workload. - The field allows different configurations for the pod and containers. - If set for the containers, this configuration will not be used in - containers added by other controllers (e.g. 
telemetry sidecars) - properties: - container: - description: securityContext definition to be used in the policy - server container - properties: - allowPrivilegeEscalation: - description: |- - AllowPrivilegeEscalation controls whether a process can gain more - privileges than its parent process. This bool directly controls if - the no_new_privs flag will be set on the container process. - AllowPrivilegeEscalation is true always when the container is: - 1) run as Privileged - 2) has CAP_SYS_ADMIN - Note that this field cannot be set when spec.os.name is windows. - type: boolean - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by this container. If set, this profile - overrides the pod's appArmorProfile. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - capabilities: - description: |- - The capabilities to add/drop when running containers. - Defaults to the default set of capabilities granted by the container runtime. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities - type - type: string - type: array - x-kubernetes-list-type: atomic - type: object - privileged: - description: |- - Run container in privileged mode. - Processes in privileged containers are essentially equivalent to root on the host. - Defaults to false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - procMount: - description: |- - procMount denotes the type of proc mount to use for the containers. - The default value is Default which uses the container runtime defaults for - readonly paths and masked paths. - Note that this field cannot be set when spec.os.name is windows. - type: string - readOnlyRootFilesystem: - description: |- - Whether this container has a read-only root filesystem. - Default is false. - Note that this field cannot be set when spec.os.name is windows. - type: boolean - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxOptions: - description: |- - The SELinux context to be applied to the container. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by this container. If seccomp options are - provided at both the pod & container level, the container options - override the pod options. - Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. 
- Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options from the PodSecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: string - type: object - type: object - pod: - description: podSecurityContext definition to be used in the policy - server Pod - properties: - appArmorProfile: - description: |- - appArmorProfile is the AppArmor options to use by the containers in this pod. 
- Note that this field cannot be set when spec.os.name is windows. - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile loaded on the node that should be used. - The profile must be preconfigured on the node to work. - Must match the loaded name of the profile. - Must be set if and only if type is "Localhost". - type: string - type: - description: |- - type indicates which kind of AppArmor profile will be applied. - Valid options are: - Localhost - a profile pre-loaded on the node. - RuntimeDefault - the container runtime's default profile. - Unconfined - no AppArmor enforcement. - type: string - required: - - type - type: object - fsGroup: - description: |- - A special supplemental group that applies to all containers in a pod. - Some volume types allow the Kubelet to change the ownership of that volume - to be owned by the pod: - - 1. The owning GID will be the FSGroup - 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) - 3. The permission bits are OR'd with rw-rw---- - - If unset, the Kubelet will not modify the ownership and permissions of any volume. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - fsGroupChangePolicy: - description: |- - fsGroupChangePolicy defines behavior of changing ownership and permission of the volume - before being exposed inside Pod. This field will only apply to - volume types which support fsGroup based ownership(and permissions). - It will have no effect on ephemeral volume types such as: secret, configmaps - and emptydir. - Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. - Note that this field cannot be set when spec.os.name is windows. - type: string - runAsGroup: - description: |- - The GID to run the entrypoint of the container process. - Uses runtime default if unset. - May also be set in SecurityContext. 
If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - runAsNonRoot: - description: |- - Indicates that the container must run as a non-root user. - If true, the Kubelet will validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start the container if it does. - If unset or false, no such validation will be performed. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: |- - The UID to run the entrypoint of the container process. - Defaults to user specified in image metadata if unspecified. - May also be set in SecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. - Note that this field cannot be set when spec.os.name is windows. - format: int64 - type: integer - seLinuxChangePolicy: - description: |- - seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. - It has no effect on nodes that do not support SELinux or to volumes does not support SELinux. - Valid values are "MountOption" and "Recursive". - - "Recursive" means relabeling of all files on all Pod volumes by the container runtime. - This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. - - "MountOption" mounts all eligible Pod volumes with `-o context` mount option. - This requires all Pods that share the same volume to use the same SELinux label. - It is not possible to share the same volume among privileged and unprivileged Pods. 
- Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes - whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their - CSIDriver instance. Other volumes are always re-labelled recursively. - "MountOption" value is allowed only when SELinuxMount feature gate is enabled. - - If not specified and SELinuxMount feature gate is enabled, "MountOption" is used. - If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes - and "Recursive" for all other volumes. - - This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. - - All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. - Note that this field cannot be set when spec.os.name is windows. - type: string - seLinuxOptions: - description: |- - The SELinux context to be applied to all containers. - If unspecified, the container runtime will allocate a random SELinux context for each - container. May also be set in SecurityContext. If set in - both SecurityContext and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. - Note that this field cannot be set when spec.os.name is windows. - properties: - level: - description: Level is SELinux level label that applies - to the container. - type: string - role: - description: Role is a SELinux role label that applies - to the container. - type: string - type: - description: Type is a SELinux type label that applies - to the container. - type: string - user: - description: User is a SELinux user label that applies - to the container. - type: string - type: object - seccompProfile: - description: |- - The seccomp options to use by the containers in this pod. - Note that this field cannot be set when spec.os.name is windows. 
- properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - supplementalGroups: - description: |- - A list of groups applied to the first process run in each container, in - addition to the container's primary GID and fsGroup (if specified). If - the SupplementalGroupsPolicy feature is enabled, the - supplementalGroupsPolicy field determines whether these are in addition - to or instead of any group memberships defined in the container image. - If unspecified, no additional groups are added, though group memberships - defined in the container image may still be used, depending on the - supplementalGroupsPolicy field. - Note that this field cannot be set when spec.os.name is windows. - items: - format: int64 - type: integer - type: array - x-kubernetes-list-type: atomic - supplementalGroupsPolicy: - description: |- - Defines how supplemental groups of the first container processes are calculated. - Valid values are "Merge" and "Strict". If not specified, "Merge" is used. - (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled - and the container runtime must implement support for this feature. - Note that this field cannot be set when spec.os.name is windows. - type: string - sysctls: - description: |- - Sysctls hold a list of namespaced sysctls used for the pod. 
Pods with unsupported - sysctls (by the container runtime) might fail to launch. - Note that this field cannot be set when spec.os.name is windows. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - windowsOptions: - description: |- - The Windows specific settings applied to all containers. - If unspecified, the options within a container's SecurityContext will be used. - If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name is linux. - properties: - gmsaCredentialSpec: - description: |- - GMSACredentialSpec is where the GMSA admission webhook - (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the - GMSA credential spec named by the GMSACredentialSpecName field. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the - GMSA credential spec to use. - type: string - hostProcess: - description: |- - HostProcess determines if a container should be run as a 'Host Process' container. - All of a Pod's containers must have the same effective HostProcess value - (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). - In addition, if HostProcess is true then HostNetwork must also be set to true. - type: boolean - runAsUserName: - description: |- - The UserName in Windows to run the entrypoint of the container process. - Defaults to the user specified in image metadata if unspecified. - May also be set in PodSecurityContext. If set in both SecurityContext and - PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: string - type: object - type: object - type: object - serviceAccountName: - description: |- - Name of the service account associated with the policy server. - Namespace service account will be used if not specified. - type: string - sigstoreTrustConfig: - description: |- - Name of SigstoreTrustConfig configmap in the kubewarden namespace (same - namespace as the controller deployment), containing Sigstore trust - configuration (ClientTrustConfig JSON). The configuration must be under a - key named sigstore-trust-config in the ConfigMap. This is used to configure - a custom Sigstore instance instead of the default public Sigstore infrastructure. - WARNING: This feature requires strict access control. Users with write access - to this ConfigMap can influence policy signature verification. - type: string - sourceAuthorities: - additionalProperties: - items: - type: string - type: array - description: |- - Key value map of registry URIs endpoints to a list of their associated - PEM encoded certificate authorities that have to be used to verify the - certificate used by the endpoint. The `sourceAuthorities` content format - corresponds with the contents of the `source_authorities` key in - `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden - documentation in the reference section. - type: object - tolerations: - description: |- - Tolerations describe the policy server pod's tolerations. It can be - used to ensure that the policy server pod is not scheduled onto a - node with a taint. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. 
Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - verificationConfig: - description: |- - Name of VerificationConfig configmap in the kubewarden namespace (same - namespace as the controller deployment), containing Sigstore verification - configuration. The configuration must be under a key named - verification-config in the ConfigMap. - type: string - webhookPort: - description: |- - Port where the policy server listens for incoming webhook requests. - When unset, defaults to 8443. This is the port the Kubernetes API server - reaches when evaluating admission requests. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - image - - replicas - type: object - status: - description: PolicyServerStatus defines the observed state of PolicyServer. - properties: - conditions: - description: |- - Conditions represent the observed conditions of the - PolicyServer resource. 
Known .status.conditions.types are: - "CertSecretReconciled", "CARootSecretReconciled", - "ConfigMapReconciled", "DeploymentReconciled", - "ServiceReconciled", "PodDisruptionBudgetReconciled" and - "PolicyWebhooksCleanedUp" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - required: - - conditions - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: Policy Server replicas - jsonPath: .spec.replicas - name: Replicas - type: string - - description: Policy Server image - jsonPath: .spec.image - name: Image - type: string - deprecated: true - deprecationWarning: This version is deprecated. Please, consider using v1 - name: v1alpha2 - schema: - openAPIV3Schema: - description: PolicyServer is the Schema for the policyservers API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PolicyServerSpec defines the desired state of PolicyServer. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is an unstructured key value map stored with a resource that may be - set by external tools to store and retrieve arbitrary metadata. They are not - queryable and should be preserved when modifying objects. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - env: - description: List of environment variables to set in the container. - items: - description: EnvVar represents an environment variable present in - a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. Cannot - be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath is - written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. 
- type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed - resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - image: - description: Docker image name. - type: string - imagePullSecret: - description: |- - Name of ImagePullSecret secret in the same namespace, used for pulling - policies from repositories. 
- type: string - insecureSources: - description: |- - List of insecure URIs to policy repositories. The `insecureSources` - content format corresponds with the contents of the `insecure_sources` - key in `sources.yaml`. Reference for `sources.yaml` is found in the - Kubewarden documentation in the reference section. - items: - type: string - type: array - replicas: - description: Replicas is the number of desired replicas. - format: int32 - type: integer - serviceAccountName: - description: |- - Name of the service account associated with the policy server. - Namespace service account will be used if not specified. - type: string - sourceAuthorities: - additionalProperties: - items: - type: string - type: array - description: |- - Key value map of registry URIs endpoints to a list of their associated - PEM encoded certificate authorities that have to be used to verify the - certificate used by the endpoint. The `sourceAuthorities` content format - corresponds with the contents of the `source_authorities` key in - `sources.yaml`. Reference for `sources.yaml` is found in the Kubewarden - documentation in the reference section. - type: object - verificationConfig: - description: |- - Name of VerificationConfig configmap in the same namespace, containing - Sigstore verification configuration. The configuration must be under a - key named verification-config in the Configmap. - type: string - required: - - image - - replicas - type: object - status: - description: PolicyServerStatus defines the observed state of PolicyServer. - properties: - conditions: - description: |- - Conditions represent the observed conditions of the - PolicyServer resource. Known .status.conditions.types - are: "PolicyServerSecretReconciled", - "PolicyServerDeploymentReconciled" and - "PolicyServerServiceReconciled" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - required: - - conditions - type: object - type: object - served: true - storage: false - subresources: - status: {}
diff --git a/charts/kubewarden-crds/templates/policyreports.yaml b/charts/kubewarden-crds/templates/policyreports.yaml
deleted file mode 100644
index b59c4d663..000000000
--- a/charts/kubewarden-crds/templates/policyreports.yaml
+++ /dev/null
@@ -1,1010 +0,0 @@ -{{- if or .Values.installPolicyReportCRDs (not (hasKey .Values "installPolicyReportCRDs")) }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.0 - creationTimestamp: null - name: policyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: PolicyReport - listKind: PolicyReportList - plural: policyreports - shortNames: - - polr - singular: policyreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: PolicyReport is the Schema for the policyreports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - data: - additionalProperties: - type: string - description: Data provides additional information for the policy - rule - type: object - message: - description: Message is a short user friendly description of the - policy rule - type: string - policy: - description: Policy is the name of the policy - type: string - resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - resources: - description: Resources is an optional reference to the resource - checked by the policy and rule - items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID - not honored" or "name must be restricted". Those cannot be well - described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. Kind - is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make new - APIs embed an underspecified API type they do not control. 
Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - rule: - description: Rule is the name of the policy rule - type: string - scored: - description: Scored indicates if this policy rule is scored - type: boolean - severity: - description: Severity indicates policy severity - enum: - - high - - low - - medium - type: string - status: - description: Status indicates the result of the policy rule check - enum: - - pass - - fail - - warn - - error - - skip - type: string - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. 
- type: object - type: object - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of unscored policies whose requirements - were not met - type: integer - type: object - type: object - served: true - storage: false - subresources: {} - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: PolicyReport is the Schema for the policyreports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID - not honored" or "name must be restricted". Those cannot be well - described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. Kind - is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make new - APIs embed an underspecified API type they do not control. 
Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. 
For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. 
- type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: false - subresources: {} - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error 
- name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: PolicyReport is the Schema for the policyreports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. 
In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID - not honored" or "name must be restricted". Those cannot be well - described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. Kind - is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make new - APIs embed an underspecified API type they do not control. Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. 
Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. 
- type: object - type: object - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} -{{ end }} diff --git a/charts/kubewarden-crds/tests/crds_test.yaml b/charts/kubewarden-crds/tests/crds_test.yaml deleted file mode 100644 index e8e36a6c7..000000000 --- a/charts/kubewarden-crds/tests/crds_test.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -suite: Kubewarden CRDs -tests: - - it: "admissionpolicies CRD should be a CustomResourceDefinition" - template: templates/crds/policies.kubewarden.io_admissionpolicies.yaml - asserts: - - equal: - path: kind - value: CustomResourceDefinition - - equal: - path: metadata.name - value: admissionpolicies.policies.kubewarden.io - - equal: - path: spec.group - value: policies.kubewarden.io - - - it: "admissionpolicygroups CRD should be a CustomResourceDefinition" - template: templates/crds/policies.kubewarden.io_admissionpolicygroups.yaml - asserts: - - equal: - path: kind - value: CustomResourceDefinition - - equal: - path: metadata.name - value: admissionpolicygroups.policies.kubewarden.io - - equal: - path: spec.group - value: policies.kubewarden.io - - - it: "clusteradmissionpolicies CRD should be a CustomResourceDefinition" - template: templates/crds/policies.kubewarden.io_clusteradmissionpolicies.yaml - asserts: - - equal: - path: kind - value: CustomResourceDefinition - - equal: - path: metadata.name - value: clusteradmissionpolicies.policies.kubewarden.io - - equal: - path: spec.group - value: policies.kubewarden.io - - - it: "clusteradmissionpolicygroups CRD should be a CustomResourceDefinition" - template: templates/crds/policies.kubewarden.io_clusteradmissionpolicygroups.yaml - asserts: - - equal: - path: kind - value: CustomResourceDefinition - - equal: - path: metadata.name - value: clusteradmissionpolicygroups.policies.kubewarden.io - - equal: - path: spec.group - value: policies.kubewarden.io - - - it: "policyservers CRD should be a CustomResourceDefinition" - template: templates/crds/policies.kubewarden.io_policyservers.yaml - asserts: - - equal: - path: kind - value: CustomResourceDefinition - - equal: - path: metadata.name - value: policyservers.policies.kubewarden.io - - equal: - path: spec.group - value: policies.kubewarden.io 
diff --git a/charts/kubewarden-crds/values.schema.json b/charts/kubewarden-crds/values.schema.json deleted file mode 100644 index cb09b14d8..000000000 --- a/charts/kubewarden-crds/values.schema.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "properties": { - "installPolicyReportCRDs": { - "type": "boolean" - }, - "installOpenReportsCRDs": { - "type": "boolean" - } - }, - "required": [ - "installPolicyReportCRDs" - ] -} diff --git a/charts/kubewarden-crds/values.yaml b/charts/kubewarden-crds/values.yaml deleted file mode 100644 index b8985f7ad..000000000 --- a/charts/kubewarden-crds/values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -# This file was autogenerated. - -# deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs -# Set to false if they are already defined inside of the cluster -# -# These reports are marked as DEPRECATED and its support will be removed in a -# future release, in favour of OpenReports. -installPolicyReportCRDs: false - -# deploy reports.openreports.io, clusterreports.openreports.io CRDs -# Set to false if they are already defined inside of the cluster -installOpenReportsCRDs: true From 8162bf8b95d38821c7d09f06939e49696bc99241 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?=
Date: Wed, 20 May 2026 11:57:19 -0300
Subject: [PATCH 04/22] feat: add defaults applier reconciler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Introduce a new DefaultsApplierReconciler that watches a ConfigMap and applies default Kubewarden resources (PolicyServer, recommended policies) to the cluster. This replaces the old approach of having a separate kubewarden-defaults Helm chart manage these resources directly. The reconciler decodes YAML from ConfigMap data keys, creates or patches the corresponding resources with ownership labels, and automatically cleans up stale managed resources when they are removed from the ConfigMap.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz
---
 cmd/controller/main.go | 15 +
 internal/constants/constants.go | 8 +
 internal/controller/defaults_applier.go | 271 +++++++++++++++
 internal/controller/defaults_applier_test.go | 337 +++++++++++++++++++
 4 files changed, 631 insertions(+)
 create mode 100644 internal/controller/defaults_applier.go
 create mode 100644 internal/controller/defaults_applier_test.go
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
index d2ae3ad32..8e0bbe634 100644
--- a/cmd/controller/main.go
+++ b/cmd/controller/main.go
@@ -86,6 +86,7 @@ type ManagerOptions struct {
 type Configuration struct {
 AlwaysAcceptAdmissionReviewsOnDeploymentsNamespace bool
 ClientCAConfigMapName string
+ DefaultsConfigMapName string
 FeatureGateAdmissionWebhookMatchConditions bool
 WebhookServiceName string
 ImagePullSecrets []corev1.LocalObjectReference
@@ -144,6 +145,10 @@ func main() { false, "Always accept admission reviews targeting the deployments-namespace.") flag.StringVar(&config.ClientCAConfigMapName, "client-ca-configmap-name", "", "The name of the ConfigMap containing the client CA certificate. If provided, mTLS will be enabled.") + flag.StringVar(&config.DefaultsConfigMapName, + "defaults-configmap-name", + constants.DefaultDefaultsConfigMapName, + "Name of the ConfigMap that holds the rendered default Kubewarden resources.") flag.StringVar(&imagePullSecretsFlag, "image-pull-secrets", "", @@ -446,6 +451,16 @@ func setupReconcilers(mgr ctrl.Manager, }).SetupWithManager(mgr); err != nil { return errors.Join(errors.New("unable to create ClusterAdmissionPolicyGroup controller"), err) } + + if err := (&controller.DefaultsApplierReconciler{ + Client: mgr.GetClient(), + Scheme: mgr.GetScheme(), + Log: ctrl.Log.WithName("defaults-applier"), + DeploymentsNamespace: deploymentsNamespace, + ConfigMapName: config.DefaultsConfigMapName, + }).SetupWithManager(mgr); err != nil { + return errors.Join(errors.New("unable to create DefaultsApplier controller"), err) + } return nil } diff --git a/internal/constants/constants.go b/internal/constants/constants.go index 586e3857d..1cca92650 100644 --- a/internal/constants/constants.go +++ b/internal/constants/constants.go @@ -46,6 +46,14 @@ const ( PartOfLabelValue = "kubewarden" ManagedByKey = "app.kubernetes.io/managed-by" + // DefaultsManagedByLabelKey is the label key for resources managed by DefaultsApplier. + DefaultsManagedByLabelKey = "kubewarden.io/managed-by" + // DefaultsManagedByLabelValue is the label value for resources managed by DefaultsApplier. + DefaultsManagedByLabelValue = "kubewarden-controller-defaults" + + // DefaultDefaultsConfigMapName is the default name of the ConfigMap containing default resources. + DefaultDefaultsConfigMapName = "kubewarden-defaults" + PolicyServerIndexKey = ".spec.policyServer" KubewardenFinalizerPre114 = "kubewarden" 
diff --git a/internal/controller/defaults_applier.go b/internal/controller/defaults_applier.go
new file mode 100644
index 000000000..20b4460e9
--- /dev/null
+++ b/internal/controller/defaults_applier.go
@@ -0,0 +1,271 @@
+package controller
+
+import (
+ "context"
+ "errors"
+ "fmt"
+
+ "github.com/go-logr/logr"
+ corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/serializer"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
+
+ policiesv1 "github.com/kubewarden/adm-controller/api/policies/v1"
+ "github.com/kubewarden/adm-controller/internal/constants"
+)
+
+// DefaultsApplierReconciler watches a ConfigMap containing default Kubewarden
+// resources (PolicyServer, ClusterAdmissionPolicy, etc.) and applies them to
+// the cluster. It injects ownership labels and cleans up stale managed resources.
+
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch,namespace=kubewarden
+// +kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers;clusteradmissionpolicies;admissionpolicies;clusteradmissionpolicygroups;admissionpolicygroups,verbs=get;list;watch;create;update;patch;delete
+type DefaultsApplierReconciler struct {
+ client.Client
+ Scheme *runtime.Scheme
+ Log logr.Logger
+ DeploymentsNamespace string
+ ConfigMapName string
+}
+
+// Reconcile watches the defaults ConfigMap and applies the resources it contains.
+func (r *DefaultsApplierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+ log := r.Log.WithValues("configmap", req.NamespacedName)
+
+ // Phase 1: Read ConfigMap
+ var cm corev1.ConfigMap
+ if err := r.Get(ctx, req.NamespacedName, &cm); err != nil {
+ if apierrors.IsNotFound(err) {
+ log.Info("ConfigMap not found, cleaning up all managed resources")
+ if cleanupErr := r.cleanupAll(ctx); cleanupErr != nil {
+ return ctrl.Result{}, fmt.Errorf("failed to cleanup all managed resources: %w", cleanupErr)
+ }
+ return ctrl.Result{}, nil
+ }
+ return ctrl.Result{}, fmt.Errorf("failed to get ConfigMap: %w", err)
+ }
+
+ // Phase 2: Apply desired resources
+ decoder := serializer.NewCodecFactory(r.Scheme).UniversalDeserializer()
+ desired := make(map[resourceKey]bool)
+
+ for key, yamlData := range cm.Data {
+ if len(key) < 5 || key[len(key)-5:] != ".yaml" {
+ // Skip non-YAML keys
+ continue
+ }
+
+ obj, gvk, err := decoder.Decode([]byte(yamlData), nil, nil)
+ if err != nil {
+ log.Error(err, "failed to decode resource from ConfigMap", "key", key)
+ // Don't fail the whole reconciliation for one bad entry
+ continue
+ }
+
+ clientObj, ok := obj.(client.Object)
+ if !ok {
+ log.Error(errors.New("decoded object is not a client.Object"), "skipping resource", "key", key, "gvk", gvk)
+ continue
+ }
+
+ // Track this resource as desired
+ rk := resourceKey{
+ gvk: gvk.String(),
+ name: clientObj.GetName(),
+ namespace: clientObj.GetNamespace(),
+ }
+ desired[rk] = true
+
+ // Apply the resource with ownership label injected
+ if applyErr := r.applyResource(ctx, clientObj); applyErr != nil {
+ return ctrl.Result{}, fmt.Errorf("failed to apply resource %s: %w", rk, applyErr)
+ }
+ }
+
+ // Phase 3: Clean up stale managed resources
+ if err := r.cleanupStale(ctx, desired); err != nil {
+ return ctrl.Result{}, fmt.Errorf("failed to cleanup stale resources: %w", err)
+ }
+
+ log.Info("Reconciliation complete", "appliedResources", len(desired))
+ return ctrl.Result{}, nil
+}
+
+// SetupWithManager registers the reconciler with the manager.
+func (r *DefaultsApplierReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ if err := ctrl.NewControllerManagedBy(mgr).
+ For(&corev1.ConfigMap{}).
+ WithEventFilter(predicate.NewPredicateFuncs(func(object client.Object) bool {
+ return object.GetName() == r.ConfigMapName &&
+ object.GetNamespace() == r.DeploymentsNamespace
+ })).
+ Complete(r); err != nil {
+ return fmt.Errorf("failed to create DefaultsApplier controller: %w", err)
+ }
+ return nil
+}
+
+// applyResource creates or updates the resource, always injecting the ownership label.
+func (r *DefaultsApplierReconciler) applyResource(ctx context.Context, desired client.Object) error {
+ log := r.Log.WithValues("resource", client.ObjectKeyFromObject(desired), "kind", desired.GetObjectKind().GroupVersionKind().Kind)
+
+ // CreateOrPatch GETs the existing object into desired, overwriting the
+ // decoded state. Save a copy so the mutate function can restore the spec.
+ desiredCopy, ok := desired.DeepCopyObject().(client.Object)
+ if !ok {
+ return errors.New("failed to cast deep copied object to client.Object")
+ }
+
+ _, err := controllerutil.CreateOrPatch(ctx, r.Client, desired, func() error {
+ // Restore the spec from the decoded YAML
+ copySpec(desiredCopy, desired)
+
+ // Inject the ownership label
+ labels := desired.GetLabels()
+ if labels == nil {
+ labels = make(map[string]string)
+ }
+ labels[constants.DefaultsManagedByLabelKey] = constants.DefaultsManagedByLabelValue
+ desired.SetLabels(labels)
+
+ return nil
+ })
+ if err != nil {
+ return fmt.Errorf("failed to create or patch resource: %w", err)
+ }
+
+ log.V(1).Info("Resource applied successfully")
+ return nil
+}
+
+// copySpec copies the Spec field from src to dst for all supported resource types.
+func copySpec(src, dst client.Object) {
+ switch d := dst.(type) {
+ case *policiesv1.PolicyServer:
+ if s, ok := src.(*policiesv1.PolicyServer); ok {
+ d.Spec = s.Spec
+ }
+ case *policiesv1.ClusterAdmissionPolicy:
+ if s, ok := src.(*policiesv1.ClusterAdmissionPolicy); ok {
+ d.Spec = s.Spec
+ }
+ case *policiesv1.AdmissionPolicy:
+ if s, ok := src.(*policiesv1.AdmissionPolicy); ok {
+ d.Spec = s.Spec
+ }
+ case *policiesv1.ClusterAdmissionPolicyGroup:
+ if s, ok := src.(*policiesv1.ClusterAdmissionPolicyGroup); ok {
+ d.Spec = s.Spec
+ }
+ case *policiesv1.AdmissionPolicyGroup:
+ if s, ok := src.(*policiesv1.AdmissionPolicyGroup); ok {
+ d.Spec = s.Spec
+ }
+ }
+}
+
+// cleanupStale removes managed resources that are not in the desired set.
+func (r *DefaultsApplierReconciler) cleanupStale(ctx context.Context, desired map[resourceKey]bool) error {
+ managedSelector := client.MatchingLabels{
+ constants.DefaultsManagedByLabelKey: constants.DefaultsManagedByLabelValue,
+ }
+
+ // List all managed resource types
+ resourceLists := []client.ObjectList{
+ &policiesv1.PolicyServerList{},
+ &policiesv1.ClusterAdmissionPolicyList{},
+ &policiesv1.AdmissionPolicyList{},
+ &policiesv1.ClusterAdmissionPolicyGroupList{},
+ &policiesv1.AdmissionPolicyGroupList{},
+ }
+
+ for _, list := range resourceLists {
+ if err := r.List(ctx, list, managedSelector); err != nil {
+ return fmt.Errorf("failed to list managed resources: %w", err)
+ }
+
+ items, err := extractItems(list)
+ if err != nil {
+ return err
+ }
+
+ for _, item := range items {
+ rk := resourceKey{
+ gvk: item.GetObjectKind().GroupVersionKind().String(),
+ name: item.GetName(),
+ namespace: item.GetNamespace(),
+ }
+
+ if !desired[rk] {
+ r.Log.Info("Deleting stale managed resource", "resource", rk)
+ if deleteErr := r.Delete(ctx, item); deleteErr != nil && !apierrors.IsNotFound(deleteErr) {
+ return fmt.Errorf("failed to delete stale resource %s: %w", rk, deleteErr)
+ }
+ }
+ }
+ }
+
+ return nil
+}
+
+// cleanupAll removes all managed resources (called when ConfigMap is absent).
+func (r *DefaultsApplierReconciler) cleanupAll(ctx context.Context) error {
+ return r.cleanupStale(ctx, make(map[resourceKey]bool))
+}
+
+// resourceKey uniquely identifies a Kubernetes resource.
+type resourceKey struct {
+ gvk string
+ name string
+ namespace string
+}
+
+func (rk resourceKey) String() string {
+ if rk.namespace == "" {
+ return fmt.Sprintf("%s/%s", rk.gvk, rk.name)
+ }
+ return fmt.Sprintf("%s/%s/%s", rk.gvk, rk.namespace, rk.name)
+}
+
+// extractItems extracts client.Objects from a typed list.
+func extractItems(list client.ObjectList) ([]client.Object, error) {
+ switch v := list.(type) {
+ case *policiesv1.PolicyServerList:
+ items := make([]client.Object, len(v.Items))
+ for i := range v.Items {
+ items[i] = &v.Items[i]
+ }
+ return items, nil
+ case *policiesv1.ClusterAdmissionPolicyList:
+ items := make([]client.Object, len(v.Items))
+ for i := range v.Items {
+ items[i] = &v.Items[i]
+ }
+ return items, nil
+ case *policiesv1.AdmissionPolicyList:
+ items := make([]client.Object, len(v.Items))
+ for i := range v.Items {
+ items[i] = &v.Items[i]
+ }
+ return items, nil
+ case *policiesv1.ClusterAdmissionPolicyGroupList:
+ items := make([]client.Object, len(v.Items))
+ for i := range v.Items {
+ items[i] = &v.Items[i]
+ }
+ return items, nil
+ case *policiesv1.AdmissionPolicyGroupList:
+ items := make([]client.Object, len(v.Items))
+ for i := range v.Items {
+ items[i] = &v.Items[i]
+ }
+ return items, nil
+ default:
+ return nil, fmt.Errorf("unknown list type: %T", list)
+ }
+}
diff --git a/internal/controller/defaults_applier_test.go b/internal/controller/defaults_applier_test.go
new file mode 100644
index 000000000..252a2c289
--- /dev/null
+++ b/internal/controller/defaults_applier_test.go
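Review bot: The kubebuilder RBAC marker above the struct hard-codes `namespace=kubewarden` for the ConfigMap rule, while the code only ever reads the ConfigMap from `r.DeploymentsNamespace` (wired from `deploymentsNamespace` in main.go), so a deployment in any other namespace gets a generated Role in the wrong place; either drop the namespace qualifier or document that the generated manifests assume that namespace. `For(&corev1.ConfigMap{})` in `SetupWithManager` also registers an informer on every ConfigMap the manager cache can see — the predicate filters events, not what is cached or listed — so unless the manager's cache is restricted to the deployments namespace (not visible here) the controller needs cluster-wide `list`/`watch` on ConfigMaps, which the namespaced marker does not grant. In `cleanupStale` the stale check compares `item.GetObjectKind().GroupVersionKind().String()` from listed items with the decoder's `gvk.String()`; this presumably relies on the client populating TypeMeta on list items, and with a client that leaves it empty every managed object would look stale and be deleted right after being applied, so deriving the GVK from the list's element type (which `extractItems` already switches on) would be more robust. Since the reconciler applies whatever it decodes using its own service account, the type comment should state the trust boundary, e.g. `// Write access to the defaults ConfigMap is equivalent to create/patch/delete rights on cluster-scoped Kubewarden policies and PolicyServers; restrict it accordingly.`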
@@ -0,0 +1,337 @@ +package controller + +import ( + "context" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + corev1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + + policiesv1 "github.com/kubewarden/adm-controller/api/policies/v1" + "github.com/kubewarden/adm-controller/internal/constants" +) + +var _ = Describe("DefaultsApplierReconciler", func() { + const ( + timeout = 180 * time.Second + pollInterval = 250 * time.Millisecond + ) + + var ( + ctx context.Context + configMapName string + configMapNsName types.NamespacedName + policyServerName string + policyName string + ) + + BeforeEach(func() { + ctx = context.Background() + configMapName = constants.DefaultDefaultsConfigMapName + configMapNsName = types.NamespacedName{ + Name: configMapName, + Namespace: deploymentsNamespace, + } + policyServerName = "test-default-policyserver" + policyName = "test-default-policy" + }) + + AfterEach(func() { + // Clean up ConfigMap + cm := &corev1.ConfigMap{} + err := k8sClient.Get(ctx, configMapNsName, cm) + if err == nil { + Expect(k8sClient.Delete(ctx, cm)).To(Succeed()) + } + + // Clean up any managed resources (ignore NotFound since the + // reconciler may have already deleted them after the ConfigMap removal). 
+ psList := &policiesv1.PolicyServerList{} + Expect(k8sClient.List(ctx, psList)).To(Succeed()) + for _, ps := range psList.Items { + if ps.Labels[constants.DefaultsManagedByLabelKey] == constants.DefaultsManagedByLabelValue { + err := k8sClient.Delete(ctx, &ps) + if err != nil && !apierrors.IsNotFound(err) { + Expect(err).ToNot(HaveOccurred()) + } + } + } + + capList := &policiesv1.ClusterAdmissionPolicyList{} + Expect(k8sClient.List(ctx, capList)).To(Succeed()) + for _, cap := range capList.Items { + if cap.Labels[constants.DefaultsManagedByLabelKey] == constants.DefaultsManagedByLabelValue { + err := k8sClient.Delete(ctx, &cap) + if err != nil && !apierrors.IsNotFound(err) { + Expect(err).ToNot(HaveOccurred()) + } + } + } + }) + + Context("when ConfigMap does not exist", func() { + It("should do nothing when no managed resources exist", func() { + // No ConfigMap exists, reconciler should not error + // This is tested implicitly by the absence of errors in the controller logs + }) + + It("should delete all managed resources when they exist", func() { + // First create the ConfigMap so the reconciler creates the PolicyServer + policyServerYAML := `apiVersion: policies.kubewarden.io/v1 +kind: PolicyServer +metadata: + name: ` + policyServerName + ` +spec: + image: ghcr.io/kubewarden/policy-server:latest + replicas: 1` + + cm := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: configMapName, + Namespace: deploymentsNamespace, + }, + Data: map[string]string{ + "policyserver-default.yaml": policyServerYAML, + }, + } + Expect(k8sClient.Create(ctx, cm)).To(Succeed()) + + // Wait for the PolicyServer to be created + Eventually(func() error { + return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, &policiesv1.PolicyServer{}) + }, timeout, pollInterval).Should(Succeed()) + + // Delete the ConfigMap to trigger cleanup + Expect(k8sClient.Delete(ctx, cm)).To(Succeed()) + + // Wait for the managed resource to be deleted + Eventually(func() bool { + 
err := k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, &policiesv1.PolicyServer{}) + return apierrors.IsNotFound(err) + }, timeout, pollInterval).Should(BeTrue(), "managed PolicyServer should be deleted") + }) + }) + + Context("when ConfigMap has one PolicyServer", func() { + It("should create the PolicyServer with ownership label", func() { + policyServerYAML := `apiVersion: policies.kubewarden.io/v1 +kind: PolicyServer +metadata: + name: ` + policyServerName + ` +spec: + image: ghcr.io/kubewarden/policy-server:latest + replicas: 1 + serviceAccountName: policy-server` + + cm := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: configMapName, + Namespace: deploymentsNamespace, + }, + Data: map[string]string{ + "policyserver-default.yaml": policyServerYAML, + }, + } + Expect(k8sClient.Create(ctx, cm)).To(Succeed()) + + // Wait for the PolicyServer to be created + ps := &policiesv1.PolicyServer{} + Eventually(func() error { + return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, ps) + }, timeout, pollInterval).Should(Succeed()) + + // Verify ownership label + Expect(ps.Labels).To(HaveKeyWithValue(constants.DefaultsManagedByLabelKey, constants.DefaultsManagedByLabelValue)) + Expect(ps.Spec.Image).To(Equal("ghcr.io/kubewarden/policy-server:latest")) + }) + }) + + Context("when ConfigMap is updated", func() { + It("should update the PolicyServer spec", func() { + initialYAML := `apiVersion: policies.kubewarden.io/v1 +kind: PolicyServer +metadata: + name: ` + policyServerName + ` +spec: + image: ghcr.io/kubewarden/policy-server:v1.0.0 + replicas: 1` + + cm := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: configMapName, + Namespace: deploymentsNamespace, + }, + Data: map[string]string{ + "policyserver-default.yaml": initialYAML, + }, + } + Expect(k8sClient.Create(ctx, cm)).To(Succeed()) + + // Wait for initial creation + ps := &policiesv1.PolicyServer{} + Eventually(func() error { + return k8sClient.Get(ctx, 
types.NamespacedName{Name: policyServerName}, ps) + }, timeout, pollInterval).Should(Succeed()) + Expect(ps.Spec.Image).To(Equal("ghcr.io/kubewarden/policy-server:v1.0.0")) + + // Update the ConfigMap + updatedYAML := `apiVersion: policies.kubewarden.io/v1 +kind: PolicyServer +metadata: + name: ` + policyServerName + ` +spec: + image: ghcr.io/kubewarden/policy-server:v2.0.0 + replicas: 2` + + Expect(k8sClient.Get(ctx, configMapNsName, cm)).To(Succeed()) + cm.Data["policyserver-default.yaml"] = updatedYAML + Expect(k8sClient.Update(ctx, cm)).To(Succeed()) + + // Wait for the PolicyServer to be updated + Eventually(func() string { + err := k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, ps) + if err != nil { + return "" + } + return ps.Spec.Image + }, timeout, pollInterval).Should(Equal("ghcr.io/kubewarden/policy-server:v2.0.0")) + + Expect(ps.Spec.Replicas).To(Equal(int32(2))) + }) + }) + + Context("when a key is removed from ConfigMap", func() { + It("should delete the corresponding managed resource", func() { + policyServerYAML := `apiVersion: policies.kubewarden.io/v1 +kind: PolicyServer +metadata: + name: ` + policyServerName + ` +spec: + image: ghcr.io/kubewarden/policy-server:latest + replicas: 1` + + policyYAML := `apiVersion: policies.kubewarden.io/v1 +kind: ClusterAdmissionPolicy +metadata: + name: ` + policyName + ` +spec: + module: ghcr.io/kubewarden/policies/test:v1.0.0 + rules: + - apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + operations: ["CREATE"] + settings: {}` + + cm := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: configMapName, + Namespace: deploymentsNamespace, + }, + Data: map[string]string{ + "policyserver-default.yaml": policyServerYAML, + "policy.yaml": policyYAML, + }, + } + Expect(k8sClient.Create(ctx, cm)).To(Succeed()) + + // Wait for both resources to be created + ps := &policiesv1.PolicyServer{} + Eventually(func() error { + return k8sClient.Get(ctx, types.NamespacedName{Name: 
policyServerName}, ps) + }, timeout, pollInterval).Should(Succeed()) + + policy := &policiesv1.ClusterAdmissionPolicy{} + Eventually(func() error { + return k8sClient.Get(ctx, types.NamespacedName{Name: policyName}, policy) + }, timeout, pollInterval).Should(Succeed()) + + // Remove the policy from the ConfigMap + Expect(k8sClient.Get(ctx, configMapNsName, cm)).To(Succeed()) + delete(cm.Data, "policy.yaml") + Expect(k8sClient.Update(ctx, cm)).To(Succeed()) + + // Wait for the policy to be deleted + Eventually(func() bool { + err := k8sClient.Get(ctx, types.NamespacedName{Name: policyName}, policy) + return apierrors.IsNotFound(err) + }, timeout, pollInterval).Should(BeTrue(), "managed policy should be deleted") + + // PolicyServer should still exist + Expect(k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, ps)).To(Succeed()) + }) + }) + + Context("resource safety", func() { + It("should never delete resources without the ownership label", func() { + // Create an unmanaged PolicyServer (no ownership label) + unmanagedPS := &policiesv1.PolicyServer{ + ObjectMeta: metav1.ObjectMeta{ + Name: "unmanaged-policyserver", + }, + Spec: policiesv1.PolicyServerSpec{ + Image: "ghcr.io/kubewarden/policy-server:latest", + Replicas: 1, + }, + } + Expect(k8sClient.Create(ctx, unmanagedPS)).To(Succeed()) + + // Create an empty ConfigMap (should trigger cleanup of all managed resources) + cm := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: configMapName, + Namespace: deploymentsNamespace, + }, + Data: map[string]string{}, + } + Expect(k8sClient.Create(ctx, cm)).To(Succeed()) + + // Wait a bit to allow reconciliation + time.Sleep(2 * time.Second) + + // Unmanaged resource should still exist + Expect(k8sClient.Get(ctx, types.NamespacedName{Name: "unmanaged-policyserver"}, &policiesv1.PolicyServer{})).To(Succeed()) + + // Clean up + Expect(k8sClient.Delete(ctx, unmanagedPS)).To(Succeed()) + }) + }) + + Context("when ConfigMap has malformed YAML", func() { + 
It("should skip the malformed entry and continue with others", func() { + policyServerYAML := `apiVersion: policies.kubewarden.io/v1 +kind: PolicyServer +metadata: + name: ` + policyServerName + ` +spec: + image: ghcr.io/kubewarden/policy-server:latest + replicas: 1` + + malformedYAML := `this is not: valid: yaml: at: all` + + cm := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: configMapName, + Namespace: deploymentsNamespace, + }, + Data: map[string]string{ + "policyserver-default.yaml": policyServerYAML, + "malformed.yaml": malformedYAML, + }, + } + Expect(k8sClient.Create(ctx, cm)).To(Succeed()) + + // Wait for the valid PolicyServer to be created (malformed entry should be skipped) + ps := &policiesv1.PolicyServer{} + Eventually(func() error { + return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, ps) + }, timeout, pollInterval).Should(Succeed()) + + Expect(ps.Labels).To(HaveKeyWithValue(constants.DefaultsManagedByLabelKey, constants.DefaultsManagedByLabelValue)) + }) + }) +}) From 40c14ce2c619551fd3f723bd9e04793502810b77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Wed, 20 May 2026 13:39:38 -0300 Subject: [PATCH 05/22] feat(chart): integrate defaults templates into unified chart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add the defaults templates and related helper functions to the kubewarden-controller chart. The defaults are now delivered through a ConfigMap that gets reconciled by the DefaultsApplierReconciler added in the previous commit. The templates include the PolicyServer definition, recommended security policies (privilege escalation, capabilities, host namespaces, host paths, pod privileges, user/group), and the PolicyServer RBAC resources. Assisted-by: Claude Code 
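Review bot: The `It("should do nothing when no managed resources exist")` spec has an empty body and therefore passes vacuously; either assert something observable (for example that no PolicyServer or ClusterAdmissionPolicy carrying `constants.DefaultsManagedByLabelKey` exists after a reconcile window) or drop it so the suite does not report coverage it does not have. The "resource safety" spec relies on `time.Sleep(2 * time.Second)` as its only evidence that reconciliation ran; waiting for a positive signal first (a managed resource from the same ConfigMap appearing via `Eventually`) and then using `Consistently` for the negative check on `unmanaged-policyserver` would make it both faster and meaningful. The `AfterEach` sweep only lists PolicyServers and ClusterAdmissionPolicies, so a future spec that creates managed AdmissionPolicy or group resources would leak them between specs; a comment saying the sweep is deliberately limited to the kinds used here, or extending it to the other kinds `cleanupStale` handles, would avoid that surprise.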
Signed-off-by: José Guilherme Vanz --- .../templates/_helpers.tpl | 58 ++++++++++++ .../defaults/defaults-configmap.yaml | 41 +++++++++ .../policies/_allow-privilege-escalation.tpl | 21 +++++ .../defaults/policies/_capabilities.tpl | 21 +++++ .../defaults/policies/_host-namespace.tpl | 21 +++++ .../defaults/policies/_host-paths.tpl | 21 +++++ .../defaults/policies/_pod-privileged.tpl | 33 +++++++ .../policies/_policyserver-default.tpl | 91 +++++++++++++++++++ .../defaults/policies/_user-group.tpl | 21 +++++ .../defaults/policy-server-rbac.yaml | 52 +++++++++++ 10 files changed, 380 insertions(+) create mode 100644 charts/kubewarden-controller/templates/defaults/defaults-configmap.yaml create mode 100644 charts/kubewarden-controller/templates/defaults/policies/_allow-privilege-escalation.tpl create mode 100644 charts/kubewarden-controller/templates/defaults/policies/_capabilities.tpl create mode 100644 charts/kubewarden-controller/templates/defaults/policies/_host-namespace.tpl create mode 100644 charts/kubewarden-controller/templates/defaults/policies/_host-paths.tpl create mode 100644 charts/kubewarden-controller/templates/defaults/policies/_pod-privileged.tpl create mode 100644 charts/kubewarden-controller/templates/defaults/policies/_policyserver-default.tpl create mode 100644 charts/kubewarden-controller/templates/defaults/policies/_user-group.tpl create mode 100644 charts/kubewarden-controller/templates/defaults/policy-server-rbac.yaml diff --git a/charts/kubewarden-controller/templates/_helpers.tpl b/charts/kubewarden-controller/templates/_helpers.tpl index 0d7217cd6..e37a66b35 100644 --- a/charts/kubewarden-controller/templates/_helpers.tpl +++ b/charts/kubewarden-controller/templates/_helpers.tpl 
@@ -223,6 +223,64 @@ Validate that hostNetwork and telemetry sidecar mode are not both enabled. They are incompatible because multiple OTel sidecars on the same node would cause port conflicts in host-network mode. */}} +{{/* +Labels for defaults resources (PolicyServer RBAC, etc.) +Differs from kubewarden-controller.labels: no component label, AppVersion fallback to Chart.Version. +*/}} +{{- define "kubewarden-defaults.labels" -}} +helm.sh/chart: {{ include "kubewarden-controller.chart" . }} +{{ include "kubewarden-controller.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- else }} +app.kubernetes.io/version: {{ .Chart.Version | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: kubewarden +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels }} +{{- end }} +{{- end }} + +{{/* +Annotations for defaults resources. +*/}} +{{- define "kubewarden-defaults.annotations" -}} +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations }} +{{- end }} +{{- end }} + +{{- define "policy_default_registry" -}} +{{- if .Values.recommendedPolicies.defaultPoliciesRegistry -}} +{{- printf "%s/" .Values.recommendedPolicies.defaultPoliciesRegistry -}} +{{- else -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- end -}} +{{- end -}} + +{{- define "policy_failure_policy" -}} +{{- if eq .Values.recommendedPolicies.defaultPolicyMode "protect" -}} +Fail +{{- else -}} +Ignore +{{- end -}} +{{- end -}} + +{{- define "policy-namespace-selector" -}} +namespaceSelector: + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: NotIn + values: +{{- with .Values.global.skipNamespaces }} + {{- toYaml . | nindent 4 }} +{{- end }} +{{- with .Values.recommendedPolicies.skipAdditionalNamespaces }} + {{- toYaml . 
| nindent 4 }} +{{- end }} +{{- end -}} + {{- define "kubewarden-controller.validateHostNetworkSidecar" -}} {{- if and .Values.hostNetwork (eq .Values.telemetry.mode "sidecar") (or .Values.telemetry.metrics .Values.telemetry.tracing) -}} {{- fail "hostNetwork and telemetry.mode=sidecar are incompatible: OpenTelemetry sidecar injection causes port conflicts in host-network mode. Use telemetry.mode=custom with a remote collector instead." -}} diff --git a/charts/kubewarden-controller/templates/defaults/defaults-configmap.yaml b/charts/kubewarden-controller/templates/defaults/defaults-configmap.yaml new file mode 100644 index 000000000..f959a85bb --- /dev/null +++ b/charts/kubewarden-controller/templates/defaults/defaults-configmap.yaml 
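Review bot: `policy-namespace-selector` emits `operator: NotIn` followed by an empty `values:` whenever both `global.skipNamespaces` and `recommendedPolicies.skipAdditionalNamespaces` are unset, and a LabelSelectorRequirement using In/NotIn must carry at least one value, so as far as I can tell every recommended policy rendered from it would be rejected once the selector reaches a webhook configuration rather than silently applying everywhere. A render-time guard, `{{- if not (or .Values.global.skipNamespaces .Values.recommendedPolicies.skipAdditionalNamespaces) }}{{- fail "policy-namespace-selector: at least one namespace must be listed in global.skipNamespaces or recommendedPolicies.skipAdditionalNamespaces" }}{{- end }}`, turns that into an install-time error. The README deleted later in this series carried the warning that `--set` replaces the default skip list rather than extending it; with it gone, a header comment on this define, `{{/* Namespace selector shared by all recommended policies. Overriding global.skipNamespaces replaces the default list (kube-system etc.), it does not extend it. */}}`, is the natural place to keep that. The three helpers `policy_default_registry`, `policy_failure_policy` and `policy-namespace-selector` have no header comment at all, unlike the two label helpers above them. The hunk's trailing context lines belong to validateHostNetworkSidecar, whose body ends outside the hunk.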
@@ -0,0 +1,41 @@
+{{- $hasAny := or .Values.policyServer.enabled .Values.recommendedPolicies.enabled -}}
+{{- if $hasAny }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.defaultConfigMapName | default "kubewarden-defaults" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kubewarden-controller.labels" . | nindent 4 }}
+ annotations:
+ {{- include "kubewarden-controller.annotations" . | nindent 4 }}
+data:
+ {{- if .Values.policyServer.enabled }}
+ policyserver-default.yaml: |
+ {{- include "kubewarden.defaults.policyserverDefault" . | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.allowPrivilegeEscalationPolicy }}
+ allow-privilege-escalation.yaml: |
+ {{- include "kubewarden.defaults.allowPrivilegeEscalation" . | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.capabilitiesPolicy }}
+ capabilities.yaml: |
+ {{- include "kubewarden.defaults.capabilities" . | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.hostNamespacePolicy }}
+ host-namespace.yaml: |
+ {{- include "kubewarden.defaults.hostNamespace" . | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.hostPathsPolicy }}
+ host-paths.yaml: |
+ {{- include "kubewarden.defaults.hostPaths" . | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.podPrivilegedPolicy }}
+ pod-privileged.yaml: |
+ {{- include "kubewarden.defaults.podPrivileged" . | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.userGroupPolicy }}
+ user-group.yaml: |
+ {{- include "kubewarden.defaults.userGroup" . | nindent 4 }}
+ {{- end }}
+{{- end }}
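Review bot: This template never states what the ConfigMap means in security terms: per the commit message the controller's DefaultsApplierReconciler turns each `data:` entry into a PolicyServer or ClusterAdmissionPolicy, both cluster-scoped, so write access to this single namespaced object in `{{ .Release.Namespace }}` is effectively the ability to create or replace cluster-wide admission policy. I would open the file with `{{/* Rendered defaults consumed by the controller's DefaultsApplierReconciler: every data entry is applied as a cluster-scoped PolicyServer or ClusterAdmissionPolicy, so treat write access to this ConfigMap as equivalent to administering Kubewarden policy cluster-wide. */}}` and mirror that in the chart README so operators scope ConfigMap RBAC in the release namespace accordingly. The metadata also uses `kubewarden-controller.labels`/`annotations` while the other defaults resources in this series use the new `kubewarden-defaults.labels`; if that is deliberate, a one-line comment saying why would save the next reader a diff. `.Values.defaultConfigMapName` is the only place the name is chosen and the reconciler presumably watches a configured name, so a values override has to be kept in sync with the controller's configuration, which is worth saying next to the `default`.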
diff --git a/charts/kubewarden-controller/templates/defaults/policies/_allow-privilege-escalation.tpl b/charts/kubewarden-controller/templates/defaults/policies/_allow-privilege-escalation.tpl
new file mode 100644
index 000000000..4e2f34232
--- /dev/null
+++ b/charts/kubewarden-controller/templates/defaults/policies/_allow-privilege-escalation.tpl
@@ -0,0 +1,21 @@
+{{- define "kubewarden.defaults.allowPrivilegeEscalation" -}}
+apiVersion: policies.kubewarden.io/v1
+kind: ClusterAdmissionPolicy
+metadata:
+ name: {{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.name }}
+ annotations:
+ io.kubewarden.policy.severity: medium
+ io.kubewarden.policy.category: PSP
+spec:
+ mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }}
+ failurePolicy: {{ include "policy_failure_policy" . | trim }}
+ module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.repository }}:{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag }}
+ mutating: true
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations: ["CREATE", "UPDATE"]
+ {{- include "policy-namespace-selector" . | nindent 2 }}
+ settings: {{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.settings | toYaml | nindent 4 }}
+{{- end -}}
diff --git a/charts/kubewarden-controller/templates/defaults/policies/_capabilities.tpl b/charts/kubewarden-controller/templates/defaults/policies/_capabilities.tpl
new file mode 100644
index 000000000..500afbdf2
--- /dev/null
+++ b/charts/kubewarden-controller/templates/defaults/policies/_capabilities.tpl
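Review bot: The six policy partials introduced in this and the following hunks (`_capabilities.tpl`, `_host-namespace.tpl`, `_host-paths.tpl`, `_pod-privileged.tpl`, `_user-group.tpl`) are copies of this one that differ only in the values key, `mutating` and `rules`, so any future fix to `mode`, `failurePolicy` or the `module` line has to be repeated six times; a shared partial that receives the policy values map plus `mutating` and `rules` through `dict` would leave a single point of change. Separately, `module:` is composed as `registry/repository:tag`, a mutable reference: whoever controls that tag at the registry controls code that runs inside the admission path, and nothing in these templates pins it. Until a digest form exists, a comment above `module:` such as `{{/* tag references are mutable; enable policyServer.verificationConfig so the server verifies module signatures before loading them */}}` makes the trust assumption explicit. A why-comment on `failurePolicy` is also due: it resolves to `Ignore` unless `defaultPolicyMode` is `protect`, i.e. the policy fails open in monitor mode, which is intended but not visible from any single file.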
@@ -0,0 +1,21 @@
+{{- define "kubewarden.defaults.capabilities" -}}
+apiVersion: policies.kubewarden.io/v1
+kind: ClusterAdmissionPolicy
+metadata:
+ name: {{ .Values.recommendedPolicies.capabilitiesPolicy.name }}
+ annotations:
+ io.kubewarden.policy.severity: medium
+ io.kubewarden.policy.category: PSP
+spec:
+ mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }}
+ failurePolicy: {{ include "policy_failure_policy" . | trim }}
+ module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.capabilitiesPolicy.module.repository }}:{{ .Values.recommendedPolicies.capabilitiesPolicy.module.tag }}
+ mutating: true
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations: ["CREATE", "UPDATE"]
+ {{- include "policy-namespace-selector" . | nindent 2 }}
+ settings: {{ .Values.recommendedPolicies.capabilitiesPolicy.settings | toYaml | nindent 4 }}
+{{- end -}}
diff --git a/charts/kubewarden-controller/templates/defaults/policies/_host-namespace.tpl b/charts/kubewarden-controller/templates/defaults/policies/_host-namespace.tpl
new file mode 100644
index 000000000..9763cdf1b
--- /dev/null
+++ b/charts/kubewarden-controller/templates/defaults/policies/_host-namespace.tpl
@@ -0,0 +1,21 @@
+{{- define "kubewarden.defaults.hostNamespace" -}}
+apiVersion: policies.kubewarden.io/v1
+kind: ClusterAdmissionPolicy
+metadata:
+ name: {{ .Values.recommendedPolicies.hostNamespacePolicy.name }}
+ annotations:
+ io.kubewarden.policy.severity: medium
+ io.kubewarden.policy.category: PSP
+spec:
+ mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }}
+ failurePolicy: {{ include "policy_failure_policy" . | trim }}
+ module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.hostNamespacePolicy.module.repository }}:{{ .Values.recommendedPolicies.hostNamespacePolicy.module.tag }}
+ mutating: false
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations: ["CREATE", "UPDATE"]
+ {{- include "policy-namespace-selector" . | nindent 2 }}
+ settings: {{ .Values.recommendedPolicies.hostNamespacePolicy.settings | toYaml | nindent 4 }}
+{{- end -}}
diff --git a/charts/kubewarden-controller/templates/defaults/policies/_host-paths.tpl b/charts/kubewarden-controller/templates/defaults/policies/_host-paths.tpl
new file mode 100644
index 000000000..d87a737d8
--- /dev/null
+++ b/charts/kubewarden-controller/templates/defaults/policies/_host-paths.tpl
@@ -0,0 +1,21 @@
+{{- define "kubewarden.defaults.hostPaths" -}}
+apiVersion: policies.kubewarden.io/v1
+kind: ClusterAdmissionPolicy
+metadata:
+ name: {{ .Values.recommendedPolicies.hostPathsPolicy.name }}
+ annotations:
+ io.kubewarden.policy.severity: medium
+ io.kubewarden.policy.category: PSP
+spec:
+ mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }}
+ failurePolicy: {{ include "policy_failure_policy" . | trim }}
+ module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.hostPathsPolicy.module.repository }}:{{ .Values.recommendedPolicies.hostPathsPolicy.module.tag }}
+ mutating: false
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations: ["CREATE", "UPDATE"]
+ {{- include "policy-namespace-selector" . | nindent 2 }}
+ settings: {{ .Values.recommendedPolicies.hostPathsPolicy.settings | toYaml | nindent 4 }}
+{{- end -}}
diff --git a/charts/kubewarden-controller/templates/defaults/policies/_pod-privileged.tpl b/charts/kubewarden-controller/templates/defaults/policies/_pod-privileged.tpl
new file mode 100644
index 000000000..b63fc5240
--- /dev/null
+++ b/charts/kubewarden-controller/templates/defaults/policies/_pod-privileged.tpl
@@ -0,0 +1,33 @@
+{{- define "kubewarden.defaults.podPrivileged" -}}
+apiVersion: policies.kubewarden.io/v1
+kind: ClusterAdmissionPolicy
+metadata:
+ name: {{ .Values.recommendedPolicies.podPrivilegedPolicy.name }}
+ annotations:
+ io.kubewarden.policy.severity: medium
+ io.kubewarden.policy.category: PSP
+spec:
+ mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }}
+ failurePolicy: {{ include "policy_failure_policy" . | trim }}
+ module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.repository }}:{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.tag }}
+ mutating: false
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations: ["CREATE"]
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["replicationcontrollers"]
+ operations: ["CREATE", "UPDATE"]
+ - apiGroups: ["apps"]
+ apiVersions: ["v1"]
+ resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
+ operations: ["CREATE", "UPDATE"]
+ - apiGroups: ["batch"]
+ apiVersions: ["v1"]
+ resources: ["jobs", "cronjobs"]
+ operations: ["CREATE", "UPDATE"]
+ {{- include "policy-namespace-selector" . | nindent 2 }}
+ settings: {{ .Values.recommendedPolicies.podPrivilegedPolicy.settings | toYaml | nindent 4 }}
+{{- end -}}
diff --git a/charts/kubewarden-controller/templates/defaults/policies/_policyserver-default.tpl b/charts/kubewarden-controller/templates/defaults/policies/_policyserver-default.tpl
new file mode 100644
index 000000000..2316e47d2
--- /dev/null
+++ b/charts/kubewarden-controller/templates/defaults/policies/_policyserver-default.tpl
@@ -0,0 +1,91 @@
+{{- define "kubewarden.defaults.policyserverDefault" -}}
+apiVersion: policies.kubewarden.io/v1
+kind: PolicyServer
+metadata:
+ name: default
+ finalizers:
+ - kubewarden.io/finalizer
+spec:
+ image: {{ template "system_default_registry" . }}{{ .Values.policyServer.image.repository }}:{{ .Values.policyServer.image.tag }}
+ serviceAccountName: {{ .Values.policyServer.serviceAccountName }}
+ replicas: {{ .Values.policyServer.replicaCount | default 1 }}
+ {{- if .Values.policyServer.minAvailable }}
+ minAvailable: {{ .Values.policyServer.minAvailable }}
+ {{- end }}
+ {{- if .Values.policyServer.maxUnavailable }}
+ maxUnavailable: {{ .Values.policyServer.maxUnavailable }}
+ {{- end }}
+ {{- $affinity := include "kubewarden-controller.effectiveAffinity" . -}}
+ {{- if $affinity }}
+ affinity: {{ $affinity | nindent 4 }}
+ {{- end }}
+ {{- if .Values.global.tolerations }}
+ tolerations: {{ .Values.global.tolerations | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if .Values.global.priorityClassName }}
+ priorityClassName: {{ .Values.global.priorityClassName | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if .Values.policyServer.limits }}
+ limits: {{ .Values.policyServer.limits | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if .Values.policyServer.requests }}
+ requests: {{ .Values.policyServer.requests | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if .Values.policyServer.verificationConfig }}
+ verificationConfig: {{ .Values.policyServer.verificationConfig }}
+ {{- end }}
+ {{- if .Values.policyServer.sigstoreTrustConfig }}
+ sigstoreTrustConfig: {{ .Values.policyServer.sigstoreTrustConfig }}
+ {{- end }}
+ {{- if .Values.policyServer.annotations }}
+ annotations:
+ {{- range $key, $value := .Values.policyServer.annotations }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.policyServer.env }}
+ env:
+ {{- range .Values.policyServer.env }}
+ - name: {{ .name | quote }}
+ value: {{ .value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.policyServer.imagePullSecret }}
+ imagePullSecret: {{ .Values.policyServer.imagePullSecret | quote }}
+ {{- end }}
+ {{- if .Values.policyServer.insecureSources }}
+ insecureSources:
+ {{- range $source := .Values.policyServer.insecureSources }}
+ - {{ $source | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.policyServer.sourceAuthorities }}
+ sourceAuthorities:
+ {{- range .Values.policyServer.sourceAuthorities }}
+ {{- if .certs }}
+ {{ .uri }}:
+ {{- range .certs }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.policyServer.namespacedPoliciesCapabilities }}
+ namespacedPoliciesCapabilities:
+ {{- range .Values.policyServer.namespacedPoliciesCapabilities }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.policyServer.securityContexts }}
+ securityContexts: {{ toYaml .Values.policyServer.securityContexts | nindent 4 }}
+ {{- end }}
+ {{- if .Values.policyServer.webhookPort }}
+ webhookPort: {{ .Values.policyServer.webhookPort }}
+ {{- end }}
+ {{- if .Values.policyServer.readinessProbePort }}
+ readinessProbePort: {{ .Values.policyServer.readinessProbePort }}
+ {{- end }}
+ {{- if .Values.policyServer.metricsPort }}
+ metricsPort: {{ .Values.policyServer.metricsPort }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/kubewarden-controller/templates/defaults/policies/_user-group.tpl b/charts/kubewarden-controller/templates/defaults/policies/_user-group.tpl
new file mode 100644
index 000000000..af3bb2e5c
--- /dev/null
+++ b/charts/kubewarden-controller/templates/defaults/policies/_user-group.tpl
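Review bot: The fields that weaken the policy server's supply-chain posture carry no comment: `insecureSources` lists registries the server will reach over plain HTTP or without verifying TLS, `sourceAuthorities` adds custom CAs, and `verificationConfig`/`sigstoreTrustConfig` are the only knobs that make fetched policy modules verified at all, yet all of them are rendered verbatim from values. I would put `{{/* insecureSources disables transport security towards the listed registries; meant for local development, not production */}}` above that block and a parallel note on `verificationConfig` saying that, as I understand the policy-server behaviour, modules are loaded unverified when it is absent. Style: `priorityClassName: {{ .Values.global.priorityClassName | toYaml | nindent 4 }}` renders a scalar on its own indented line, unlike the sibling scalars `minAvailable` and `webhookPort`; `priorityClassName: {{ .Values.global.priorityClassName | quote }}` parses to the same value and reads as what it is. The hard-coded `finalizers:` entry is applied by the reconciler as part of the manifest; if the controller also manages that finalizer itself, say in a comment whether the chart copy is intentional, since a mismatch would only surface at deletion time.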
@@ -0,0 +1,21 @@
+{{- define "kubewarden.defaults.userGroup" -}}
+apiVersion: policies.kubewarden.io/v1
+kind: ClusterAdmissionPolicy
+metadata:
+ name: {{ .Values.recommendedPolicies.userGroupPolicy.name }}
+ annotations:
+ io.kubewarden.policy.severity: medium
+ io.kubewarden.policy.category: PSP
+spec:
+ mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }}
+ failurePolicy: {{ include "policy_failure_policy" . | trim }}
+ module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.userGroupPolicy.module.repository }}:{{ .Values.recommendedPolicies.userGroupPolicy.module.tag }}
+ mutating: true
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations: ["CREATE"]
+ {{- include "policy-namespace-selector" . | nindent 2 }}
+ settings: {{ .Values.recommendedPolicies.userGroupPolicy.settings | toYaml | nindent 4 }}
+{{- end -}}
diff --git a/charts/kubewarden-controller/templates/defaults/policy-server-rbac.yaml b/charts/kubewarden-controller/templates/defaults/policy-server-rbac.yaml
new file mode 100644
index 000000000..e2b427254
--- /dev/null
+++ b/charts/kubewarden-controller/templates/defaults/policy-server-rbac.yaml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ {{- include "kubewarden-defaults.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy-server
+ annotations:
+ {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
+ name: {{ .Values.policyServer.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "kubewarden-defaults.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy-server
+ annotations:
+ {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
+ name: kubewarden-context-watcher
+rules:
+{{- range .Values.policyServer.permissions }}
+- apiGroups:
+ - {{ .apiGroup | quote }}
+ resources: {{ .resources | toJson }}
+ verbs:
+ {{- if .verbs }}
+ {{- toYaml .verbs | nindent 2 }}
+ {{- else }}
+ - get
+ - list
+ - watch
+ {{- end }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ {{- include "kubewarden-defaults.labels" . | nindent 4 }}
+ app.kubernetes.io/component: policy-server
+ annotations:
+ {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
+ name: kubewarden-context-watcher
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.policyServer.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: kubewarden-context-watcher
+ apiGroup: rbac.authorization.k8s.io
From 6a7e67ae0c085f4b00e179db82ce7628352c8a88 Mon Sep 17 00:00:00 2001
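Review bot: The ServiceAccount, the `kubewarden-context-watcher` ClusterRole and its ClusterRoleBinding are rendered unconditionally, whereas the ConfigMap that actually creates the PolicyServer is gated on `policyServer.enabled`, so disabling the default PolicyServer still leaves a cluster-wide read grant bound to a ServiceAccount nothing uses. Wrapping the file in `{{- if .Values.policyServer.enabled }}` / `{{- end }}` keeps the grant tied to its consumer. The get/list/watch fallback for `verbs` is the right default, but `.Values.policyServer.permissions` accepts arbitrary verbs and resources with no `fail` guard, and judging by the name this ClusterRole is what the policies hosted on the default server use for context-aware lookups, so a comment above `rules:` saying that every entry here becomes readable by every policy on that server would help reviewers of values changes. The ClusterRole name is fixed rather than release-derived, so two releases of this chart in one cluster would contend for the same object; if one release per cluster is the supported model, a comment saying so avoids a surprise later.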
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Wed, 20 May 2026 13:40:42 -0300 Subject: [PATCH 06/22] refactor(chart): remove kubewarden-defaults chart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove the standalone kubewarden-defaults Helm chart. Its templates have been integrated into the unified kubewarden-controller chart through a ConfigMap-based approach, and its values have been merged into the controller chart configuration. Assisted-by: Claude Code 
Signed-off-by: José Guilherme Vanz --- charts/kubewarden-defaults/.helmignore | 26 -- charts/kubewarden-defaults/Chart.yaml | 41 -- charts/kubewarden-defaults/README.md | 86 ---- charts/kubewarden-defaults/app-readme.md | 9 - charts/kubewarden-defaults/questions.yaml | 381 ------------------ .../kubewarden-defaults/templates/NOTES.txt | 27 -- .../templates/_helpers.tpl | 98 ----- .../allow-privileged-escalation-policy.yaml | 26 -- .../templates/capabilities-policy.yaml | 28 -- .../templates/host-namespace-policy.yaml | 28 -- .../templates/host-path-policy.yaml | 28 -- .../templates/pod-privileged-policy.yaml | 39 -- .../templates/policy-server-rbac.yaml | 52 --- .../templates/policyserver-default.yaml | 96 ----- .../templates/user-group-policy.yaml | 26 -- .../tests/failure_policy_test.yaml | 25 -- .../tests/host_network_test.yaml | 66 --- .../namespacedPoliciesCapabilities_test.yaml | 133 ------ .../tests/priorityClassName_test.yaml | 12 - charts/kubewarden-defaults/values.schema.json | 93 ----- charts/kubewarden-defaults/values.yaml | 292 -------------- 21 files changed, 1612 deletions(-) delete mode 100644 charts/kubewarden-defaults/.helmignore delete mode 100644 charts/kubewarden-defaults/Chart.yaml delete mode 100644 charts/kubewarden-defaults/README.md delete mode 100644 charts/kubewarden-defaults/app-readme.md delete mode 100644 charts/kubewarden-defaults/questions.yaml delete mode 100644 charts/kubewarden-defaults/templates/NOTES.txt delete mode 100644 charts/kubewarden-defaults/templates/_helpers.tpl delete mode 100644 charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml delete mode 100644 charts/kubewarden-defaults/templates/capabilities-policy.yaml delete mode 100644 charts/kubewarden-defaults/templates/host-namespace-policy.yaml delete mode 100644 charts/kubewarden-defaults/templates/host-path-policy.yaml delete mode 100644 charts/kubewarden-defaults/templates/pod-privileged-policy.yaml delete mode 100644 
charts/kubewarden-defaults/templates/policy-server-rbac.yaml delete mode 100644 charts/kubewarden-defaults/templates/policyserver-default.yaml delete mode 100644 charts/kubewarden-defaults/templates/user-group-policy.yaml delete mode 100644 charts/kubewarden-defaults/tests/failure_policy_test.yaml delete mode 100644 charts/kubewarden-defaults/tests/host_network_test.yaml delete mode 100644 charts/kubewarden-defaults/tests/namespacedPoliciesCapabilities_test.yaml delete mode 100644 charts/kubewarden-defaults/tests/priorityClassName_test.yaml delete mode 100644 charts/kubewarden-defaults/values.schema.json delete mode 100644 charts/kubewarden-defaults/values.yaml diff --git a/charts/kubewarden-defaults/.helmignore b/charts/kubewarden-defaults/.helmignore deleted file mode 100644 index b875eace6..000000000 --- a/charts/kubewarden-defaults/.helmignore +++ /dev/null @@ -1,26 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ - -# dev files -chart-values.yaml diff --git a/charts/kubewarden-defaults/Chart.yaml b/charts/kubewarden-defaults/Chart.yaml deleted file mode 100644 index fe7681c22..000000000 --- a/charts/kubewarden-defaults/Chart.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: v2 -name: kubewarden-defaults -description: A Helm chart for deploying Kubewarden's default PolicyServer instance -icon: https://www.kubewarden.io/images/icon-kubewarden.svg -type: application -kubeVersion: ">= 1.19.0-0" -home: https://www.kubewarden.io/ -maintainers: - - name: Kubewarden Maintainers - email: cncf-kubewarden-maintainers@lists.cncf.io - url: https://github.com/orgs/kubewarden/teams/maintainers -keywords: - - Kubewarden - - Security - - Infrastructure - - Monitoring - - policy agent - - policies - - validating webhook - - admissions controller - - policy report -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 3.14.0-beta.1 -# This is the version of Kubewarden stack -appVersion: v1.36.0-beta.1 -annotations: - # required ones: - catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart - catalog.cattle.io/namespace: cattle-kubewarden-system # Must prefix with cattle- and suffix with -system - catalog.cattle.io/release-name: rancher-kubewarden-defaults # If this is an upstream app, prefixing with rancher is the preferred naming choice. - catalog.cattle.io/ui-component: kubewarden # This is added for custom UI deployment of a chart - catalog.cattle.io/display-name: Kubewarden-defaults # Only for Charts with custom UI - catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation - # optional ones: - catalog.cattle.io/hidden: "true" # Hide specific charts. Only use on CRD charts. 
- catalog.cattle.io/auto-install: kubewarden-crds=1.28.0-beta.1 - # Valid values for the following annotation include: `cluster-tool`, `app` or `cluster-template` - # See the Cluster Tools section to learn more about when to set this value to `cluster-tool`. - catalog.cattle.io/type: cluster-tool diff --git a/charts/kubewarden-defaults/README.md b/charts/kubewarden-defaults/README.md deleted file mode 100644 index 49409bfed..000000000 --- a/charts/kubewarden-defaults/README.md +++ /dev/null 
@@ -1,86 +0,0 @@ -# kubewarden-defaults - -`kubewarden-defaults` is the Helm chart that installs a default PolicyServer -required by the Kubewarden to run `ClusterAdmissionPolicy` and `AdmissionPolicy`. It should be installed -before installing any policies. - - -## Enable recommended policies - -The chart allows the user to install some recommended policies to enforce some -best practice security checks. ***By the default, the policies are disabled and the -user must enable this feature.*** The recommended policies are: - -- [`allow-privilege-escalation-psp` policy](https://github.com/kubewarden/allow-privilege-escalation-psp-policy): prevents process to gain more privileges. -- [`host-namespaces-psp` policy](https://github.com/kubewarden/host-namespaces-psp-policy): blocks pods trying to share host's IPC, networks and PID namespaces -- [`pod-privileged` policy](https://github.com/kubewarden/pod-privileged-policy): does not allow pod running in privileged mode -- [`user-group-psp` policy](https://github.com/kubewarden/user-group-psp-policy): prevents pod running with root user -- [`hostpaths-psp` policy](https://github.com/kubewarden/hostpaths-psp-policy): prevents containers from accessing host paths when hosthPath volumes are defined -- [`capabilities-psp` policy](https://github.com/kubewarden/capabilities-psp-policy): prevents containers from adding Linux capabilities - -All the policies are installed cluster wide. But they are configured to ignore -namespaces important to run the control plane and Rancher components, like -`kube-system` and `rancher-operator-system` namespaces. This list of default -ignored namespaces is in the chart values under `recommendedPolicies.skipNamespaces`, -additional namespaces can be excluded using `recommendedPolicies.skipAdditionalNamespaces`. - -Furthermore, all the policies are installed in "monitor" mode by default. This -means that the policies will **not** block requests. 
They will report the requests -which violates the policies rules. To change the default policy mode to "protect" mode, -the user can change the default policy mode using the Helm chart value. - -For example, if the user wants to install the policies in "protect" mode and ignore the -resources from the "devel" namespaces, the following command can be used: - -```bash -helm install \ - --set recommendedPolicies.enabled=True \ - --set recommendedPolicies.skipAdditionalNamespaces=\{devel\} \ - --set recommendedPolicies.defaultPolicyMode=protect \ - kubewarden-defaults kubewarden/kubewarden-defaults -``` - -**WARNING** -Enforcing the policies to the `kube-system` namespace could break your cluster. -Be aware that some pods could need break this rules. Therefore, the user must be -sure which namespaces the policies will be applied. Remember that when you define the `--set` command line flag the default values are overwritten. So, the -user must define the `kube-system` namespace manually. - -Check out the configuration section to see all the configuration options. -The user can also change the policies mode after the installation. See the -Kubewarden documentation to learn more. - - -## Installing - -For example: -```console -$ helm repo add kubewarden https://charts.kubewarden.io -$ helm install --create-namespace -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults -``` - -For a more comprehensive documentation about how to install the whole Kubewarden -stack, check the `kubewarden-controller` chart documentation out. - -## Upgrading the charts - -Please refer to the release notes of each version of the helm charts. -These can be found [here](https://github.com/kubewarden/helm-charts/releases). - -## Uninstalling the charts - -To uninstall/delete kubewarden-crds use the following command: - -```console -$ helm uninstall -n kubewarden kubewarden-defaults -``` - -The commands remove all the Kubernetes components associated with the chart. 
-**WARNING!** Keep in mind that the removal of the chart will remove all the -policies running on the `default` Policy Server. - -If you want to keep the history use `--keep-history` flag. - -## Configuration - -See the `values.yaml` file of the chart for the configuration values. diff --git a/charts/kubewarden-defaults/app-readme.md b/charts/kubewarden-defaults/app-readme.md deleted file mode 100644 index 75b8ffc55..000000000 --- a/charts/kubewarden-defaults/app-readme.md +++ /dev/null @@ -1,9 +0,0 @@ -# Kubewarden - -[Kubewarden](https://kubewarden.io) makes it very easy to write and distribute Kubernetes admission and mutation policies using your preferred languages and frameworks, and to publish them through well-known distribution methods such as OCI-artifact-enabled image registries. - -It is powered by [WebAssembly](https://webassembly.org/), so Kubewarden policies are architecture and operating system agnostic. - -Discover many policies contributed and maintained by the community in [ArtifactHub](https://artifacthub.io/). - -Download policies or build your own once, and run them everywhere, no matter what the system is. diff --git a/charts/kubewarden-defaults/questions.yaml b/charts/kubewarden-defaults/questions.yaml deleted file mode 100644 index 5e5466051..000000000 --- a/charts/kubewarden-defaults/questions.yaml +++ /dev/null 
@@ -1,381 +0,0 @@ -# This is a Rancher questions file ---- -questions: - # Recommended policies questions: - - variable: "recommendedPolicies.enabled" - type: boolean - default: false - required: true - label: Enable recommended policies - description: | - Whether the recommended policies are enabled or not. Recommended - policies are a minimum set of policies that secure your cluster and - Kubewarden, while leaving the system namespaces untouched. - group: "Recommended Policies" - - variable: "recommendedPolicies.defaultPolicyMode" - type: enum - options: - - "monitor" - - "protect" - default: "monitor" - show_if: recommendedPolicies.enabled=true - label: Execution mode of the recommended policies - description: | - Execution mode of the recommended policies. "protect" will reject requests, - "monitor" will log them. Transitioning from "monitor" to "protect" is - allowed, but not from "protect" to "monitor". - group: "Recommended Policies" - - variable: "recommendedPolicies.skipAdditionalNamespaces" - type: array[ - show_if: recommendedPolicies.enabled=true - label: Additional namespaces to skip from evaluation - description: | - Additional namespaces that the recommended policies will not apply to. - group: "Recommended Policies" - # Default PolicyServer questions - - variable: "policyServer.serviceAccountName" - type: string - required: true - label: Name of the ServiceAccount associated to the PolicyServer default - description: | - The ServiceAccount that is being used by the default PolicyServer to interact - with the Kubernetes API Server. 
- group: "Default PolicyServer" - # Default PolicyServer HA - - variable: "policyServer.replicaCount" - type: integer - default: 1 - required: true - label: Number of replicas - description: | - Number of replicas of the PolicyServer Deployment - group: "Default PolicyServer HA" - - variable: "global.priorityClassName" - type: string - default: "" - required: false - label: Name of priorityClass associated to the PolicyServer Pods - description: | - Name of the priorityClass to apply to default PolicyServer Pods. - group: "Default PolicyServer HA" - # no-privilege-escalation policy settings - - variable: recommendedPolicies.allowPrivilegeEscalationPolicy.settings.allowPrivilegeEscalation - description: >- - This policy works by inspecting the containers and init containers of a Pod. - If any of these containers have `allowPrivilegeEscalation` enabled, the Pod - will be rejected. - tooltip: >- - Used to default to disallow, while still permitting pods to request - allowPrivilegeEscalation explicitly. - label: Allow privilege escalation - required: false - type: boolean - group: "no-privilege-escalation policy settings" - # drop-capabilities policy settings - - variable: recommendedPolicies.capabilitiesPolicy.settings.allowed_capabilities - description: Provides a list of capabilities that are allowed to be added to a container - tooltip: Specified as the capability name in ALL_CAPS. (e.g. `CHOWN`, `KILL`) - group: "drop-capabilities policy settings" - label: Allowed capabilities - required: false - type: array[ - - variable: recommendedPolicies.capabilitiesPolicy.settings.required_drop_capabilities - description: The capabilities which must be dropped from containers. - tooltip: Specified as the capability name in ALL_CAPS. (e.g. 
`NET_ADMIN`) - group: "drop-capabilities policy settings" - label: Required drop capabilities - required: false - type: array[ - - variable: recommendedPolicies.capabilitiesPolicy.settings.default_add_capabilities - description: >- - The capabilities which are added to containers by default, in addition to - the runtime defaults. - tooltip: Specified as the capability name in ALL_CAPS. (e.g. `CHOWN`) - group: "drop-capabilities policy settings" - label: Default add capabilities - required: false - type: array[ - # no-host-namespace-sharing policy settings - # - # - default: null - # description: >- - # This policy works by defining what host namespaces can be used by a Pod. - # `allow_host_ipc`, `allow_host_network` and `allow_host_pid` are `false` by - # default. `allow_host_ports` is an empty list by default. This means that by - # default host IPC, network, pid and all host ports are disabled when this - # policy is loaded with no configuration. - # group: no-host-namespace-sharing policy settings - # label: Description - # required: false - # hide_input: true # TODO not implemented yet in rancher/dashboard - # type: string - # variable: recommendedPolicies.hostNamespacePolicy.settings.description - - variable: recommendedPolicies.hostNamespacePolicy.settings.allow_host_ipc - tooltip: Allows the pod to set .spec.HostIPC to true. - group: no-host-namespace-sharing policy settings - label: Allow host IPC - required: false - type: boolean - - variable: recommendedPolicies.hostNamespacePolicy.settings.allow_host_network - tooltip: Allows the pod to set .spec.HostNetwork to true. - group: no-host-namespace-sharing policy settings - label: Allow host network - required: false - type: boolean - - variable: recommendedPolicies.hostNamespacePolicy.settings.allow_host_pid - tooltip: Allows the pod to set .spec.HostPID to true. 
- group: no-host-namespace-sharing policy settings - label: Allow host PID - required: false - type: boolean - # - # TODO sequence[ is not implemented in rancher/dashboard yet: https://github.com/rancher/dashboard/issues/10826 - # - # - variable: recommendedPolicies.hostNamespacePolicy.settings.allow_host_ports - # description: >- - # A range of ports to allow, an example would allow host ports `80`, `443` and - # the range `8000-9000`. - # group: no-host-namespace-sharing policy settings - # label: Allow host ports - # hide_input: true - # type: sequence[ - # sequence_questions: - # - default: 0 - # tooltip: "" - # group: no-host-namespace-sharing policy settings - # label: min - # type: int - # variable: min - # - default: 0 - # tooltip: "" - # group: no-host-namespace-sharing policy settings - # label: max - # type: int - # variable: max - # no-privileged-pod policy settings - - variable: recommendedPolicies.podPrivilegedPolicy.settings.skip_init_containers - tooltip: >- - Ignore that some init container is configured as privileged - group: no-privileged-pod policy settings - label: Skip init containers - required: false - type: boolean - - variable: recommendedPolicies.podPrivilegedPolicy.settings.skip_ephemeral_containers - tooltip: >- - Ignore that some ephemeral container is configured as privileged - group: no-privileged-pod policy settings - label: Skip ephemeral containers - required: false - type: boolean - # do-not-run-as-root policy - # - # TODO sequence[ is not implemented in rancher/dashboard yet: https://github.com/rancher/dashboard/issues/10826 - # - # - default: null - # description: >- - # This policy is a replacement for the Kubernetes Pod Security Policy that - # controls containers user and groups. 
- # group: do-not-run-as-root policy settings - # label: Description - # required: false - # hide_input: true # TODO not implemented yet in rancher/dashboard - # type: string - # variable: recommendedPolicies.userGroupPolicy.settings.description - # - variable: recommendedPolicies.userGroupPolicy.settings.run_as_user - # description: Controls which user ID the containers are run with. - # group: do-not-run-as-root policy settings - # label: Run as user - # hide_input: true - # type: map[ - # subquestions: - # - variable: recommendedPolicies.userGroupPolicy.settings.run_as_user.rule - # tooltip: >- - # Defines the strategy used by the policy to enforce users and groups used - # in containers. - # group: do-not-run-as-root policy settings - # label: Rule - # options: - # - MustRunAs - # - MustRunAsNonRoot - # - RunAsAny - # type: enum - # - variable: recommendedPolicies.userGroupPolicy.settings.run_as_user.overwrite - # group: do-not-run-as-root policy settings - # label: Overwrite - # show_if: recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAs - # title: Overwrite - # tooltip: >- - # The overwrite attribute can be set only with the MustRunAs rule. This - # flag configures the policy to mutate the runAsUser or runAsGroup despite - # of the value present in the request - even if the value is a valid one. - # The default value of this attribute is false. - # type: boolean - # - variable: recommendedPolicies.userGroupPolicy.settings.run_as_user.ranges - # description: >- - # Ranges is a list of JSON objects with two attributes: min and max. Each - # range object define the user/group ID range used by the rule. 
- # group: do-not-run-as-root policy settings - # label: Ranges - # show_if: recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAsNonRoot - # hide_input: true - # type: sequence[ - # sequence_questions: - # - default: 0 - # group: do-not-run-as-root policy settings - # label: min - # show_if: recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAsNonRoot - # tooltip: Minimum UID or GID - # type: int - # variable: min - # - default: 0 - # group: do-not-run-as-root policy settings - # label: max - # show_if: recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAsNonRoot - # tooltip: Maximum UID or GID - # type: int - # variable: max - # - variable: recommendedPolicies.userGroupPolicy.settings.run_as_group - # description: Controls which primary group ID the containers are run with. - # group: do-not-run-as-root policy settings - # label: Run as group - # hide_input: true - # type: map[ - # subquestions: - # - variable: recommendedPolicies.userGroupPolicy.settings.run_as_group.rule - # tooltip: >- - # Defines the strategy used by the policy to enforce users and groups used - # in containers. - # group: do-not-run-as-root policy settings - # label: Rule - # options: - # - MustRunAs - # - MayRunAs - # - RunAsAny - # type: enum - # - variable: recommendedPolicies.userGroupPolicy.settings.run_as_group.overwrite - # group: do-not-run-as-root policy settings - # label: Overwrite - # show_if: recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MustRunAs - # type: boolean - # - variable: recommendedPolicies.userGroupPolicy.settings.run_as_group.ranges - # description: >- - # Ranges is a list of JSON objects with two attributes: min and max. 
Each - # range object define the user/group ID range used by the rule. - # group: do-not-run-as-root policy settings - # label: Ranges - # show_if: recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MayRunAs - # hide_input: true - # type: sequence[ - # sequence_questions: - # - default: 0 - # group: do-not-run-as-root policy settings - # label: min - # show_if: recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MayRunAs - # tooltip: Minimum UID or GID - # type: int - # variable: min - # - default: 0 - # group: do-not-run-as-root policy settings - # label: max - # show_if: recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MayRunAs - # tooltip: Maximum UID or GID - # type: int - # variable: max - # - variable: recommendedPolicies.userGroupPolicy.settings.supplemental_groups - # description: Controls which group IDs containers add. - # group: do-not-run-as-root policy settings - # label: Supplemental groups - # hide_input: true - # type: map[ - # subquestions: - # - variable: recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule - # tooltip: >- - # Defines the strategy used by the policy to enforce users and groups used - # in containers. 
- # group: do-not-run-as-root policy settings - # label: Rule - # options: - # - MustRunAs - # - MayRunAs - # - RunAsAny - # type: enum - # - variable: recommendedPolicies.userGroupPolicy.settings.supplemental_groups.overwrite - # group: do-not-run-as-root policy settings - # label: Overwrite - # show_if: >- - # recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MustRunAs - # type: boolean - # - variable: recommendedPolicies.userGroupPolicy.settings.supplemental_groups.ranges - # description: >- - # Ranges is a list of JSON objects with two attributes: min and max. Each - # range object define the user/group ID range used by the rule. - # group: do-not-run-as-root policy settings - # label: Ranges - # show_if: >- - # recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MayRunAs - # hide_input: true - # type: sequence[ - # sequence_questions: - # - default: 0 - # group: do-not-run-as-root policy settings - # label: min - # show_if: >- - # recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MayRunAs - # tooltip: Minimum UID or GID - # type: int - # variable: min - # - default: 0 - # group: do-not-run-as-root policy settings - # label: max - # show_if: >- - # recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MayRunAs - # tooltip: Maximum UID or GID - # type: int - # variable: max - # - variable: recommendedPolicies.userGroupPolicy.settings.validate_container_image_configuration - # default: false - # tooltip: Validate the USER directive in the container image - # label: Validate container image configuration - # description: >- - # Validate the USER directive in the container image. 
If set to true, the - # policy will enforce the same rules as MustRunAs and MustRunAsNonRoot for - # the run_as_user. And checks if the group of the USER directive is in the - # run_as_group range. The user and group should be defined as uid and gid. - # Container image validation is skipped if the container image is a Windows - # container. And user and groups names are not allowed. - # required: false - # type: boolean - # - # do-not-share-host-paths policy settings - # - # TODO sequence[ is not implemented in rancher/dashboard yet: https://github.com/rancher/dashboard/issues/10826 - # - # - variable: recommendedPolicies.hostPathsPolicy.settings.allowedHostPaths - # description: >- - # This policy is a replacement for the Kubernetes Pod Security Policy that - # controls the usage of `hostPath` volumes. The policy inspects both the - # containers and the init containers that are using `hostPath` volumes. - # `allowedHostPaths` is a list of host paths that are allowed to be used by - # hostPath volumes. An empty `allowedHostPaths` list means there is no - # restriction on host paths used. Each entry of `allowedHostPaths` must have: - # a `pathPrefix` field, which allows hostPath volumes to mount a path that - # begins with an allowed prefix, and a `readOnly` field indicating it must be - # mounted read-only. - # tooltip: A list of host paths that are allowed to be used by hostPath volumes. - # group: do-not-share-host-paths policy settings - # label: Allow host path - # hide_input: true - # type: sequence[ - # sequence_questions: - # - variable: pathPrefix - # description: >- - # Allows hostPath volumes to mount a path that begins with an allowed - # prefix. - # group: do-not-share-host-paths policy settings - # label: Path prefix - # type: string - # - variable: readOnly - # tooltip: Indicates if the volume must be mounted read-only. - # group: do-not-share-host-paths policy settings - # label: Read only - # type: boolean 
diff --git a/charts/kubewarden-defaults/templates/NOTES.txt b/charts/kubewarden-defaults/templates/NOTES.txt
deleted file mode 100644
index 03ad8527c..000000000
--- a/charts/kubewarden-defaults/templates/NOTES.txt
+++ /dev/null
@@ -1,27 +0,0 @@ -You now have a `PolicyServer` named `default` running in your cluster. -It is ready to run any `clusteradmissionpolicies.policies.kubewarden.io` or -`admissionpolicies.policies.kubewarden.io` resources. -{{ if .Values.recommendedPolicies.enabled }} -Installed recommended policies: -- {{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.name }} - module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.repository }}:{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag }} -- {{ .Values.recommendedPolicies.hostNamespacePolicy.name }} - module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.hostNamespacePolicy.module.repository }}:{{ .Values.recommendedPolicies.hostNamespacePolicy.module.tag }} -- {{ .Values.recommendedPolicies.podPrivilegedPolicy.name }} - module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.repository }}:{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.tag }} -- {{ .Values.recommendedPolicies.userGroupPolicy.name }} - module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.userGroupPolicy.module.repository }}:{{ .Values.recommendedPolicies.userGroupPolicy.module.tag }} -- {{ .Values.recommendedPolicies.hostPathsPolicy.name }} - module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.hostPathsPolicy.module.repository }}:{{ .Values.recommendedPolicies.hostPathsPolicy.module.tag }} -- {{ .Values.recommendedPolicies.capabilitiesPolicy.name }} - module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.capabilitiesPolicy.module.repository }}:{{ .Values.recommendedPolicies.capabilitiesPolicy.module.tag }} -{{- if eq .Values.recommendedPolicies.defaultPolicyMode "monitor" }} - -Note: 
all these policies have been installed in `monitor` mode, you can enforce them -by changing their `mode` to `protect`. - -{{- end }} -{{- end }} - -For more information check out https://docs.kubewarden.io/quick-start. -Discover ready to use policies at https://artifacthub.io/packages/search?kind=13. diff --git a/charts/kubewarden-defaults/templates/_helpers.tpl b/charts/kubewarden-defaults/templates/_helpers.tpl deleted file mode 100644 index f6cd48b7b..000000000 --- a/charts/kubewarden-defaults/templates/_helpers.tpl +++ /dev/null 
@@ -1,98 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "kubewarden-defaults.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "kubewarden-defaults.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "kubewarden-defaults.labels" -}} -helm.sh/chart: {{ include "kubewarden-defaults.chart" . }} -{{ include "kubewarden-defaults.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- else }} -app.kubernetes.io/version: {{ .Chart.Version | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/part-of: kubewarden -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels }} -{{- end }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "kubewarden-defaults.selectorLabels" -}} -app.kubernetes.io/name: {{ include "kubewarden-defaults.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Annotations -*/}} -{{- define "kubewarden-defaults.annotations" -}} -{{- if .Values.additionalAnnotations }} -{{ toYaml .Values.additionalAnnotations }} -{{- end }} -{{- end }} - -{{- define "policy-namespace-selector" -}} -namespaceSelector: - matchExpressions: - - key: "kubernetes.io/metadata.name" - operator: NotIn - values: -{{- with .Values.global.skipNamespaces }} - {{- toYaml . | nindent 4 }} -{{- end }} -{{- with .Values.recommendedPolicies.skipAdditionalNamespaces }} - {{- toYaml . 
| nindent 4 }} -{{- end }} -{{- end -}} - -{{- define "system_default_registry" -}} -{{- if .Values.global.cattle.systemDefaultRegistry -}} -{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -{{- else -}} -{{- "" -}} -{{- end -}} -{{- end -}} - -{{- define "policy_default_registry" -}} -{{- if .Values.recommendedPolicies.defaultPoliciesRegistry -}} -{{- printf "%s/" .Values.recommendedPolicies.defaultPoliciesRegistry -}} -{{- else -}} -{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -{{- end -}} -{{- end -}} - -{{- define "policy_failure_policy" -}} -{{- if eq .Values.recommendedPolicies.defaultPolicyMode "protect" -}} -Fail -{{- else -}} -Ignore -{{- end -}} -{{- end -}} - -{{/* -Effective affinity for the default PolicyServer. -Uses policyServer.affinity if set, otherwise falls back to global.affinity. -*/}} -{{- define "kubewarden-defaults.effectiveAffinity" -}} -{{- if .Values.policyServer.affinity -}} - {{- toYaml .Values.policyServer.affinity -}} -{{- else if .Values.global.affinity -}} - {{- toYaml .Values.global.affinity -}} -{{- end -}} -{{- end -}} diff --git a/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml b/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml deleted file mode 100644 index 16d844251..000000000 --- a/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{ if .Values.recommendedPolicies.enabled }} -apiVersion: {{ $.Values.crdVersion }} -kind: ClusterAdmissionPolicy -metadata: - labels: - {{- include "kubewarden-defaults.labels" . | nindent 4 }} - app.kubernetes.io/component: policy - annotations: - io.kubewarden.policy.severity: medium - io.kubewarden.policy.category: PSP - {{- include "kubewarden-defaults.annotations" . | nindent 4 }} - name: {{ $.Values.recommendedPolicies.allowPrivilegeEscalationPolicy.name }} -spec: - mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} - failurePolicy: {{ template "policy_failure_policy" . }} - module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.repository }}:{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag }} -{{ include "policy-namespace-selector" . | indent 2}} - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: ["CREATE"] # kubernetes doesn't allow to add/remove privileged containers to an already running pod - mutating: true - settings: - {{- toYaml .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.settings | replace "|\n" "" | nindent 4 }} -{{ end }} diff --git a/charts/kubewarden-defaults/templates/capabilities-policy.yaml b/charts/kubewarden-defaults/templates/capabilities-policy.yaml deleted file mode 100644 index 0012198dd..000000000 --- a/charts/kubewarden-defaults/templates/capabilities-policy.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{ if .Values.recommendedPolicies.enabled }} -apiVersion: {{ $.Values.crdVersion }} -kind: ClusterAdmissionPolicy -metadata: - labels: - {{- include "kubewarden-defaults.labels" . | nindent 4 }} - app.kubernetes.io/component: policy - annotations: - io.kubewarden.policy.category: PSP - io.kubewarden.policy.severity: medium - {{- include "kubewarden-defaults.annotations" . | nindent 4 }} - name: {{ $.Values.recommendedPolicies.capabilitiesPolicy.name }} -spec: - mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} - failurePolicy: {{ template "policy_failure_policy" . }} - module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.capabilitiesPolicy.module.repository }}:{{ .Values.recommendedPolicies.capabilitiesPolicy.module.tag }} -{{ include "policy-namespace-selector" . | indent 2}} - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: - - CREATE - - UPDATE - mutating: true - settings: - {{- toYaml .Values.recommendedPolicies.capabilitiesPolicy.settings | replace "|\n" "" | nindent 4 }} -{{ end }} diff --git a/charts/kubewarden-defaults/templates/host-namespace-policy.yaml b/charts/kubewarden-defaults/templates/host-namespace-policy.yaml deleted file mode 100644 index abe3ab249..000000000 --- a/charts/kubewarden-defaults/templates/host-namespace-policy.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{ if .Values.recommendedPolicies.enabled }} -apiVersion: {{ $.Values.crdVersion }} -kind: ClusterAdmissionPolicy -metadata: - labels: - {{- include "kubewarden-defaults.labels" . | nindent 4 }} - app.kubernetes.io/component: policy - annotations: - io.kubewarden.policy.category: PSP - io.kubewarden.policy.severity: medium - {{- include "kubewarden-defaults.annotations" . | nindent 4 }} - name: {{ $.Values.recommendedPolicies.hostNamespacePolicy.name }} -spec: - mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} - failurePolicy: {{ template "policy_failure_policy" . }} - module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.hostNamespacePolicy.module.repository }}:{{ .Values.recommendedPolicies.hostNamespacePolicy.module.tag }} -{{ include "policy-namespace-selector" . | indent 2}} - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: - - CREATE - - UPDATE - mutating: false - settings: - {{- toYaml .Values.recommendedPolicies.hostNamespacePolicy.settings | replace "|\n" "" | nindent 4 }} -{{ end }} diff --git a/charts/kubewarden-defaults/templates/host-path-policy.yaml b/charts/kubewarden-defaults/templates/host-path-policy.yaml deleted file mode 100644 index c84a680c9..000000000 --- a/charts/kubewarden-defaults/templates/host-path-policy.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{ if .Values.recommendedPolicies.enabled }} -apiVersion: {{ $.Values.crdVersion }} -kind: ClusterAdmissionPolicy -metadata: - labels: - {{- include "kubewarden-defaults.labels" . | nindent 4 }} - app.kubernetes.io/component: policy - annotations: - io.kubewarden.policy.category: PSP - io.kubewarden.policy.severity: medium - {{- include "kubewarden-defaults.annotations" . | nindent 4 }} - name: {{ $.Values.recommendedPolicies.hostPathsPolicy.name }} -spec: - mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} - failurePolicy: {{ template "policy_failure_policy" . }} - module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.hostPathsPolicy.module.repository }}:{{ .Values.recommendedPolicies.hostPathsPolicy.module.tag }} -{{ include "policy-namespace-selector" . | indent 2}} - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: - - CREATE - - UPDATE - mutating: false - settings: - {{- toYaml .Values.recommendedPolicies.hostPathsPolicy.settings | replace "|\n" "" | nindent 4 }} -{{ end }} diff --git a/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml b/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml deleted file mode 100644 index 51c7122a4..000000000 --- a/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{ if .Values.recommendedPolicies.enabled }} -apiVersion: {{ $.Values.crdVersion }} -kind: ClusterAdmissionPolicy -metadata: - labels: - {{- include "kubewarden-defaults.labels" . | nindent 4 }} - app.kubernetes.io/component: policy - annotations: - io.kubewarden.policy.category: PSP - io.kubewarden.policy.severity: medium - {{- include "kubewarden-defaults.annotations" . | nindent 4 }} - name: {{ $.Values.recommendedPolicies.podPrivilegedPolicy.name }} -spec: - mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} - failurePolicy: {{ template "policy_failure_policy" . }} - module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.repository }}:{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.tag }} - -{{ include "policy-namespace-selector" . | indent 2}} - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: ["CREATE"] # kubernetes doesn't allow to add/remove privileged containers to an already running pod - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["replicationcontrollers"] - operations: ["CREATE", "UPDATE"] - - apiGroups: ["apps"] - apiVersions: ["v1"] - resources: ["deployments","replicasets","statefulsets","daemonsets"] - operations: ["CREATE", "UPDATE"] - - apiGroups: ["batch"] - apiVersions: ["v1"] - resources: ["jobs","cronjobs"] - operations: ["CREATE", "UPDATE"] - mutating: false - settings: - {{- toYaml .Values.recommendedPolicies.podPrivilegedPolicy.settings | replace "|\n" "" | nindent 4 }} -{{ end }} diff --git a/charts/kubewarden-defaults/templates/policy-server-rbac.yaml b/charts/kubewarden-defaults/templates/policy-server-rbac.yaml deleted file mode 100644 index e2b427254..000000000 --- a/charts/kubewarden-defaults/templates/policy-server-rbac.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - {{- include "kubewarden-defaults.labels" . | nindent 4 }} - app.kubernetes.io/component: policy-server - annotations: - {{- include "kubewarden-defaults.annotations" . | nindent 4 }} - name: {{ .Values.policyServer.serviceAccountName }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - {{- include "kubewarden-defaults.labels" . | nindent 4 }} - app.kubernetes.io/component: policy-server - annotations: - {{- include "kubewarden-defaults.annotations" . | nindent 4 }} - name: kubewarden-context-watcher -rules: -{{- range .Values.policyServer.permissions }} -- apiGroups: - - {{ .apiGroup | quote }} - resources: {{ .resources | toJson }} - verbs: - {{- if .verbs }} - {{- toYaml .verbs | nindent 2 }} - {{- else }} - - get - - list - - watch - {{- end }} -{{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - {{- include "kubewarden-defaults.labels" . | nindent 4 }} - app.kubernetes.io/component: policy-server - annotations: - {{- include "kubewarden-defaults.annotations" . | nindent 4 }} - name: kubewarden-context-watcher -subjects: -- kind: ServiceAccount - name: {{ .Values.policyServer.serviceAccountName }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: kubewarden-context-watcher - apiGroup: rbac.authorization.k8s.io diff --git a/charts/kubewarden-defaults/templates/policyserver-default.yaml b/charts/kubewarden-defaults/templates/policyserver-default.yaml deleted file mode 100644 index bb1256dc9..000000000 --- a/charts/kubewarden-defaults/templates/policyserver-default.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -{{- if .Values.policyServer.enabled }} -apiVersion: {{ $.Values.crdVersion }} -kind: PolicyServer -metadata: - labels: - {{- include "kubewarden-defaults.labels" . | nindent 4 }} - app.kubernetes.io/component: policy-server - annotations: - {{- include "kubewarden-defaults.annotations" . | nindent 4 }} - name: default - finalizers: - - kubewarden.io/finalizer -spec: - image: {{ template "system_default_registry" . }}{{ .Values.policyServer.image.repository }}:{{ .Values.policyServer.image.tag }} - serviceAccountName: {{ .Values.policyServer.serviceAccountName }} - replicas: {{ .Values.policyServer.replicaCount | default 1 }} - {{- if .Values.policyServer.minAvailable }} - minAvailable: {{ .Values.policyServer.minAvailable }} - {{- end }} - {{- if .Values.policyServer.maxUnavailable }} - maxUnavailable: {{ .Values.policyServer.maxUnavailable }} - {{- end }} - {{- $affinity := include "kubewarden-defaults.effectiveAffinity" . -}} - {{- if $affinity }} - affinity: {{ $affinity | nindent 4 }} - {{- end }} - {{- if .Values.global.tolerations }} - tolerations: {{ .Values.global.tolerations | toYaml | nindent 4 }} - {{- end }} - {{- if .Values.global.priorityClassName }} - priorityClassName: {{ .Values.global.priorityClassName | toYaml | nindent 4 }} - {{- end }} - {{- if .Values.policyServer.limits }} - limits: {{ .Values.policyServer.limits | toYaml | nindent 4 }} - {{- end }} - {{- if .Values.policyServer.requests }} - requests: {{ .Values.policyServer.requests | toYaml | nindent 4 }} - {{- end }} - {{- if .Values.policyServer.verificationConfig }} - verificationConfig: {{ .Values.policyServer.verificationConfig }} - {{- end }} - {{- if .Values.policyServer.sigstoreTrustConfig }} - sigstoreTrustConfig: {{ .Values.policyServer.sigstoreTrustConfig }} - {{- end }} - {{- if .Values.policyServer.annotations }} - annotations: - {{- range $key, $value := .Values.policyServer.annotations }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} 
- {{- if .Values.policyServer.env }} - env: - {{- range .Values.policyServer.env }} - - name: {{ .name | quote }} - value: {{ .value | quote }} - {{- end }} - {{- end }} - {{- if .Values.policyServer.imagePullSecret }} - imagePullSecret: {{ .Values.policyServer.imagePullSecret | quote }} - {{- end }} - {{- if .Values.policyServer.insecureSources }} - insecureSources: - {{- range $source := .Values.policyServer.insecureSources }} - - {{ $source | quote }} - {{- end }} - {{- end }} - {{- if .Values.policyServer.sourceAuthorities }} - sourceAuthorities: - {{- range .Values.policyServer.sourceAuthorities }} - {{- if .certs }} - {{ .uri }}: - {{- range .certs }} - - {{ . | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.policyServer.namespacedPoliciesCapabilities }} - namespacedPoliciesCapabilities: - {{- range .Values.policyServer.namespacedPoliciesCapabilities }} - - {{ . | quote }} - {{- end }} - {{- end }} - {{- if .Values.policyServer.securityContexts }} - securityContexts: {{ toYaml .Values.policyServer.securityContexts | nindent 4 }} - {{- end }} - {{- if .Values.policyServer.webhookPort }} - webhookPort: {{ .Values.policyServer.webhookPort }} - {{- end }} - {{- if .Values.policyServer.readinessProbePort }} - readinessProbePort: {{ .Values.policyServer.readinessProbePort }} - {{- end }} - {{- if .Values.policyServer.metricsPort }} - metricsPort: {{ .Values.policyServer.metricsPort }} - {{- end }} -{{- end }} diff --git a/charts/kubewarden-defaults/templates/user-group-policy.yaml b/charts/kubewarden-defaults/templates/user-group-policy.yaml deleted file mode 100644 index 1020e2a96..000000000 --- a/charts/kubewarden-defaults/templates/user-group-policy.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{ if .Values.recommendedPolicies.enabled }} -apiVersion: {{ $.Values.crdVersion }} -kind: ClusterAdmissionPolicy -metadata: - labels: - {{- include "kubewarden-defaults.labels" . | nindent 4 }} - app.kubernetes.io/component: policy - annotations: - io.kubewarden.policy.category: PSP - io.kubewarden.policy.severity: medium - {{- include "kubewarden-defaults.annotations" . | nindent 4 }} - name: {{ $.Values.recommendedPolicies.userGroupPolicy.name }} -spec: - mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} - failurePolicy: {{ template "policy_failure_policy" . }} - module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.userGroupPolicy.module.repository }}:{{ .Values.recommendedPolicies.userGroupPolicy.module.tag }} -{{ include "policy-namespace-selector" . | indent 2}} - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: ["CREATE"] # kubernetes doesn't allow to add/remove privileged containers to an already running pod - mutating: true - settings: - {{- toYaml .Values.recommendedPolicies.userGroupPolicy.settings | replace "|\n" "" | nindent 4 }} -{{ end }} diff --git a/charts/kubewarden-defaults/tests/failure_policy_test.yaml b/charts/kubewarden-defaults/tests/failure_policy_test.yaml deleted file mode 100644 index 56e0eafdb..000000000 --- a/charts/kubewarden-defaults/tests/failure_policy_test.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -suite: set failurePolicy based upon mode -templates: - - allow-privileged-escalation-policy.yaml - - capabilities-policy.yaml - - host-namespace-policy.yaml - - host-path-policy.yaml - - pod-privileged-policy.yaml - - user-group-policy.yaml -tests: - - it: "should ignore on webhook failures if in monitor mode" - set: - recommendedPolicies.enabled: true - recommendedPolicies.defaultPolicyMode: "monitor" - asserts: - - equal: - path: spec.failurePolicy - value: Ignore - - it: "should reject on webhook failures if in protect mode" - set: - recommendedPolicies.enabled: true - recommendedPolicies.defaultPolicyMode: "protect" - asserts: - - equal: - path: spec.failurePolicy - value: Fail diff --git a/charts/kubewarden-defaults/tests/host_network_test.yaml b/charts/kubewarden-defaults/tests/host_network_test.yaml deleted file mode 100644 index d6a465e9f..000000000 --- a/charts/kubewarden-defaults/tests/host_network_test.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -suite: host-network port configuration for default PolicyServer -templates: - - policyserver-default.yaml -tests: - - it: "should not set port fields by default (zero values are omitted)" - asserts: - - notExists: - path: spec.webhookPort - - notExists: - path: spec.readinessProbePort - - notExists: - path: spec.metricsPort - - - it: "should set all port fields when all are overridden" - set: - policyServer.webhookPort: 9443 - policyServer.readinessProbePort: 9081 - policyServer.metricsPort: 9080 - asserts: - - equal: - path: spec.webhookPort - value: 9443 - - equal: - path: spec.readinessProbePort - value: 9081 - - equal: - path: spec.metricsPort - value: 9080 - - - it: "should not set affinity by default" - asserts: - - notExists: - path: spec.affinity - - - it: "should use policyServer.affinity when set" - set: - policyServer.affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - kubewarden/policy-server: default - topologyKey: kubernetes.io/hostname - asserts: - - equal: - path: spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey - value: kubernetes.io/hostname - - equal: - path: spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels["kubewarden/policy-server"] - value: default - - - it: "should fall back to global.affinity when policyServer.affinity is not set" - set: - global.affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux - asserts: - - equal: - path: spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key - value: kubernetes.io/os 
diff --git a/charts/kubewarden-defaults/tests/namespacedPoliciesCapabilities_test.yaml b/charts/kubewarden-defaults/tests/namespacedPoliciesCapabilities_test.yaml
deleted file mode 100644
index 3a76706e5..000000000
--- a/charts/kubewarden-defaults/tests/namespacedPoliciesCapabilities_test.yaml
+++ /dev/null
@@ -1,133 +0,0 @@ -suite: namespacedPoliciesCapabilities schema validation -templates: - - policyserver-default.yaml -tests: - # --- Valid inputs --- - - it: "should accept the global wildcard (*)" - set: - policyServer.namespacedPoliciesCapabilities: - - "*" - asserts: - - notFailedTemplate: {} - - - it: "should accept a category wildcard (oci/*)" - set: - policyServer.namespacedPoliciesCapabilities: - - "oci/*" - asserts: - - notFailedTemplate: {} - - - it: "should accept a sub-category wildcard (oci/v1/*)" - set: - policyServer.namespacedPoliciesCapabilities: - - "oci/v1/*" - asserts: - - notFailedTemplate: {} - - - it: "should accept a fully-qualified path (oci/v1/bla)" - set: - policyServer.namespacedPoliciesCapabilities: - - "oci/v1/bla" - asserts: - - notFailedTemplate: {} - - - it: "should accept the exact values from the bug report (oci/v1/bla and oci/*)" - set: - policyServer.namespacedPoliciesCapabilities: - - "oci/v1/bla" - - "oci/*" - asserts: - - notFailedTemplate: {} - - - it: "should accept hyphens and underscores in path segments (my-cat/sub_path/leaf-node)" - set: - policyServer.namespacedPoliciesCapabilities: - - "my-cat/sub_path/leaf-node" - asserts: - - notFailedTemplate: {} - - - it: "should accept a deeply nested sub-category wildcard (oci/v1/sub/*)" - set: - policyServer.namespacedPoliciesCapabilities: - - "oci/v1/sub/*" - asserts: - - notFailedTemplate: {} - - - it: "should accept null (feature disabled)" - set: - policyServer.namespacedPoliciesCapabilities: null - asserts: - - notFailedTemplate: {} - - - it: "should accept an empty array" - set: - policyServer.namespacedPoliciesCapabilities: [] - asserts: - - notFailedTemplate: {} - - - it: "should accept a mix of all valid forms" - set: - policyServer.namespacedPoliciesCapabilities: - - "*" - - "oci/*" - - "oci/v1/*" - - "oci/v1/bla" - asserts: - - notFailedTemplate: {} - - # --- Invalid inputs --- - - it: "should reject a path with a leading slash (/oci/v1/bla)" - set: - 
policyServer.namespacedPoliciesCapabilities: - - "/oci/v1/bla" - asserts: - - failedTemplate: - errorPattern: "namespacedPoliciesCapabilities" - - - it: "should reject a single segment with no slash (oci)" - set: - policyServer.namespacedPoliciesCapabilities: - - "oci" - asserts: - - failedTemplate: - errorPattern: "namespacedPoliciesCapabilities" - - - it: "should reject uppercase letters in segments (OCI/v1/bla)" - set: - policyServer.namespacedPoliciesCapabilities: - - "OCI/v1/bla" - asserts: - - failedTemplate: - errorPattern: "namespacedPoliciesCapabilities" - - - it: "should reject dots in segments (oci/v1.0/bla)" - set: - policyServer.namespacedPoliciesCapabilities: - - "oci/v1.0/bla" - asserts: - - failedTemplate: - errorPattern: "namespacedPoliciesCapabilities" - - - it: "should reject an empty string entry" - set: - policyServer.namespacedPoliciesCapabilities: - - "" - asserts: - - failedTemplate: - errorPattern: "namespacedPoliciesCapabilities" - - - it: "should reject a trailing slash (oci/v1/)" - set: - policyServer.namespacedPoliciesCapabilities: - - "oci/v1/" - asserts: - - failedTemplate: - errorPattern: "namespacedPoliciesCapabilities" - - - it: "should reject a bare slash (/)" - set: - policyServer.namespacedPoliciesCapabilities: - - "/" - asserts: - - failedTemplate: - errorPattern: "namespacedPoliciesCapabilities" diff --git a/charts/kubewarden-defaults/tests/priorityClassName_test.yaml b/charts/kubewarden-defaults/tests/priorityClassName_test.yaml deleted file mode 100644 index 06f14776b..000000000 --- a/charts/kubewarden-defaults/tests/priorityClassName_test.yaml +++ /dev/null @@ -1,12 +0,0 @@ -suite: priorityClassName configuration -templates: - - policyserver-default.yaml -tests: - - it: "should set the priorityClassName when .global.priorityClassName is defined" - set: - global: - priorityClassName: "high-priority" - asserts: - - equal: - path: spec.priorityClassName - value: "high-priority" 
diff --git a/charts/kubewarden-defaults/values.schema.json b/charts/kubewarden-defaults/values.schema.json
deleted file mode 100644
index 97f8ccd9b..000000000
--- a/charts/kubewarden-defaults/values.schema.json
+++ /dev/null
@@ -1,93 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2019-09/schema",
- "type": "object",
- "properties": {
- "policyServer": {
- "type": "object",
- "properties": {
- "maxUnavailable": {
- "type": "string",
- "minLength": 1
- },
- "minAvailable": {
- "type": "string",
- "minLength": 1
- },
- "webhookPort": {
- "type": "integer",
- "minimum": 1,
- "maximum": 65535,
- "description": "Port for the PolicyServer webhook listener. When omitted, the controller uses the default (8443)."
- },
- "readinessProbePort": {
- "type": "integer",
- "minimum": 1,
- "maximum": 65535,
- "description": "Port for the PolicyServer readiness probe. When omitted, the controller uses the default (8081)."
- },
- "metricsPort": {
- "type": "integer",
- "minimum": 1,
- "maximum": 65535,
- "description": "Port for the PolicyServer metrics endpoint. When omitted, the controller uses the default (8080)."
- },
- "affinity": {
- "type": "object",
- "description": "Affinity rules for the default PolicyServer. Takes precedence over global.affinity."
- },
- "namespacedPoliciesCapabilities": {
- "description": "Host capability paths allowed for namespaced policies on this PolicyServer. Catch obvious errors",
- "type": ["array", "null"],
- "items": {
- "type": "string",
- "minLength": 1,
- "anyOf": [
- {
- "description": "Global wildcard",
- "const": "*"
- },
- {
- "description": "Category wildcard: /*",
- "pattern": "^[a-z0-9_-]+/\\*$"
- },
- {
- "description": "Sub-category wildcard: //*",
- "pattern": "^[a-z0-9_-]+(/[a-z0-9_-]+)+/\\*$"
- },
- {
- "description": "Fully-qualified capability path: /",
- "pattern": "^[a-z0-9_-]+(/[a-z0-9_-]+)+$"
- }
- ]
- }
- }
- },
- "anyOf": [
- {
- "oneOf": [
- {
- "required": ["minAvailable"]
- },
- {
- "required": ["maxUnavailable"]
- }
- ]
- },
- {
- "not": {
- "allOf": [
- {
- "required": ["minAvailable"]
- },
- {
- "required": ["maxUnavailable"]
- }
- ]
- }
- }
- ],
- "additionalProperties": true
- }
- },
- "additionalProperties": true
-}
diff --git a/charts/kubewarden-defaults/values.yaml b/charts/kubewarden-defaults/values.yaml
deleted file mode 100644
index f2c364a4e..000000000
--- a/charts/kubewarden-defaults/values.yaml
+++ /dev/null
@@ -1,292 +0,0 @@ -# This file was autogenerated. -# Common settings across multiple charts. These settings will be used -# by more than one chart and they ideally need to match during the -# installation of the charts consuming this values. -global: - # affinity: - # podAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # matchExpressions: - # - key: security - # operator: In - # values: - # - S1 - # topologyKey: topology.kubernetes.io/zone - # podAntiAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight: 100 - # podAffinityTerm: - # labelSelector: - # matchExpressions: - # - key: security - # operator: In - # values: - # - S2 - # topologyKey: topology.kubernetes.io/zone - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: kubernetes.io/os - # operator: In - # values: - # - linux - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight: 1 - # preference: - # matchExpressions: - # - key: label-1 - # operator: In - # values: - # - key-1 - # - weight: 50 - # preference: - # matchExpressions: - # - key: label-2 - # operator: In - # values: - # - key-2 - affinity: {} - # tolerations: - # - key: "key1" - # operator: "Equal" - # value: "value1" - # effect: "NoSchedule" - # - key: "key1" - # operator: "Equal" - # value: "value1" - # effect: "NoExecute" - tolerations: [] - # priorityClassName: "" - cattle: - systemDefaultRegistry: ghcr.io - skipNamespaces: - - calico-apiserver - - calico-system - - capi-system - - cattle-capi-system - - cattle-alerting - - cattle-csp-adapter-system - - cattle-elemental-system - - cattle-epinio-system - - cattle-externalip-system - - cattle-fleet-local-system - - cattle-fleet-system - - cattle-gatekeeper-system - - cattle-global-data - - cattle-global-nt - - cattle-impersonation-system - - cattle-istio - - cattle-istio-system - - cattle-logging - - cattle-logging-system - - cattle-monitoring-system - - 
cattle-neuvector-system - - cattle-prometheus - - cattle-provisioning-capi-system - - cattle-resources-system - - cattle-sriov-system - - cattle-system - - cattle-turtles-system - - cattle-ui-plugin-system - - cattle-windows-gmsa-system - - cert-manager - - cis-operator-system - - fleet-default - - ingress-nginx - - istio-system - - kube-node-lease - - kube-public - - kube-system - - longhorn-system - - rancher-alerting-drivers - - security-scan - - tigera-operator -# -- Additional labels to add to all resources -additionalLabels: {} -# app: kubewarden-defaults -# -- Additional annotations to add to all resources -additionalAnnotations: {} -# owner: IT-group1 -# Policy Server settings -policyServer: - enabled: true - replicaCount: 1 - # Only one of minAvailable,maxUnavailable can be enabled: - # minAvailable: 30% - # maxUnavailable: 1 - image: - # The registry is defined in the global.cattle.systemDefaultRegistry value - repository: "kubewarden/adm-controller/policy-server" - tag: v1.36.0-beta.1 - serviceAccountName: policy-server - # Configmap containing a Sigstore verification configuration under a key - # named `verification-config`. Must be on the same ns as the PolicyServer. - # verificationConfig: your_configmap - - # Configmap containing a Sigstore trust configuration (ClientTrustConfig JSON) - # under a key named `sigstore-trust-config`. Must be on the same ns as the - # PolicyServer. This is used to configure a custom Sigstore instance. - # sigstoreTrustConfig: your_configmap - - permissions: - # All permissions are cluster-wide. Even namespaced resources are - # granted access in all namespaces at this time. - # By default, permissions are given for get,list,watch unless verbs - # are specified. 
- - apiGroup: "" - resources: - - namespaces - - pods - - services - - apiGroup: "networking.k8s.io" - resources: - - ingresses - - apiGroup: "authorization.k8s.io" - resources: - - "subjectaccessreviews" - verbs: - - create - env: - - name: KUBEWARDEN_LOG_LEVEL - value: info - annotations: {} - # follows the format of https://docs.kubewarden.io/reference/CRDs#policyserversecurity - securityContexts: {} - # imagePullSecret stores the secret name used to pull images from repositories. - # The secret should be in the same namespace of the Policy Server - # - # Example of usage: - # imagePullSecret: "mysecret" - imagePullSecret: null - # insecureSources stores a list of allowed insecure registries. - # - # Example of usage: - #insecureSources: - # - "source1" - # - "source2" - insecureSources: null - # sourceAuthorities is a list of the URIs and their PEM encoded certificates - # used to authenticate them - # - # Example of usage: - # sourceAuthorities: - # - uri: "uri1" - # certs: - # - "cert1" - # - "cert2" - # - uri: "uri2" - # certs: - # - "cert3" - # - uri: "uri3" - # certs: - # - "cert4" - sourceAuthorities: {} - # namespacedPoliciesCapabilities lists host capability API calls allowed - # for namespaced policies running on this PolicyServer. - # Supported patterns: [] (none), "*" (all), "category/*", - # "category/version/*", or specific paths. - # Example: - # namespacedPoliciesCapabilities: - # - "oci/*" - # - "net/v1/dns_lookup_host" - namespacedPoliciesCapabilities: - - "*" # all host capabilities are granted - # limits and requests, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - limits: {} - requests: {} - # Port configuration for the policy server. - # These ports are used for the webhook, readiness probe, and metrics endpoints. - # Important when hostNetwork is enabled or when running multiple PolicyServers - # on the same node, as they must not conflict. 
- # - # Default values (if not specified): - # - webhookPort: 8443 - # - readinessProbePort: 8081 - # - metricsPort: default value defined in the controller (8080) - # - # webhookPort: 9443 - # readinessProbePort: 9081 - # metricsPort: 9080 - - # affinity configures affinity rules for the default PolicyServer. - # This takes precedence over global.affinity when set. - # When hostNetwork is enabled, users should set appropriate podAntiAffinity - # rules here to prevent host-port conflicts between PolicyServer replicas. - # affinity: - # podAntiAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # matchLabels: - # kubewarden/policy-server: default - # topologyKey: kubernetes.io/hostname - affinity: {} -crdVersion: "policies.kubewarden.io/v1" -recommendedPolicies: - enabled: False - # Used to define the registry where the Kubewarden policies are mirrored. - # This can be useful if the registry used to mirror container images does - # not support OCI artifacts. - # If this field is not defined, the systemDefaultRegistry is used by default. 
- defaultPoliciesRegistry: "" - # Additional namespaces that recommended policies will not apply to: - skipAdditionalNamespaces: [] - defaultPolicyMode: "monitor" - allowPrivilegeEscalationPolicy: - module: - repository: "kubewarden/policies/allow-privilege-escalation-psp" - tag: v1.0.10 - name: "no-privilege-escalation" - settings: - allowPrivilegeEscalation: false - hostNamespacePolicy: - module: - repository: "kubewarden/policies/host-namespaces-psp" - tag: v1.1.8 - name: "no-host-namespace-sharing" - settings: - allow_host_ipc: false - allow_host_network: false - allow_host_pid: false - allow_host_ports: [] - podPrivilegedPolicy: - module: - repository: "kubewarden/policies/pod-privileged" - tag: v1.0.10 - name: "no-privileged-pod" - settings: - skip_init_containers: false - skip_ephemeral_containers: false - userGroupPolicy: - module: - repository: "kubewarden/policies/user-group-psp" - tag: v1.1.5 - name: "do-not-run-as-root" - settings: - run_as_user: - rule: "MustRunAsNonRoot" - run_as_group: - rule: "RunAsAny" - supplemental_groups: - rule: "RunAsAny" - validate_container_image_configuration: false - hostPathsPolicy: - module: - repository: "kubewarden/policies/hostpaths-psp" - tag: v1.1.7 - name: "do-not-share-host-paths" - settings: - allowedHostPaths: - - pathPrefix: "/tmp" - readOnly: true - capabilitiesPolicy: - module: - repository: "kubewarden/policies/capabilities-psp" - tag: v1.0.10 - name: "drop-capabilities" - settings: - allowed_capabilities: [] - required_drop_capabilities: - - ALL - default_add_capabilities: [] From 5869bce6a943e45566e83f0ef80651d9390268c0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Wed, 20 May 2026 13:41:12 -0300 Subject: [PATCH 07/22] feat(chart): update chart configuration for unified deployment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bump the chart version to 6.0.0-alpha.1 and appVersion to v2.0.0-alpha.1 to reflect the major restructuring. Remove the auto-install annotation for kubewarden-crds since CRDs are now managed within this chart. Merge values, schema, and questions from the former kubewarden-crds and kubewarden-defaults charts into the unified configuration. This includes the reportCRDs, policyServer, and recommendedPolicies sections. The README has been rewritten to document the unified chart and provide migration guidance. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- charts/kubewarden-controller/Chart.yaml | 5 +- charts/kubewarden-controller/README.md | 289 ++++++--------- charts/kubewarden-controller/questions.yaml | 94 +++++ .../kubewarden-controller/values.schema.json | 344 ++++++++++++++++++ charts/kubewarden-controller/values.yaml | 199 ++++++++++ 5 files changed, 752 insertions(+), 179 deletions(-) diff --git a/charts/kubewarden-controller/Chart.yaml b/charts/kubewarden-controller/Chart.yaml index c372e7103..10b6e3f47 100644 --- a/charts/kubewarden-controller/Chart.yaml +++ b/charts/kubewarden-controller/Chart.yaml @@ -23,9 +23,9 @@ maintainers: # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 5.14.0-beta.1 +version: 6.0.0-alpha.1 # This is the version of Kubewarden stack -appVersion: v1.36.0-beta.1 +appVersion: v2.0.0-alpha.1 annotations: # required ones: catalog.cattle.io/certified: rancher # Any application we are adding as a helm chart 
@@ -35,7 +35,6 @@ annotations: catalog.cattle.io/display-name: Kubewarden # Only for Charts with custom UI catalog.cattle.io/os: linux # this means linux only, other choice here is "windows". For charts that support both, don't add this annotation # optional ones: - catalog.cattle.io/auto-install: kubewarden-crds=1.28.0-beta.1 catalog.cattle.io/provides-gvr: "policyservers.policies.kubewarden.io/v1" # Declare that this chart provides a type, which other charts may use in `requires-gvr`. Only add to parent, not CRD chart. # The following two will create a UI warning if the request is not available in cluster # Assume the most standard setup for your chart. These can be strings with amounts, ie 64Mi or 2Gi are both valid. diff --git a/charts/kubewarden-controller/README.md b/charts/kubewarden-controller/README.md index 680d2e32a..82a464f4a 100644 --- a/charts/kubewarden-controller/README.md +++ b/charts/kubewarden-controller/README.md 
@@ -1,202 +1,139 @@ -[![Kubewarden Core Repository](https://github.com/kubewarden/community/blob/main/badges/kubewarden-core.svg)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#core-scope) -[![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable) -[![Artifact HUB](https://img.shields.io/badge/ArtifactHub-Helm_Charts-blue?style=flat&logo=artifacthub&link=https%3A%2F%2Fartifacthub.io%2Fpackages%2Fsearch%3Frepo%3Dkubewarden%26kind%3D0%26verified_publisher%3Dtrue%26official%3Dtrue%26cncf%3Dtrue%26sort%3Drelevance%26page%3D1)](https://artifacthub.io/packages/search?repo=kubewarden&kind=0&verified_publisher=true&official=true&cncf=true&sort=relevance&page=1) -[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6502/badge)](https://www.bestpractices.dev/projects/6502) -[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B25850%2Fgithub.com%2Fkubewarden%2Fadm-controller.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B25850%2Fgithub.com%2Fkubewarden%2Fadm-controller?ref=badge_shield&issueType=license) -[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/kubewarden/adm-controller/badge)](https://scorecard.dev/viewer/?uri=github.com/kubewarden/adm-controller) -[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/kubewarden/badge)](https://clomonitor.io/projects/cncf/kubewarden) +# Kubewarden Admission Controller -Kubewarden is a Kubernetes Dynamic Admission Controller that uses policies written -in WebAssembly. +Unified Helm chart for deploying the complete Kubewarden admission control stack. -For more information refer to the [official Kubewarden website](https://kubewarden.io/). 
+> **Note:** This chart combines what were previously three separate charts: +> `kubewarden-crds` (CRDs), `kubewarden-controller` (controller), and +> `kubewarden-defaults` (default PolicyServer and recommended policies). -# Kubewarden Admission Controller - Monorepo +## Installation + +```sh +helm install kubewarden kubewarden/kubewarden-controller -n kubewarden --create-namespace +``` -This repository is a monorepo containing the source code for all the different -components of the Kubewarden Admission Controller: +## Migration from Three-Chart Setup -- **adm-controller**: A Kubernetes controller that allows you to dynamically register Kubewarden admission policies and reconcile them with the Kubernetes webhooks of the cluster where it's deployed -- **policy-server**: The runtime component that evaluates admission policies written in WebAssembly -- **audit-scanner**: A component that scans existing resources in the cluster against registered policies -- **kwctl**: A CLI tool for testing and managing Kubewarden policies +If you're currently running the legacy three-chart setup (`kubewarden-crds`, `kubewarden-controller`, `kubewarden-defaults`), follow these steps to migrate to the unified chart. -## Documentation +**⚠️ Important**: There will be a brief window during migration where no admission control is active. Plan accordingly. -The full and exhaustive documentation is available at [docs.kubewarden.io](https://docs.kubewarden.io). +### Prerequisites -The [`docs/`](./docs) folder contains README files for each component: +- Access to your cluster with `kubectl` and `helm` +- Backup tool or `kubectl` configured -- [Controller](./docs/controller) -- [Policy Server](./docs/policy-server) -- [Audit Scanner](./docs/audit-scanner) -- [kwctl](./docs/kwctl) -- [CRDs](./docs/crds) +### Migration Steps -## Installation +#### 1. Backup All Policies and PolicyServers -The adm-controller can be deployed using a Helm chart. 
For instructions, -see https://charts.kubewarden.io. - -Please refer to our [quickstart](https://docs.kubewarden.io/quick-start) for more details. - -# Software bill of materials & provenance - -All Kubewarden components has its software bill of materials (SBOM) and build -[Provenance](https://slsa.dev/spec/v1.0/provenance) information published every -release. It follows the [SPDX](https://spdx.dev/) format and -[SLSA](https://slsa.dev/provenance/v0.2#schema) provenance schema. -Both of the files are generated by [Docker -buildx](https://docs.docker.com/build/metadata/attestations/) during the build -process and stored in the container registry together with the container image -as well as upload in the release page. - -You can find them together with the signature and certificate used to sign it -in the [release -assets](https://github.com/kubewarden/adm-controller/releases), and -attached to the image as JSON-encoded documents following the [in-toto SPDX -predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md) -format. You can obtain them with -[`crane`](https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md) -or [`docker buildx imagetools -inspect`](https://docs.docker.com/reference/cli/docker/buildx/imagetools/inspect). 
- -You can verify the container image with: - -```shell -cosign verify-blob --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@" \ - --bundle controller-attestation-amd64-provenance.intoto.jsonl.bundle.sigstore \ - controller-attestation-amd64-provenance.intoto.jsonl +Uninstalling `kubewarden-crds` cascade-deletes **all** custom resources, so every policy and PolicyServer must be backed up: + +```sh +kubectl get clusteradmissionpolicies -A -o yaml > clusteradmissionpolicies-backup.yaml +kubectl get admissionpolicies -A -o yaml > admissionpolicies-backup.yaml +kubectl get clusteradmissionpolicygroups -A -o yaml > clusteradmissionpolicygroups-backup.yaml +kubectl get admissionpolicygroups -A -o yaml > admissionpolicygroups-backup.yaml +kubectl get policyservers -o yaml > policyservers-backup.yaml ``` -To verify the attestation manifest and its layer signatures: +#### 2. Uninstall Old Charts + +Uninstall in reverse order: -```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@" \ - ghcr.io/kubewarden/adm-controller/controller@sha256:1abc0944378d9f3ee2963123fe84d045248d320d76325f4c2d4eb201304d4c4e +```sh +helm uninstall kubewarden-defaults -n kubewarden +helm uninstall kubewarden-controller -n kubewarden +helm uninstall kubewarden-crds -n kubewarden ``` -> [!NOTE] -> All the commands and file locations used in this section to validate the -> controller components can be used to verify all the others Kubewarden -> components as well. - -That sha256 hash is the digest of the attestation manifest or its layers. -Therefore, you need to find this hash in the registry using the UI or tools -like `crane`. 
For example, the following command will show you all the -attestation manifests of the `latest` tag: - -```shell -crane manifest ghcr.io/kubewarden/adm-controller/controller:latest | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest")' -{ - "mediaType": "application/vnd.oci.image.manifest.v1+json", - "digest": "sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8", - "size": 1655, - "annotations": { - "vnd.docker.reference.digest": "sha256:611d499ec9a26034463f09fa4af4efe2856086252d233b38e3fc31b0b982d369", - "vnd.docker.reference.type": "attestation-manifest" - }, - "platform": { - "architecture": "unknown", - "os": "unknown" - } -} -{ - "mediaType": "application/vnd.oci.image.manifest.v1+json", - "digest": "sha256:e0cd736c2241407114256e09a4cdeef55eb81dcd374c5785c4e5c9362a0088a2", - "size": 1655, - "annotations": { - "vnd.docker.reference.digest": "sha256:03e5db83a25ea2ac498cf81226ab8db8eb53a74a2c9102e4a1da922d5f68b70f", - "vnd.docker.reference.type": "attestation-manifest" - }, - "platform": { - "architecture": "unknown", - "os": "unknown" - } -} +This removes all CRDs and cascades deletion of all CRs (PolicyServers and policies). + +#### 3. Install the Unified Chart + +```sh +helm install kubewarden kubewarden/kubewarden-controller -n kubewarden ``` -Then you can use the `digest` field to verify the attestation manifest and its -layers signatures. 
- -```shell -cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@" \ - ghcr.io/kubewarden/adm-controller/controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8 - -crane manifest ghcr.io/kubewarden/adm-controller/controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8 -{ - "schemaVersion": 2, - "mediaType": "application/vnd.oci.image.manifest.v1+json", - "config": { - "mediaType": "application/vnd.oci.image.config.v1+json", - "digest": "sha256:eda788a0e94041a443eca7286a9ef7fce40aa2832263f7d76c597186f5887f6a", - "size": 463 - }, - "layers": [ - { - "mediaType": "application/vnd.in-toto+json", - "digest": "sha256:563689cdee407ab514d057fe2f8f693189279e10bfe4f31f277e24dee00793ea", - "size": 94849, - "annotations": { - "in-toto.io/predicate-type": "https://spdx.dev/Document" - } - }, - { - "mediaType": "application/vnd.in-toto+json", - "digest": "sha256:7ce0572628290373e17ba0bbb44a9ec3c94ba36034124931d322ca3fbfb768d9", - "size": 7363045, - "annotations": { - "in-toto.io/predicate-type": "https://spdx.dev/Document" - } - }, - { - "mediaType": "application/vnd.in-toto+json", - "digest": "sha256:dacf511c5ec7fd87e8692bd08c3ced2c46f4da72e7271b82f1b3720d5b0a8877", - "size": 71331, - "annotations": { - "in-toto.io/predicate-type": "https://spdx.dev/Document" - } - }, - { - "mediaType": "application/vnd.in-toto+json", - "digest": "sha256:594da3e8bd8c6ee2682b0db35857933f9558fd98ec092344a6c1e31398082f4d", - "size": 980, - "annotations": { - "in-toto.io/predicate-type": "https://spdx.dev/Document" - } - }, - { - "mediaType": "application/vnd.in-toto+json", - "digest": "sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca", - "size": 13838, - "annotations": { - "in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2" - } - } - ] -} - -cosign verify 
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@" \ - ghcr.io/kubewarden/adm-controller/controller@sha256:594da3e8bd8c6ee2682b0db35857933f9558fd98ec092344a6c1e31398082f4d +This creates: +- CRDs in `templates/crds/` (with `helm.sh/resource-policy: keep` to prevent deletion on uninstall) +- The controller +- The default PolicyServer and recommended policies (if enabled) + +#### 4. Restore User Policies + +Once the default PolicyServer is ready, re-apply all backed-up resources: + +```sh +kubectl apply -f policyservers-backup.yaml +kubectl apply -f clusteradmissionpolicies-backup.yaml +kubectl apply -f admissionpolicies-backup.yaml +kubectl apply -f clusteradmissionpolicygroups-backup.yaml +kubectl apply -f admissionpolicygroups-backup.yaml ``` -Note that each attestation manifest (for each architecture) has its own layers. -Each layer is a different SBOM SPDX or provenance file generated by Docker -Buildx during the multi stage build process. You can also use `crane` to -download the attestation file: +The controller's DefaultsApplier will overwrite any managed defaults with the correct ownership labels on the next reconciliation. + +## Configuration + +### Defaults + +The chart can deploy a default PolicyServer and recommended policies managed by the controller: -```shell -crane blob ghcr.io/kubewarden/adm-controller/controller@sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca +```yaml +defaultConfigMapName: kubewarden-defaults + +policyServer: + enabled: true + replicaCount: 1 + # ... (see values.yaml for full options) + +recommendedPolicies: + enabled: false # Disabled by default + defaultPolicyMode: "monitor" + allowPrivilegeEscalationPolicy: + # ... 
(see values.yaml) ``` -## Security disclosure +When `policyServer.enabled: false` and `recommendedPolicies.enabled: false`, the defaults ConfigMap is not rendered and the controller cleans up all managed resources. + +### CRDs + +CRDs are installed in `templates/crds/` with the `helm.sh/resource-policy: keep` annotation. This means: +- `helm upgrade` will update CRDs +- `helm uninstall` will **not** delete CRDs (preventing catastrophic cascade-deletion of all cluster resources) + +To fully remove CRDs after uninstall: + +```sh +kubectl delete crd policyservers.policies.kubewarden.io +kubectl delete crd clusteradmissionpolicies.policies.kubewarden.io +kubectl delete crd admissionpolicies.policies.kubewarden.io +kubectl delete crd clusteradmissionpolicygroups.policies.kubewarden.io +kubectl delete crd admissionpolicygroups.policies.kubewarden.io +``` + +## Uninstall + +```sh +helm uninstall kubewarden -n kubewarden +``` + +This removes: +- The controller deployment +- Managed defaults (resources with `kubewarden.io/managed-by=kubewarden-controller-defaults` label) +- ConfigMaps, Secrets, Services + +It does **not** remove: +- CRDs (due to `helm.sh/resource-policy: keep`) +- User-managed PolicyServers and policies + +## Version -See [SECURITY.md](https://github.com/kubewarden/community/blob/main/SECURITY.md) on the kubewarden/community repo. +- Chart version: 6.0.0-alpha.1 +- App version: v2.0.0-alpha.1 -# Changelog +## References -See [GitHub Releases content](https://github.com/kubewarden/adm-controller/releases). +- [Kubewarden Documentation](https://docs.kubewarden.io/) +- [RFC 0026: Unified Admission Controller Chart](https://github.com/kubewarden/rfc/blob/main/rfc/0026-unified-admission-controller-chart.md) diff --git a/charts/kubewarden-controller/questions.yaml b/charts/kubewarden-controller/questions.yaml index ab33c6924..5b9eb5e0f 100644 --- a/charts/kubewarden-controller/questions.yaml +++ b/charts/kubewarden-controller/questions.yaml 
@@ -212,3 +212,97 @@ questions:
 The secret should contain the keys `tls.crt` and `tls.key`.
 group: "OpenTelemetry"
 show_if: "telemetry.mode=custom && telemetry.custom.insecure=false"
+ # CRD Settings:
+ - variable: "reportCRDs.installPolicyReportCRDs"
+ type: boolean
+ default: false
+ required: false
+ label: Install PolicyReport CRDs
+ description: |
+ Install the PolicyReport and ClusterPolicyReport CRDs.
+ group: "CRD Settings"
+ - variable: "reportCRDs.installOpenReportsCRDs"
+ type: boolean
+ default: true
+ required: false
+ label: Install OpenReports CRDs
+ description: |
+ Install the OpenReports CRDs via the openreports subchart.
+ group: "CRD Settings"
+ # Defaults:
+ - variable: "defaultConfigMapName"
+ type: string
+ default: "kubewarden-defaults"
+ required: false
+ label: Defaults ConfigMap name
+ description: |
+ Name of the ConfigMap used by the controller to apply default resources
+ (PolicyServer, recommended policies).
+ group: "Defaults"
+ # Default PolicyServer:
+ - variable: "policyServer.enabled"
+ type: boolean
+ default: true
+ required: true
+ label: Enable default PolicyServer
+ description: |
+ Deploy a default PolicyServer instance managed by the controller.
+ group: "Default PolicyServer"
+ - variable: "policyServer.replicaCount"
+ type: integer
+ default: 1
+ required: false
+ show_if: policyServer.enabled=true
+ label: Number of replicas
+ description: |
+ Number of replicas for the default PolicyServer.
+ group: "Default PolicyServer"
+ - variable: "policyServer.image.repository"
+ type: string
+ default: "kubewarden/adm-controller/policy-server"
+ show_if: policyServer.enabled=true
+ label: PolicyServer image repository
+ description: |
+ Container image repository for the default PolicyServer.
+ group: "Default PolicyServer"
+ - variable: "policyServer.image.tag"
+ type: string
+ default: "v1.36.0-beta.1"
+ show_if: policyServer.enabled=true
+ label: PolicyServer image tag
+ description: |
+ Container image tag for the default PolicyServer.
+ group: "Default PolicyServer"
+ - variable: "policyServer.serviceAccountName"
+ type: string
+ default: "policy-server"
+ show_if: policyServer.enabled=true
+ label: ServiceAccount name
+ description: |
+ ServiceAccount used by the default PolicyServer.
+ group: "Default PolicyServer"
+ # Recommended Policies:
+ - variable: "recommendedPolicies.enabled"
+ type: boolean
+ default: false
+ required: true
+ label: Enable recommended policies
+ description: |
+ Deploy recommended Kubewarden policies via the defaults ConfigMap.
+ These policies enforce security best practices such as preventing
+ privilege escalation, blocking host namespace sharing, and dropping
+ capabilities.
+ group: "Recommended Policies"
+ - variable: "recommendedPolicies.defaultPolicyMode"
+ type: enum
+ options:
+ - "monitor"
+ - "protect"
+ default: "monitor"
+ show_if: recommendedPolicies.enabled=true
+ label: Default policy mode
+ description: |
+ Default mode for recommended policies.
+ Monitor mode logs policy violations without blocking requests.
+ Protect mode blocks requests that violate the policy.
+ group: "Recommended Policies"
diff --git a/charts/kubewarden-controller/values.schema.json b/charts/kubewarden-controller/values.schema.json
index 07d6ce874..56f86b84e 100644
--- a/charts/kubewarden-controller/values.schema.json
+++ b/charts/kubewarden-controller/values.schema.json
@@ -108,6 +108,9 @@
 }
 }
 },
+ "defaultConfigMapName": {
+ "type": "string"
+ },
 "fullnameOverride": {
 "type": "string"
 },
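Review bot: The `policyServer.image.tag` default is still `v1.36.0-beta.1` while this same commit bumps `appVersion` to `v2.0.0-alpha.1` in Chart.yaml; the values.yaml hunk at the end of this patch carries the same stale `tag: v1.36.0-beta.1`. If the policy-server image is cut from the same monorepo release, a fresh 6.0.0-alpha.1 install would pair a v2 controller with a v1.36 PolicyServer, so both defaults should follow the app version; if the image intentionally lags, say so in the description. Separately, `recommendedPolicies.defaultPolicyMode` is an enum here but a free-form `"type": "string"` in values.schema.json, so `helm install` accepts a misspelled mode that the Rancher form would reject.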
@@ -240,6 +243,101 @@ } } }, + "policyServer": { + "type": "object", + "properties": { + "affinity": { + "type": "object" + }, + "annotations": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "env": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "imagePullSecret": { + "type": "string" + }, + "insecureSources": { + "type": "array", + "items": { + "type": "string" + } + }, + "limits": { + "type": "object" + }, + "namespacedPoliciesCapabilities": { + "type": "array", + "items": { + "type": "string" + } + }, + "permissions": { + "type": "array", + "items": { + "type": "object", + "properties": { + "apiGroup": { + "type": "string" + }, + "resources": { + "type": "array", + "items": { + "type": "string" + } + }, + "verbs": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + }, + "replicaCount": { + "type": "integer" + }, + "requests": { + "type": "object" + }, + "securityContexts": { + "type": "object" + }, + "serviceAccountName": { + "type": "string" + }, + "sourceAuthorities": { + "type": "object" + } + } + }, "ports": { "type": "object", "properties": { 
@@ -316,9 +414,255 @@ } } }, + "recommendedPolicies": { + "type": "object", + "properties": { + "allowPrivilegeEscalationPolicy": { + "type": "object", + "properties": { + "module": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "name": { + "type": "string" + }, + "settings": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + } + } + } + } + }, + "capabilitiesPolicy": { + "type": "object", + "properties": { + "module": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "name": { + "type": "string" + }, + "settings": { + "type": "object", + "properties": { + "allowed_capabilities": { + "type": "array" + }, + "default_add_capabilities": { + "type": "array" + }, + "required_drop_capabilities": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + }, + "defaultPoliciesRegistry": { + "type": "string" + }, + "defaultPolicyMode": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "hostNamespacePolicy": { + "type": "object", + "properties": { + "module": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "name": { + "type": "string" + }, + "settings": { + "type": "object", + "properties": { + "allow_host_ipc": { + "type": "boolean" + }, + "allow_host_network": { + "type": "boolean" + }, + "allow_host_pid": { + "type": "boolean" + }, + "allow_host_ports": { + "type": "array" + } + } + } + } + }, + "hostPathsPolicy": { + "type": "object", + "properties": { + "module": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "name": { + "type": "string" + }, + "settings": { + "type": "object", + "properties": { + "allowedHostPaths": { + "type": "array", + "items": { + "type": "object", + 
"properties": { + "pathPrefix": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + } + } + } + } + } + } + }, + "podPrivilegedPolicy": { + "type": "object", + "properties": { + "module": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "name": { + "type": "string" + }, + "settings": { + "type": "object", + "properties": { + "skip_ephemeral_containers": { + "type": "boolean" + }, + "skip_init_containers": { + "type": "boolean" + } + } + } + } + }, + "skipAdditionalNamespaces": { + "type": "array" + }, + "userGroupPolicy": { + "type": "object", + "properties": { + "module": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "name": { + "type": "string" + }, + "settings": { + "type": "object", + "properties": { + "run_as_group": { + "type": "object", + "properties": { + "rule": { + "type": "string" + } + } + }, + "run_as_user": { + "type": "object", + "properties": { + "rule": { + "type": "string" + } + } + }, + "supplemental_groups": { + "type": "object", + "properties": { + "rule": { + "type": "string" + } + } + }, + "validate_container_image_configuration": { + "type": "boolean" + } + } + } + } + } + } + }, "replicas": { "type": "integer" }, + "reportCRDs": { + "type": "object", + "properties": { + "installOpenReportsCRDs": { + "type": "boolean" + }, + "installPolicyReportCRDs": { + "type": "boolean" + } + } + }, "resources": { "type": "object", "properties": { diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml index 81d1a63d3..9c53cdf49 100644 --- a/charts/kubewarden-controller/values.yaml +++ b/charts/kubewarden-controller/values.yaml 
@@ -387,3 +387,202 @@ policy-reporter:
 sourceFilters:
 - selector:
 source: kubewarden
+
+# Defaults applier configuration
+defaultConfigMapName: kubewarden-defaults
+
+# CRD installation toggles
+reportCRDs:
+ # deploy policyreports.wgpolicyk8s.io, clusterpolicyreports.wgpolicyk8s.io CRDs
+ # Set to false if they are already defined inside of the cluster
+ #
+ # These reports are marked as DEPRECATED and its support will be removed in a
+ # future release, in favour of OpenReports.
+ installPolicyReportCRDs: false
+ # deploy reports.openreports.io, clusterreports.openreports.io CRDs
+ # Set to false if they are already defined inside of the cluster
+ installOpenReportsCRDs: true
+
+
+# Policy Server settings
+policyServer:
+ enabled: true
+ replicaCount: 1
+ # Only one of minAvailable,maxUnavailable can be enabled:
+ # minAvailable: 30%
+ # maxUnavailable: 1
+ image:
+ # The registry is defined in the global.cattle.systemDefaultRegistry value
+ repository: "kubewarden/adm-controller/policy-server"
+ tag: v1.36.0-beta.1
+ serviceAccountName: policy-server
+ # Configmap containing a Sigstore verification configuration under a key
+ # named `verification-config`. Must be on the same ns as the PolicyServer.
+ # verificationConfig: your_configmap
+
+ # Configmap containing a Sigstore trust configuration (ClientTrustConfig JSON)
+ # under a key named `sigstore-trust-config`. Must be on the same ns as the
+ # PolicyServer. This is used to configure a custom Sigstore instance.
+ # sigstoreTrustConfig: your_configmap
+
+ permissions:
+ # All permissions are cluster-wide. Even namespaced resources are
+ # granted access in all namespaces at this time.
+ # By default, permissions are given for get,list,watch unless verbs
+ # are specified.
+ - apiGroup: ""
+ resources:
+ - namespaces
+ - pods
+ - services
+ - apiGroup: "networking.k8s.io"
+ resources:
+ - ingresses
+ - apiGroup: "authorization.k8s.io"
+ resources:
+ - "subjectaccessreviews"
+ verbs:
+ - create
+ env:
+ - name: KUBEWARDEN_LOG_LEVEL
+ value: info
+ annotations: {}
+ # follows the format of https://docs.kubewarden.io/reference/CRDs#policyserversecurity
+ securityContexts: {}
+ # imagePullSecret stores the secret name used to pull images from repositories.
+ # The secret should be in the same namespace of the Policy Server
+ #
+ # Example of usage:
+ # imagePullSecret: "mysecret"
+ imagePullSecret: ""
+ # insecureSources stores a list of allowed insecure registries.
+ #
+ # Example of usage:
+ #insecureSources:
+ # - "source1"
+ # - "source2"
+ insecureSources: [] # @schema item: string
+ # sourceAuthorities is a list of the URIs and their PEM encoded certificates
+ # used to authenticate them
+ #
+ # Example of usage:
+ # sourceAuthorities:
+ # - uri: "uri1"
+ # certs:
+ # - "cert1"
+ # - "cert2"
+ # - uri: "uri2"
+ # certs:
+ # - "cert3"
+ # - uri: "uri3"
+ # certs:
+ # - "cert4"
+ sourceAuthorities: {}
+ # namespacedPoliciesCapabilities lists host capability API calls allowed
+ # for namespaced policies running on this PolicyServer.
+ # Supported patterns: [] (none), "*" (all), "category/*",
+ # "category/version/*", or specific paths.
+ # Example:
+ # namespacedPoliciesCapabilities:
+ # - "oci/*"
+ # - "net/v1/dns_lookup_host"
+ namespacedPoliciesCapabilities:
+ - "*" # all host capabilities are granted
+ # limits and requests, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ limits: {}
+ requests: {}
+ # Port configuration for the policy server.
+ # These ports are used for the webhook, readiness probe, and metrics endpoints.
+ # Important when hostNetwork is enabled or when running multiple PolicyServers
+ # on the same node, as they must not conflict.
+ #
+ # Default values (if not specified):
+ # - webhookPort: 8443
+ # - readinessProbePort: 8081
+ # - metricsPort: default value defined in the controller (8080)
+ #
+ # webhookPort: 9443
+ # readinessProbePort: 9081
+ # metricsPort: 9080
+
+ # affinity configures affinity rules for the default PolicyServer.
+ # This takes precedence over global.affinity when set.
+ # When hostNetwork is enabled, users should set appropriate podAntiAffinity
+ # rules here to prevent host-port conflicts between PolicyServer replicas.
+ # affinity:
+ # podAntiAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # - labelSelector:
+ # matchLabels:
+ # kubewarden/policy-server: default
+ # topologyKey: kubernetes.io/hostname
+ affinity: {}
+
+# Recommended policies configuration
+recommendedPolicies:
+ enabled: false
+ # Used to define the registry where the Kubewarden policies are mirrored.
+ # This can be useful if the registry used to mirror container images does
+ # not support OCI artifacts.
+ # If this field is not defined, the systemDefaultRegistry is used by default.
+ defaultPoliciesRegistry: ""
+ # Additional namespaces that recommended policies will not apply to:
+ skipAdditionalNamespaces: []
+ defaultPolicyMode: "monitor"
+ allowPrivilegeEscalationPolicy:
+ module:
+ repository: "kubewarden/policies/allow-privilege-escalation-psp"
+ tag: v1.0.10
+ name: "no-privilege-escalation"
+ settings:
+ allowPrivilegeEscalation: false
+ hostNamespacePolicy:
+ module:
+ repository: "kubewarden/policies/host-namespaces-psp"
+ tag: v1.1.8
+ name: "no-host-namespace-sharing"
+ settings:
+ allow_host_ipc: false
+ allow_host_network: false
+ allow_host_pid: false
+ allow_host_ports: []
+ podPrivilegedPolicy:
+ module:
+ repository: "kubewarden/policies/pod-privileged"
+ tag: v1.0.10
+ name: "no-privileged-pod"
+ settings:
+ skip_init_containers: false
+ skip_ephemeral_containers: false
+ userGroupPolicy:
+ module:
+ repository: "kubewarden/policies/user-group-psp"
+ tag: v1.1.5
+ name: "do-not-run-as-root"
+ settings:
+ run_as_user:
+ rule: "MustRunAsNonRoot"
+ run_as_group:
+ rule: "RunAsAny"
+ supplemental_groups:
+ rule: "RunAsAny"
+ validate_container_image_configuration: false
+ hostPathsPolicy:
+ module:
+ repository: "kubewarden/policies/hostpaths-psp"
+ tag: v1.1.7
+ name: "do-not-share-host-paths"
+ settings:
+ allowedHostPaths:
+ - pathPrefix: "/tmp"
+ readOnly: true
+ capabilitiesPolicy:
+ module:
+ repository: "kubewarden/policies/capabilities-psp"
+ tag: v1.0.10
+ name: "drop-capabilities"
+ settings:
+ allowed_capabilities: []
+ required_drop_capabilities:
+ - ALL
+ default_add_capabilities: []
From 7bd0dd3f3e9be4be9c95172a3254f494c3680fa9 Mon Sep 17 00:00:00 2001
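Review bot: `namespacedPoliciesCapabilities: - "*"` hands every host capability to namespaced policies on the default PolicyServer, and the comment right above it documents `[]` as the "none" setting, so the shipped default is the most permissive one available. Namespaced policies are authored by whoever can create AdmissionPolicy objects in a namespace, and those capability calls (the `oci/*` and `net/` examples in the comment) are served by the PolicyServer process, presumably under the `policy-server` ServiceAccount whose cluster-wide `permissions` are granted in this same hunk. Prefer `namespacedPoliciesCapabilities: []` as the default and let operators opt in; if parity with the former kubewarden-defaults chart requires `"*"`, replace the trailing comment with one that states the trust assumption, e.g. `- "*" # every host capability is reachable from namespaced (tenant-authored) policies; narrow this unless AdmissionPolicy authors are fully trusted`.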
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Wed, 20 May 2026 13:41:56 -0300 Subject: [PATCH 08/22] chore: update build, tooling, and tests for unified chart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adapt all build tooling, development environment, and test infrastructure for the single-chart deployment model. The Makefile now generates CRDs and RBAC into the new template subdirectories and runs helm-unittest against the unified chart only. The Tiltfile deploys a single Helm release instead of separate installs for CRDs, controller, and defaults. All shell scripts have been updated to reference the unified chart paths. The e2e tests install a single Helm release with policyServer configuration. The controller test suite loads CRDs programmatically from the chart templates and sets up the DefaultsApplierReconciler. Go module dependencies have been updated accordingly. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- .gitignore | 1 + Makefile | 11 ++-- Tiltfile | 64 ++++++++-------- e2e/main_test.go | 32 ++++------- go.mod | 2 +- go.sum | 20 ------- internal/controller/suite_test.go | 58 +++++++++++++++++++- internal/controller/utils_test.go | 9 ++- scripts/charts-check-common-values.sh | 5 -- scripts/charts-extract-images.sh | 2 +- scripts/charts-generate-changelog-files.sh | 2 - scripts/test-sigstore-e2e.sh | 49 ++++++++--------- scripts/validate-hauler-manifest.sh | 53 +++++++----------- 13 files changed, 148 insertions(+), 160 deletions(-)
diff --git a/.gitignore b/.gitignore
index eeb33179e..53c89d4cf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,3 +46,4 @@ fulcio.pem
 rekor.pub
 tsa.pem
 ctfe.pub
+charts/kubewarden-admission-controller/charts/
diff --git a/Makefile b/Makefile
index 956c1cb11..e6806bb6c 100644
--- a/Makefile
+++ b/Makefile
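Review bot: The new entry `charts/kubewarden-admission-controller/charts/` does not match the chart directory used everywhere else in this series, `charts/kubewarden-controller/`, so as written it ignores nothing. The subchart archives that `helm dependency update` drops into `charts/kubewarden-controller/charts/` (the openreports subchart that questions.yaml refers to) would still be committed by accident; unless a later commit renames the chart directory, the line should read `charts/kubewarden-controller/charts/`.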
@@ -46,9 +46,7 @@ test-rust:
 .PHONY: helm-unittest
 helm-unittest:
- helm unittest charts/kubewarden-crds --file "tests/**/*_test.yaml"
 helm unittest charts/kubewarden-controller --file "tests/**/*_test.yaml"
- helm unittest charts/kubewarden-defaults --file "tests/**/*_test.yaml"
 .PHONY: test-e2e
 test-e2e: controller-image audit-scanner-image policy-server-image
@@ -162,13 +160,14 @@ manifests: ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefin $(GO_BUILD_ENV) $(CONTROLLER_GEN) rbac:roleName=kubewarden-controller-manager,fileName=controller-rbac-roles.yaml crd webhook \ paths="./api/policies/v1" paths="./api/policies/v1alpha2" \ paths="./internal/controller" paths="./cmd/controller" \ - output:crd:artifacts:config=charts/kubewarden-crds/templates/crds \ - output:rbac:artifacts:config=charts/kubewarden-controller/templates \ + output:crd:artifacts:config=charts/kubewarden-controller/templates/crds \ + output:rbac:artifacts:config=charts/kubewarden-controller/templates/controller \ output:webhook:artifacts:config=charts + sed -i '/controller-gen.kubebuilder.io\/version:/a\ helm.sh/resource-policy: keep' charts/kubewarden-controller/templates/crds/policies.kubewarden.io_*.yaml echo "# to be merged manually into kubewarden-controller/templates/webhooks.yaml" | cat - charts/manifests.yaml > temp && mv temp charts/manifests.yaml mv charts/manifests.yaml charts/generated-webhooks-manifests.yaml - sed -i '/^metadata:/a\ labels:\n {{- include "kubewarden-controller.labels" . | nindent 4 }}\n annotations:\n {{- include "kubewarden-controller.annotations" . | nindent 4 }}' charts/kubewarden-controller/templates/controller-rbac-roles.yaml - sed -i 's/ namespace: kubewarden/ namespace: {{ .Release.Namespace }}/' charts/kubewarden-controller/templates/controller-rbac-roles.yaml + sed -i '/^metadata:/a\ labels:\n {{- include "kubewarden-controller.labels" . | nindent 4 }}\n annotations:\n {{- include "kubewarden-controller.annotations" . | nindent 4 }}' charts/kubewarden-controller/templates/controller/controller-rbac-roles.yaml + sed -i 's/ namespace: kubewarden/ namespace: {{ .Release.Namespace }}/' charts/kubewarden-controller/templates/controller/controller-rbac-roles.yaml .PHONY: generate-chart generate-chart: ## Generate Helm chart values schema. diff --git a/Tiltfile b/Tiltfile index 99bb27b14..7ef85de8c 100644 
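Review bot: The context line `echo "# to be merged manually into kubewarden-controller/templates/webhooks.yaml"` still names a path that this series moved under `templates/controller/`, while the two `sed` lines right after it were updated to `templates/controller/controller-rbac-roles.yaml`; the hint written into `charts/generated-webhooks-manifests.yaml` should follow. The new `sed -i '/controller-gen.kubebuilder.io\/version:/a\ helm.sh/resource-policy: keep'` silently does nothing if controller-gen ever stops emitting that annotation, and the recipe does not say why the annotation matters; a comment such as `# keep the CRDs (and every policy object stored in them) when the release is uninstalled` above it, plus a grep that fails the target when any `policies.kubewarden.io_*.yaml` file lacks the annotation, would make the intent and the failure mode explicit. The indentation of the appended line is not recoverable from the collapsed diff; please confirm the annotation lands at the same indent as the version annotation in the generated files.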
--- a/Tiltfile +++ b/Tiltfile @@ -8,34 +8,15 @@ update_settings(k8s_upsert_timeout_secs=300) load("ext://namespace", "namespace_create") namespace_create("kubewarden") -# Install the CRDs Helm chart first -crds_yaml = helm( - "./charts/kubewarden-crds", - name="kubewarden-crds", - namespace="kubewarden", -) -k8s_yaml(crds_yaml) - -# Group all CRDs under a single resource name for dependency tracking -k8s_resource( - new_name='kubewarden-crds', - objects=[ - 'policyservers.policies.kubewarden.io:CustomResourceDefinition', - 'admissionpolicies.policies.kubewarden.io:CustomResourceDefinition', - 'clusteradmissionpolicies.policies.kubewarden.io:CustomResourceDefinition', - 'admissionpolicygroups.policies.kubewarden.io:CustomResourceDefinition', - 'clusteradmissionpolicygroups.policies.kubewarden.io:CustomResourceDefinition', - ], -) - +# Install the unified Kubewarden admission controller chart registry = settings.get("registry") controller_image = settings.get("controller").get("image") audit_scanner_image = settings.get("audit-scanner").get("image") policy_server_image = settings.get("policy-server").get("image") -kubewarden_controller_yaml = helm( +kubewarden_yaml = helm( "./charts/kubewarden-controller", - name="kubewarden-controller", + name="kubewarden", namespace="kubewarden", set=[ "global.cattle.systemDefaultRegistry=null", 
@@ -45,32 +26,35 @@ kubewarden_controller_yaml = helm( "podSecurityContext=null", "containerSecurityContext=null", "auditScanner.image.repository=" + registry + "/" + audit_scanner_image, - "auditScanner.logLevel=debug", + "auditScanner.logLevel=debug", + "policyServer.enabled=true", + "policyServer.image.repository=" + registry + "/" + policy_server_image, + "policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL", + "policyServer.env[0].value=debug", ], ) -k8s_yaml(kubewarden_controller_yaml) +k8s_yaml(kubewarden_yaml) -# Wait for kubewarden-controller deployment to be ready before applying defaults -# This ensures the webhook is running before PolicyServer resources are created +# Group all CRDs under a single resource name for dependency tracking k8s_resource( - 'kubewarden-controller:deployment', - new_name='kubewarden-controller', - resource_deps=['kubewarden-crds'], + new_name='kubewarden-crds', + objects=[ + 'policyservers.policies.kubewarden.io:CustomResourceDefinition', + 'admissionpolicies.policies.kubewarden.io:CustomResourceDefinition', + 'clusteradmissionpolicies.policies.kubewarden.io:CustomResourceDefinition', + 'admissionpolicygroups.policies.kubewarden.io:CustomResourceDefinition', + 'clusteradmissionpolicygroups.policies.kubewarden.io:CustomResourceDefinition', + ], ) -kubewarden_defaults_yaml = helm( - "./charts/kubewarden-defaults", - name="kubewarden-defaults", - namespace="kubewarden", - set=[ - "global.cattle.systemDefaultRegistry=null", - "policyServer.image.repository=" + registry + "/" + policy_server_image, - "policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL", - "policyServer.env[0].value=debug", - ], +# Wait for controller deployment to be ready +k8s_resource( + 'kubewarden:deployment', + new_name='kubewarden-controller', + resource_deps=['kubewarden-crds'], ) -k8s_yaml(kubewarden_defaults_yaml) +# Default PolicyServer resource dependency k8s_resource( 'default', resource_deps=['kubewarden-controller', 'policy_server_tilt'], 
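Review bot: The values keys passed here (`policyServer.enabled=true`, `policyServer.image.repository=...`, top-level `auditScanner.*`) disagree with the keys the shell scripts in this same commit pass to the same chart (`controller.replicas=1`, `defaults.enabled=true` and `defaults.policyServer.*` in scripts/test-sigstore-e2e.sh; `.defaults.policyServer.image.tag` and `.defaults.recommendedPolicies.*` read by scripts/validate-hauler-manifest.sh), and e2e/main_test.go follows the Tiltfile layout. Unless the unified chart accepts both layouts, one side is setting keys the chart ignores, and `helm --set` does not complain about unknown keys unless values.schema.json forbids them, so the dev cluster or the Sigstore run would come up without the intended PolicyServer image, log level or replica count and nothing would say so. Please settle on one layout across the generated schema, Tiltfile, e2e and scripts, and have the schema reject unknown top-level keys so a mismatch fails at install time. The `- "auditScanner.logLevel=debug",` / `+ "auditScanner.logLevel=debug",` pair looks like a whitespace-only change that could be dropped from the diff.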
diff --git a/e2e/main_test.go b/e2e/main_test.go index 6dd1d34e2..a814d9cd6 100644 --- a/e2e/main_test.go +++ b/e2e/main_test.go @@ -33,10 +33,8 @@ func TestMain(m *testing.M) { cfg, _ := envconf.NewFromFlags() testenv = env.NewWithConfig(cfg) kindClusterName = envconf.RandomName("kubewarden-e2e-cluster", 32) - releaseCRDsName := "kubewarden-crds" - releaseControllerName := "kubewarden-controller" - kubewardenCRDsChartPath := "../charts/kubewarden-crds" - kubewardenControllerChartPath := "../charts/kubewarden-controller" + releaseName := "kubewarden" + kubewardenChartPath := "../charts/kubewarden-controller" testenv.Setup( envfuncs.CreateCluster(kind.NewProvider(), kindClusterName), 
@@ -48,31 +46,25 @@ func TestMain(m *testing.M) { envfuncs.LoadImageToCluster(kindClusterName, auditScannerImage, "--verbose", "--mode", "direct"), envfuncs.LoadImageToCluster(kindClusterName, policyServerImage, "--verbose", "--mode", "direct"), func(ctx context.Context, _ *envconf.Config) (context.Context, error) { - // can be used to install additional helm charts or perform other custom setup + // Install unified Kubewarden admission controller chart manager := helm.New(cfg.KubeconfigFile()) - err := manager.RunInstall(helm.WithName(releaseCRDsName), + err := manager.RunInstall(helm.WithName(releaseName), helm.WithNamespace(cfg.Namespace()), - helm.WithChart(kubewardenCRDsChartPath), - helm.WithTimeout("1m"), - ) - if err != nil { - return ctx, fmt.Errorf("failed to install kubewarden-crds helm chart: %w", err) - } - - err = manager.RunInstall(helm.WithName(releaseControllerName), - helm.WithNamespace(cfg.Namespace()), - helm.WithChart(kubewardenControllerChartPath), + helm.WithChart(kubewardenChartPath), helm.WithWait(), + helm.WithTimeout("10m"), helm.WithArgs( "--set", "image.tag=dev", "--set", "auditScanner.image.tag=dev", + "--set", "policyServer.image.tag=dev", "--set", "logLevel=debug", "--set", "auditScanner.logLevel=debug", + "--set", "policyServer.enabled=true", ), ) if err != nil { - return ctx, fmt.Errorf("failed to install kubewarden-controller helm chart: %w", err) + return ctx, fmt.Errorf("failed to install kubewarden helm chart: %w", err) } // Wait explicitly for kubewarden-controller deployment to be ready 
@@ -93,11 +85,11 @@ func TestMain(m *testing.M) { os.Exit(testenv.Run(m)) } -// waitForKubewardenControllerDeployment waits for the kubewarden-controller deployment to be ready. +// waitForKubewardenControllerDeployment waits for the kubewarden deployment to be ready. func waitForKubewardenControllerDeployment(_ context.Context, cfg *envconf.Config) error { - // Wait for the kubewarden-controller deployment to be available + // The deployment name is generated by the fullname helper: releaseName-chartName return wait.For(conditions.New(cfg.Client().Resources()).DeploymentConditionMatch( - &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "kubewarden-controller", Namespace: namespace}}, + &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "kubewarden-kubewarden-controller", Namespace: namespace}}, appsv1.DeploymentAvailable, corev1.ConditionTrue, ), wait.WithTimeout(5*time.Minute), wait.WithInterval(1*time.Second)) diff --git a/go.mod b/go.mod index 6969af8f8..e468ef33b 100644 --- a/go.mod +++ b/go.mod @@ -17,6 +17,7 @@ require ( go.opentelemetry.io/otel/sdk/metric v1.43.0 golang.org/x/sync v0.20.0 k8s.io/api v0.36.1 + k8s.io/apiextensions-apiserver v0.36.0 k8s.io/apimachinery v0.36.1 k8s.io/apiserver v0.36.1 k8s.io/client-go v0.36.1 @@ -111,7 +112,6 @@ require ( gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.36.0 // indirect k8s.io/component-base v0.36.1 // indirect k8s.io/klog/v2 v2.140.0 // indirect k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect diff --git a/go.sum b/go.sum index 3b62eed7d..bdeaae05b 100644 --- a/go.sum +++ b/go.sum 
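Review bot: `waitForKubewardenControllerDeployment` now hardcodes `Name: "kubewarden-kubewarden-controller"` while the release name it is derived from is a local `releaseName := "kubewarden"` inside TestMain; if either changes, the wait times out after 5 minutes with no hint that the name drifted. Hoist the release name to package level next to `namespace`, e.g. `const releaseName = "kubewarden"`, and build the deployment name from it, `Name: releaseName + "-kubewarden-controller"`, so the fullname-helper convention the new comment describes is encoded once. The `helm.WithTimeout("10m")` added in the install hunk and the 5-minute wait here cover overlapping work; a short comment on why both are needed would help. TestMain's body extends beyond the hunks shown.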
@@ -389,8 +389,6 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/ginkgo/v2 v2.28.3 h1:4JvMdwtFU0imd8fHx25OJXoDMRexnf8v5NHKYSTTji4= -github.com/onsi/ginkgo/v2 v2.28.3/go.mod h1:+aXOY+vzZ5mu2iI2HpTZUPmM//oQfsNFX6gU9kNcA44= github.com/onsi/ginkgo/v2 v2.29.0 h1:rfh+ZFjgJhYWRoIqVf3Uwx/W20yLrcrE2h2GmYVRaag= github.com/onsi/ginkgo/v2 v2.29.0/go.mod h1:+aXOY+vzZ5mu2iI2HpTZUPmM//oQfsNFX6gU9kNcA44= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= @@ -398,8 +396,6 @@ github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.40.0 h1:Vtol0e1MghCD2ZVIilPDIg44XSL9l2QAn8ZNaljWcJc= -github.com/onsi/gomega v1.40.0/go.mod h1:M/Uqpu/8qTjtzCLUA2zJHX9Iilrau25x1PdoSRbWh5A= github.com/onsi/gomega v1.41.0 h1:OwKp4pXNgVxf6sCplzYo794OFNuoL2q2SBMU5NSWOjA= github.com/onsi/gomega v1.41.0/go.mod h1:M/Uqpu/8qTjtzCLUA2zJHX9Iilrau25x1PdoSRbWh5A= github.com/openreports/reports-api v0.2.1 h1:g9KS3yle9Y1elmww4TK9EkD1rl6inIaiIJPX6e+u680= 
@@ -828,8 +824,6 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI= k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8= -k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80= -k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34= k8s.io/api v0.36.1 h1:XbL/EMj8K2aJpJtePmqUyQMsM0D4QI2pvl7YKJ20FTY= k8s.io/api v0.36.1/go.mod h1:KOWo4ey3TINlXjeHVuwB3i+tXXnu+UcwFBHlI/9dvEo= k8s.io/apiextensions-apiserver v0.18.6/go.mod h1:lv89S7fUysXjLZO7ke783xOwVTm6lKizADfvUM/SS/M= 
@@ -837,25 +831,17 @@ k8s.io/apiextensions-apiserver v0.36.0 h1:Wt7E8J+VBCbj4FjiBfDTK/neXDDjyJVJc7xfuO k8s.io/apiextensions-apiserver v0.36.0/go.mod h1:kGDjH0msuiIB3tgsYRV0kS9GqpMYMUsQ3GHv7TApyug= k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ= -k8s.io/apimachinery v0.36.0/go.mod h1:FklypaRJt6n5wUIwWXIP6GJlIpUizTgfo1T/As+Tyxc= k8s.io/apimachinery v0.36.1 h1:G63Gjx2W+q0YD+72Vo8oY0nDnePVwnuzTmmy5ENrVSA= k8s.io/apimachinery v0.36.1/go.mod h1:ibYOR00vW/I1kzvi5SF0dRuJ52BvKtfvRdOn35GPQ+8= k8s.io/apiserver v0.18.6/go.mod h1:Zt2XvTHuaZjBz6EFYzpp+X4hTmgWGy8AthNVnTdm3Wg= -k8s.io/apiserver v0.36.0 h1:Jg5OFAENUACByUCg15CmhZAYrr5ZyJ+jodyA1mHl3YE= -k8s.io/apiserver v0.36.0/go.mod h1:mHvwdHf+qKEm+1/hYm756SV+oREOKSPnsjagOpx6Vho= k8s.io/apiserver v0.36.1 h1:iMS5V+rPUertv5P9RaqJgmHHTuh4quWpoxchvMUY+JY= k8s.io/apiserver v0.36.1/go.mod h1:Cby1PbLWztu0GDOxoO6iFOyyqIsziHNEW+w9zVQ22Kw= k8s.io/client-go v0.18.6/go.mod h1:/fwtGLjYMS1MaM5oi+eXhKwG+1UHidUEXRh6cNsdO0Q= k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE= -k8s.io/client-go v0.36.0 h1:pOYi7C4RHChYjMiHpZSpSbIM6ZxVbRXBy7CuiIwqA3c= -k8s.io/client-go v0.36.0/go.mod h1:ZKKcpwF0aLYfkHFCjillCKaTK/yBkEDHTDXCFY6AS9Y= k8s.io/client-go v0.36.1 h1:FN/K8QIT2CEDt+2WB2HnWrUANZ50AP5GII43/SP2JR0= k8s.io/client-go v0.36.1/go.mod h1:s6rAnCtTGYDQnpNjEhSaISV+2O8jwruZ6m3QOYBFbtU= k8s.io/code-generator v0.18.6/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= k8s.io/component-base v0.18.6/go.mod h1:knSVsibPR5K6EW2XOjEHik6sdU5nCvKMrzMt2D4In14= -k8s.io/component-base v0.36.0 h1:hFjEktssxiJhrK1zfybkH4kJOi8iZuF+mIDCqS5+jRo= -k8s.io/component-base v0.36.0/go.mod h1:JZvIfcNHk+uck+8LhJzhSBtydWXaZNQwX2OdL+Mnwsk= k8s.io/component-base v0.36.1 h1:iG6GsELftXqTNG9HG6kiVjatSgAw1sf5pJ6R5a6N0kA= k8s.io/component-base v0.36.1/go.mod 
h1:nf9XPlntRdqO6WMeEWAA5F93Y4ICZQdeT9GeqLDB3JI= k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= @@ -872,15 +858,11 @@ k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a h1:xCeOEAOoGYl2jnJoHkC3hkbPJgdATINPMAxaynU2Ovg= k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a/go.mod h1:uGBT7iTA6c6MvqUvSXIaYZo9ukscABYi2btjhvgKGZ0= -k8s.io/streaming v0.36.0 h1:agnTxU+NFulUrtYzXUGKO3ndEa8jKwht1Kwn9nu9x+4= -k8s.io/streaming v0.36.0/go.mod h1:z6fV3D+NVkoeqRMtWwlUZK6U17SY/LqNzOxWL6GyR/s= k8s.io/streaming v0.36.1 h1:L+K68n4Gg940BGNNYtUBvL1WTLL0YnKT3s+P1MNAmR4= k8s.io/streaming v0.36.1/go.mod h1:z6fV3D+NVkoeqRMtWwlUZK6U17SY/LqNzOxWL6GyR/s= k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20260319190234-28399d86e0b5 h1:kBawHLSnx/mYHmRnNUf9d4CpjREbeZuxoSGOX/J+aYM= -k8s.io/utils v0.0.0-20260319190234-28399d86e0b5/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= k8s.io/utils v0.0.0-20260507154919-ff6756f316d2 h1:wU4tMEhLGgIbLvXQb1cfN+EcM0wf7zC6CPF+C79jroc= k8s.io/utils v0.0.0-20260507154919-ff6756f316d2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= 
@@ -888,8 +870,6 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= sigs.k8s.io/controller-runtime v0.6.3/go.mod h1:WlZNXcM0++oyaQt4B7C2lEE5JYRs8vJUzRP4N4JpdAY= -sigs.k8s.io/controller-runtime v0.24.0 h1:Ck6N2LdS8Lovy1o25BB4r1xjvLEKUl1s2o9kU+KWDE4= -sigs.k8s.io/controller-runtime v0.24.0/go.mod h1:vFkfY5fGt5xAC/sKb8IBFKgWPNKG9OUG29dR8Y2wImw= sigs.k8s.io/controller-runtime v0.24.1 h1:miPEwrmirImAvgME1L9qebGHrOnGJoVmVdtOU9fRfo4= sigs.k8s.io/controller-runtime v0.24.1/go.mod h1:vFkfY5fGt5xAC/sKb8IBFKgWPNKG9OUG29dR8Y2wImw= sigs.k8s.io/e2e-framework v0.7.0 h1:AHkySTC6MvnnMbVSxaO4z1m2MhQKNFP+2Ihs5pRNLlM= diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go index 490bbeda5..0552b3983 100644 --- a/internal/controller/suite_test.go +++ b/internal/controller/suite_test.go @@ -18,6 +18,8 @@ package controller import ( "context" + "fmt" + "os" "path/filepath" "testing" "time" @@ -26,7 +28,9 @@ import ( . "github.com/onsi/gomega" corev1 "k8s.io/api/core/v1" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/yaml" "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/tools/clientcmd" ctrl "sigs.k8s.io/controller-runtime" 
@@ -55,6 +59,43 @@ const ( deploymentsNamespace = "kubewarden-integration-tests" ) +// loadKubewardenCRDsFromChart loads the Kubewarden admission controller CRDs +// from the Helm chart templates directory. +func loadKubewardenCRDsFromChart() ([]*apiextensionsv1.CustomResourceDefinition, error) { + chartCRDsPath := filepath.Join("..", "..", "charts", "kubewarden-controller", "templates", "crds") + + // List of Kubewarden admission controller CRD files (excluding policy reports) + crdFiles := []string{ + "policies.kubewarden.io_admissionpolicies.yaml", + "policies.kubewarden.io_admissionpolicygroups.yaml", + "policies.kubewarden.io_clusteradmissionpolicies.yaml", + "policies.kubewarden.io_clusteradmissionpolicygroups.yaml", + "policies.kubewarden.io_policyservers.yaml", + } + + var crds []*apiextensionsv1.CustomResourceDefinition + + for _, filename := range crdFiles { + crdPath := filepath.Join(chartCRDsPath, filename) + + // Read the CRD file + data, err := os.ReadFile(crdPath) + if err != nil { + return nil, fmt.Errorf("failed to read CRD file %s: %w", filename, err) + } + + // Decode YAML to CRD object + crd := &apiextensionsv1.CustomResourceDefinition{} + if err := yaml.Unmarshal(data, crd); err != nil { + return nil, fmt.Errorf("failed to unmarshal CRD from %s: %w", filename, err) + } + + crds = append(crds, crd) + } + + return crds, nil +} + func TestAPIs(t *testing.T) { RegisterFailHandler(Fail) 
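Review bot: `yaml.Unmarshal` from k8s.io/apimachinery/pkg/util/yaml is a lenient decode, so a CRD file containing Helm template directives or a misspelled field is not rejected in `loadKubewardenCRDsFromChart` and only surfaces later as an envtest failure; `yaml.UnmarshalStrict(data, crd)` from the same package reports unknown fields at load time. Because these files now live under `templates/` rather than Helm's `crds/` directory, the test also silently assumes nobody adds `{{ ... }}` templating to them; a comment such as `// The CRD templates must stay plain YAML: they are decoded here without Helm rendering.` above `crdFiles` would record that constraint. The hardcoded five-file list duplicates the glob the Makefile uses (`policies.kubewarden.io_*.yaml`); a `filepath.Glob` with the same pattern, plus a check that it matched something, would keep the two in step and make the `HaveLen(5)` assertion in the suite meaningful.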
@@ -67,9 +108,13 @@ var _ = SynchronizedBeforeSuite(func() []byte { var ctx context.Context ctx, cancel := context.WithCancel(context.TODO()) + // Load CRDs from the Helm chart + kubewardenCRDs, err := loadKubewardenCRDsFromChart() + Expect(err).NotTo(HaveOccurred(), "failed to load Kubewarden CRDs from Helm chart") + Expect(kubewardenCRDs).To(HaveLen(5), "expected 5 Kubewarden admission controller CRDs") + testEnv := &envtest.Environment{ - CRDDirectoryPaths: []string{filepath.Join("..", "..", "charts", "kubewarden-crds", "templates", "crds")}, - ErrorIfCRDPathMissing: true, + CRDs: kubewardenCRDs, } restConfig, err := testEnv.Start() @@ -138,6 +183,15 @@ var _ = SynchronizedBeforeSuite(func() []byte { }).SetupWithManager(k8sManager) Expect(err).ToNot(HaveOccurred()) + err = (&DefaultsApplierReconciler{ + Client: k8sManager.GetClient(), + Scheme: k8sManager.GetScheme(), + Log: ctrl.Log.WithName("defaults-applier-test"), + DeploymentsNamespace: deploymentsNamespace, + ConfigMapName: constants.DefaultDefaultsConfigMapName, + }).SetupWithManager(k8sManager) + Expect(err).ToNot(HaveOccurred()) + // Create the integration tests deployments namespace err = k8sClient.Create(ctx, &corev1.Namespace{ ObjectMeta: metav1.ObjectMeta{ diff --git a/internal/controller/utils_test.go b/internal/controller/utils_test.go index 6e017c7e7..da28be629 100644 --- a/internal/controller/utils_test.go +++ b/internal/controller/utils_test.go @@ -40,7 +40,6 @@ import ( ) const ( - integrationTestsFinalizer = "kubewarden.io/integration-tests-safety-net-finalizer" clientCAConfigMapName = "client-ca" fakeSigstoreTrustConfig = `{"trusted_root": {"version": "test"}}` reconcilerImagePullSecret = "reconciler-pull-secret" 
@@ -208,8 +207,8 @@ func policyGroupHostCapabilitiesMatcher( namespacedHostCapsMatcher types.GomegaMatcher, clusterHostCapsMatcher types.GomegaMatcher, ) types.GomegaMatcher { - return WithTransform(func(data string) (map[string]interface{}, error) { - policiesData := map[string]interface{}{} + return WithTransform(func(data string) (map[string]any, error) { + policiesData := map[string]any{} err := json.Unmarshal([]byte(data), &policiesData) return policiesData, err }, MatchKeys(IgnoreExtras, Keys{ @@ -241,8 +240,8 @@ func admissionPolicyHostCapabilitiesMatcher( namespacedHostCapsMatcher types.GomegaMatcher, clusterHostCapsMatcher types.GomegaMatcher, ) types.GomegaMatcher { - return WithTransform(func(data string) (map[string]interface{}, error) { - policiesData := map[string]interface{}{} + return WithTransform(func(data string) (map[string]any, error) { + policiesData := map[string]any{} err := json.Unmarshal([]byte(data), &policiesData) return policiesData, err }, MatchKeys(IgnoreExtras, Keys{ diff --git a/scripts/charts-check-common-values.sh b/scripts/charts-check-common-values.sh index b8ce1ecc4..6bed1efda 100755 --- a/scripts/charts-check-common-values.sh +++ b/scripts/charts-check-common-values.sh @@ -9,8 +9,3 @@ diff <(yq eval '(.global // {}) | sort_keys(.)' charts/common-values.yaml) <(yq echo "kubewarden-controller values.yaml diverges from common-values.yaml" exit 1 ) -diff <(yq eval '(.global // {}) | sort_keys(.)' charts/common-values.yaml) <(yq eval '(.global // {}) | sort_keys(.)' charts/kubewarden-defaults/values.yaml) || ( - echo - echo "kubewarden-defaults values.yaml diverges from charts/common-values.yaml" - exit 1 -) diff --git a/scripts/charts-extract-images.sh b/scripts/charts-extract-images.sh index 56f97da03..c8df771bf 100755 --- a/scripts/charts-extract-images.sh +++ b/scripts/charts-extract-images.sh 
@@ -2,7 +2,7 @@ set -euo pipefail CHART_DIR=$1 -CHARTS_DIRS=$(find "$CHART_DIR" -type d -exec test -e '{}'/values.yaml \; -print | grep -v kubewarden-crds) +CHARTS_DIRS=$(find "$CHART_DIR" -type d -exec test -e '{}'/values.yaml \; -print) IMAGELIST_FILENAME=imagelist.txt TMP_IMAGE_FILE=/tmp/$IMAGELIST_FILENAME diff --git a/scripts/charts-generate-changelog-files.sh b/scripts/charts-generate-changelog-files.sh index a94588f37..af7e035b9 100755 --- a/scripts/charts-generate-changelog-files.sh +++ b/scripts/charts-generate-changelog-files.sh @@ -11,5 +11,3 @@ CONTROLLER_URL=$(gh release view "$CONTROLLER_VERSION" --repo kubewarden/adm-con echo "Kubewarden Admission Controller [changelog]($CONTROLLER_URL)" } >>$TMP_CHANGELOG_FILE_PATH cp $TMP_CHANGELOG_FILE_PATH "$CHART_DIR/kubewarden-controller/CHANGELOG.md" -cp $TMP_CHANGELOG_FILE_PATH "$CHART_DIR/kubewarden-defaults/CHANGELOG.md" -cp $TMP_CHANGELOG_FILE_PATH "$CHART_DIR/kubewarden-crds/CHANGELOG.md" diff --git a/scripts/test-sigstore-e2e.sh b/scripts/test-sigstore-e2e.sh index b0077db42..b0a0699fc 100755 --- a/scripts/test-sigstore-e2e.sh +++ b/scripts/test-sigstore-e2e.sh @@ -28,7 +28,7 @@ # --no-sigstore Install Kubewarden in stage 3 without any Sigstore # configuration. Skips policy deployment and webhook evaluation. # --policy-server-image Full image reference (repository:tag) for the policy-server. -# Overrides the default image in charts/kubewarden-defaults. +# Overrides the default image in the kubewarden-controller chart. # Example: --policy-server-image ghcr.io/kubewarden/adm-controller/policy-server:dev # # Tools required (per stage): 
@@ -398,15 +398,10 @@ function install_kubewarden() { kubectl create namespace "$KUBEWARDEN_NAMESPACE" \ --dry-run=client -o yaml | kubectl apply -f - - echo -e "${GREEN} Installing kubewarden-crds...${NC}" - helm upgrade --install kubewarden-crds ./charts/kubewarden-crds \ - -n "$KUBEWARDEN_NAMESPACE" \ - --wait - - echo -e "${GREEN} Installing adm-controller...${NC}" + echo -e "${GREEN} Installing kubewarden-controller (unified chart)...${NC}" helm upgrade --install kubewarden-controller ./charts/kubewarden-controller \ -n "$KUBEWARDEN_NAMESPACE" \ - --set replicas=1 \ + --set controller.replicas=1 \ --wait echo -e "${GREEN} Waiting for adm-controller rollout...${NC}" @@ -419,8 +414,8 @@ function build_image_flags() { # policy-server image when POLICY_SERVER_IMAGE is set. IMAGE_FLAGS=() if [[ -n "${POLICY_SERVER_IMAGE}" ]]; then - IMAGE_FLAGS+=(--set "policyServer.image.repository=${POLICY_SERVER_IMAGE%:*}") - IMAGE_FLAGS+=(--set "policyServer.image.tag=${POLICY_SERVER_IMAGE##*:}") + IMAGE_FLAGS+=(--set "defaults.policyServer.image.repository=${POLICY_SERVER_IMAGE%:*}") + IMAGE_FLAGS+=(--set "defaults.policyServer.image.tag=${POLICY_SERVER_IMAGE##*:}") fi } 
@@ -439,20 +434,22 @@ function configure_policy_server() { -n "$KUBEWARDEN_NAMESPACE" \ --dry-run=client -o yaml | kubectl apply -f - - echo -e "${GREEN} Installing kubewarden-defaults with sigstoreTrustConfig...${NC}" + echo -e "${GREEN} Upgrading kubewarden-controller with default PolicyServer and Sigstore config...${NC}" local image_flags=() build_image_flags image_flags=("${IMAGE_FLAGS[@]}") - helm upgrade --install kubewarden-defaults ./charts/kubewarden-defaults \ + helm upgrade --install kubewarden-controller ./charts/kubewarden-controller \ -n "$KUBEWARDEN_NAMESPACE" \ - --set policyServer.sigstoreTrustConfig="$SIGSTORE_TRUST_CONFIGMAP" \ - --set policyServer.verificationConfig="$VERIFICATION_CONFIGMAP" \ - --set 'policyServer.insecureSources[0]=registry.local:5001' \ - --set 'policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL' \ - --set 'policyServer.env[0].value=info' \ - --set 'policyServer.env[1].name=RUST_BACKTRACE' \ - --set 'policyServer.env[1].value=1' \ + --set controller.replicas=1 \ + --set defaults.enabled=true \ + --set 'defaults.policyServer.sigstoreTrustConfig'="$SIGSTORE_TRUST_CONFIGMAP" \ + --set 'defaults.policyServer.verificationConfig'="$VERIFICATION_CONFIGMAP" \ + --set 'defaults.policyServer.insecureSources[0]=registry.local:5001' \ + --set 'defaults.policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL' \ + --set 'defaults.policyServer.env[0].value=info' \ + --set 'defaults.policyServer.env[1].name=RUST_BACKTRACE' \ + --set 'defaults.policyServer.env[1].value=1' \ "${image_flags[@]}" \ --wait # Policy-server readiness is confirmed when the ClusterAdmissionPolicy 
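Review bot: The second `helm upgrade --install kubewarden-controller ./charts/kubewarden-controller` here (and the one in `install_kubewarden_no_sigstore` in the next hunk) upgrades the release created by `install_kubewarden` without `--reuse-values`, so every value the first install set has to be repeated or it silently reverts to the chart default; today that is only `controller.replicas=1`, which is duplicated correctly, but the coupling is invisible to the next editor. A comment above the call, `# Second upgrade of the same release: values not passed here reset to chart defaults, keep in sync with install_kubewarden`, would make it explicit, or pass `--reuse-values` and drop the repeated `--set controller.replicas=1`. The `--set 'defaults.policyServer.sigstoreTrustConfig'="$SIGSTORE_TRUST_CONFIGMAP"` line mixes single- and double-quoted halves while its neighbours are uniformly quoted; harmless in bash, but worth aligning. The function's tail runs past the hunk.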
@@ -460,18 +457,20 @@ function configure_policy_server() { } function install_kubewarden_no_sigstore() { - echo -e "${GREEN}Installing kubewarden-defaults (no Sigstore configuration)...${NC}" + echo -e "${GREEN}Upgrading kubewarden-controller with default PolicyServer (no Sigstore configuration)...${NC}" local image_flags=() build_image_flags image_flags=("${IMAGE_FLAGS[@]}") - helm upgrade --install kubewarden-defaults ./charts/kubewarden-defaults \ + helm upgrade --install kubewarden-controller ./charts/kubewarden-controller \ -n "$KUBEWARDEN_NAMESPACE" \ - --set 'policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL' \ - --set 'policyServer.env[0].value=info' \ - --set 'policyServer.env[1].name=RUST_BACKTRACE' \ - --set 'policyServer.env[1].value=1' \ + --set controller.replicas=1 \ + --set defaults.enabled=true \ + --set 'defaults.policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL' \ + --set 'defaults.policyServer.env[0].value=info' \ + --set 'defaults.policyServer.env[1].name=RUST_BACKTRACE' \ + --set 'defaults.policyServer.env[1].value=1' \ "${image_flags[@]}" \ --wait diff --git a/scripts/validate-hauler-manifest.sh b/scripts/validate-hauler-manifest.sh index 6f4559e7e..53505163d 100755 --- a/scripts/validate-hauler-manifest.sh +++ b/scripts/validate-hauler-manifest.sh @@ -10,8 +10,8 @@ # PR, on pushes to the main branch, and on manual workflow triggers. It # validates all container images (controller, audit-scanner, # policy-server, kuberlr-kubectl, policy modules and third-party images: -# policy-reporter, policy-reporter-ui ) and Helm charts (kubewarden-crds, -# kubewarden-controller, kubewarden-defaults, policy-reporter, openreports). +# policy-reporter, policy-reporter-ui) and Helm charts (kubewarden-controller, +# policy-reporter, openreports). # # The weekly updatecli workflow automatically updates both Helm chart values # and the Hauler manifest. This validation serves as a safety check to catch 
@@ -30,10 +30,7 @@ REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)" HAULER_MANIFEST="$REPO_ROOT/charts/hauler_manifest.yaml" CONTROLLER_VALUES="$REPO_ROOT/charts/kubewarden-controller/values.yaml" -DEFAULTS_VALUES="$REPO_ROOT/charts/kubewarden-defaults/values.yaml" CONTROLLER_CHART="$REPO_ROOT/charts/kubewarden-controller/Chart.yaml" -DEFAULTS_CHART="$REPO_ROOT/charts/kubewarden-defaults/Chart.yaml" -CRDS_CHART="$REPO_ROOT/charts/kubewarden-crds/Chart.yaml" ERRORS=0 @@ -86,9 +83,9 @@ AUDIT_SCANNER_HAULER_VERSION=$(get_hauler_image_version "adm-controller/audit-sc compare_version "audit-scanner" "$AUDIT_SCANNER_CHART_VERSION" "$AUDIT_SCANNER_HAULER_VERSION" "$CONTROLLER_VALUES" # Validate policy-server image -POLICY_SERVER_CHART_VERSION=$(yq eval '.policyServer.image.tag' "$DEFAULTS_VALUES") +POLICY_SERVER_CHART_VERSION=$(yq eval '.defaults.policyServer.image.tag' "$CONTROLLER_VALUES") POLICY_SERVER_HAULER_VERSION=$(get_hauler_image_version "adm-controller/policy-server") -compare_version "policy-server" "$POLICY_SERVER_CHART_VERSION" "$POLICY_SERVER_HAULER_VERSION" "$DEFAULTS_VALUES" +compare_version "policy-server" "$POLICY_SERVER_CHART_VERSION" "$POLICY_SERVER_HAULER_VERSION" "$CONTROLLER_VALUES" # Validate kuberlr-kubectl image KUBERLR_CHART_VERSION=$(yq eval '.preDeleteJob.image.tag' "$CONTROLLER_VALUES") 
@@ -127,34 +124,34 @@ echo "===============================" echo # Validate allow-privilege-escalation-psp policy -POLICY_VERSION=$(yq eval '.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag' "$DEFAULTS_VALUES") +POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag' "$CONTROLLER_VALUES") HAULER_VERSION=$(get_hauler_image_version "policies/allow-privilege-escalation-psp") -compare_version "allow-privilege-escalation-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$DEFAULTS_VALUES" +compare_version "allow-privilege-escalation-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES" # Validate capabilities-psp policy -POLICY_VERSION=$(yq eval '.recommendedPolicies.capabilitiesPolicy.module.tag' "$DEFAULTS_VALUES") +POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.capabilitiesPolicy.module.tag' "$CONTROLLER_VALUES") HAULER_VERSION=$(get_hauler_image_version "policies/capabilities-psp") -compare_version "capabilities-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$DEFAULTS_VALUES" +compare_version "capabilities-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES" # Validate host-namespaces-psp policy -POLICY_VERSION=$(yq eval '.recommendedPolicies.hostNamespacePolicy.module.tag' "$DEFAULTS_VALUES") +POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.hostNamespacePolicy.module.tag' "$CONTROLLER_VALUES") HAULER_VERSION=$(get_hauler_image_version "policies/host-namespaces-psp") -compare_version "host-namespaces-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$DEFAULTS_VALUES" +compare_version "host-namespaces-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES" # Validate hostpaths-psp policy -POLICY_VERSION=$(yq eval '.recommendedPolicies.hostPathsPolicy.module.tag' "$DEFAULTS_VALUES") +POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.hostPathsPolicy.module.tag' "$CONTROLLER_VALUES") HAULER_VERSION=$(get_hauler_image_version "policies/hostpaths-psp") -compare_version "hostpaths-psp" 
"$POLICY_VERSION" "$HAULER_VERSION" "$DEFAULTS_VALUES" +compare_version "hostpaths-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES" # Validate pod-privileged policy -POLICY_VERSION=$(yq eval '.recommendedPolicies.podPrivilegedPolicy.module.tag' "$DEFAULTS_VALUES") +POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.podPrivilegedPolicy.module.tag' "$CONTROLLER_VALUES") HAULER_VERSION=$(get_hauler_image_version "policies/pod-privileged") -compare_version "pod-privileged" "$POLICY_VERSION" "$HAULER_VERSION" "$DEFAULTS_VALUES" +compare_version "pod-privileged" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES" # Validate user-group-psp policy -POLICY_VERSION=$(yq eval '.recommendedPolicies.userGroupPolicy.module.tag' "$DEFAULTS_VALUES") +POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.userGroupPolicy.module.tag' "$CONTROLLER_VALUES") HAULER_VERSION=$(get_hauler_image_version "policies/user-group-psp") -compare_version "user-group-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$DEFAULTS_VALUES" +compare_version "user-group-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES" echo echo "📋 Validating Helm Charts..." 
@@ -167,30 +164,20 @@ get_hauler_chart_version() {
 yq eval ".spec.charts[] | select(.name == \"$chart_name\") | .version" "$HAULER_MANIFEST"
 }
 
-# Validate kubewarden-crds chart
-CHART_VERSION=$(yq eval '.version' "$CRDS_CHART")
-HAULER_VERSION=$(get_hauler_chart_version "kubewarden-crds")
-compare_version "kubewarden-crds chart" "$CHART_VERSION" "$HAULER_VERSION" "$CRDS_CHART"
-
 # Validate kubewarden-controller chart
 CHART_VERSION=$(yq eval '.version' "$CONTROLLER_CHART")
 HAULER_VERSION=$(get_hauler_chart_version "kubewarden-controller")
 compare_version "kubewarden-controller chart" "$CHART_VERSION" "$HAULER_VERSION" "$CONTROLLER_CHART"
 
-# Validate kubewarden-defaults chart
-CHART_VERSION=$(yq eval '.version' "$DEFAULTS_CHART")
-HAULER_VERSION=$(get_hauler_chart_version "kubewarden-defaults")
-compare_version "kubewarden-defaults chart" "$CHART_VERSION" "$HAULER_VERSION" "$DEFAULTS_CHART"
-
 # Validate policy-reporter chart (from kubewarden-controller dependencies)
-CHART_VERSION=$(yq eval '.dependencies[0].version' "$CONTROLLER_CHART")
+CHART_VERSION=$(yq eval '.dependencies[] | select(.name == "policy-reporter") | .version' "$CONTROLLER_CHART")
 HAULER_VERSION=$(get_hauler_chart_version "policy-reporter")
 compare_version "policy-reporter chart" "$CHART_VERSION" "$HAULER_VERSION" "$CONTROLLER_CHART dependencies"
 
-# Validate openreports chart (from kubewarden-crds dependencies)
-CHART_VERSION=$(yq eval '.dependencies[0].version' "$CRDS_CHART")
+# Validate openreports chart (from kubewarden-controller dependencies)
+CHART_VERSION=$(yq eval '.dependencies[] | select(.name == "openreports") | .version' "$CONTROLLER_CHART")
 HAULER_VERSION=$(get_hauler_chart_version "openreports")
-compare_version "openreports chart" "$CHART_VERSION" "$HAULER_VERSION" "$CRDS_CHART dependencies"
+compare_version "openreports chart" "$CHART_VERSION" "$HAULER_VERSION" "$CONTROLLER_CHART dependencies"
 
 echo
 echo "=================================="
From d565ac7cfa7de3e3816b7633f1d9953030f133ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 12:19:26 -0300 Subject: [PATCH 09/22] refactor(controller): simplify defaults applier with unstructured lists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace typed ObjectList with extractItems type-switch by UnstructuredList for generic resource listing in cleanupStale. Remove the .yaml key suffix filter from ConfigMap data iteration since keys are now bare names. Rewrite tests to use factory builders and sigs.k8s.io/yaml for YAML serialization instead of inline string literals, use DeleteAllOf for cleanup, and replace time.Sleep with Consistently. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- api/policies/v1/factories.go | 60 +++-- go.mod | 2 +- internal/controller/defaults_applier.go | 73 ++----- internal/controller/defaults_applier_test.go | 218 ++++++------------- 4 files changed, 124 insertions(+), 229 deletions(-)
diff --git a/api/policies/v1/factories.go b/api/policies/v1/factories.go
index 2de6bc6da..16b2e6013 100644
--- a/api/policies/v1/factories.go
+++ b/api/policies/v1/factories.go
@@ -145,6 +145,7 @@ type ClusterAdmissionPolicyFactory struct {
 mode PolicyMode
 timeoutSeconds *int32
 timeoutEvalSeconds *int32
+ withoutFinalizers bool
 }
 
 func NewClusterAdmissionPolicyFactory() *ClusterAdmissionPolicyFactory {
@@ -219,19 +220,28 @@ func (f *ClusterAdmissionPolicyFactory) WithTimeoutEvalSeconds(timeout *int32) *
 return f
 }
 
+func (f *ClusterAdmissionPolicyFactory) WithoutFinalizers() *ClusterAdmissionPolicyFactory {
+ f.withoutFinalizers = true
+ return f
+}
+
 func (f *ClusterAdmissionPolicyFactory) Build() *ClusterAdmissionPolicy {
+ var finalizers []string
+ if !f.withoutFinalizers {
+ finalizers = []string{
+ // On a real cluster the Kubewarden finalizer is added by our mutating
+ // webhook. This is not running now, hence we have to manually add the finalizer
+ constants.KubewardenFinalizer,
+ // By adding this finalizer automatically, we ensure that when
+ // testing removal of finalizers on deleted objects, that they will
+ // exist at all times
+ integrationTestsFinalizer,
+ }
+ }
 clusterAdmissionPolicy := ClusterAdmissionPolicy{
 ObjectMeta: metav1.ObjectMeta{
- Name: f.name,
- Finalizers: []string{
- // On a real cluster the Kubewarden finalizer is added by our mutating
- // webhook. This is not running now, hence we have to manually add the finalizer
- constants.KubewardenFinalizer,
- // By adding this finalizer automatically, we ensure that when
- // testing removal of finalizers on deleted objects, that they will
- // exist at all times
- integrationTestsFinalizer,
- },
+ Name: f.name,
+ Finalizers: finalizers,
 },
 Spec: ClusterAdmissionPolicySpec{
 ContextAwareResources: f.contextAwareResources,
@@ -494,6 +504,7 @@ type PolicyServerBuilder struct {
 webhookPort *int32
 readinessProbePort *int32
 metricsPort *int32
+ withoutFinalizers bool
 }
 
 func NewPolicyServerFactory() *PolicyServerBuilder {
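Review bot: The ten-line finalizer block that `Build()` now assembles under `if !f.withoutFinalizers` is copied verbatim into both `ClusterAdmissionPolicyFactory.Build` here and `PolicyServerBuilder.Build` in the next hunk, and the new `WithoutFinalizers` setters carry no doc comment saying when a caller should want an object without them. A package-level helper keeps the two lists (and their explanatory comments) from drifting, and a comment such as `// WithoutFinalizers builds the object without the test-only finalizers; use it for objects that are serialized and applied by a controller rather than created directly by the test.` records the intent — the defaults-applier tests in this series are the only callers visible here, so adjust the wording if there are others. Both `Build()` bodies continue past the end of their hunks.

```go
// testFinalizers returns the finalizers every factory attaches unless
// WithoutFinalizers was called.
func testFinalizers() []string {
	return []string{
		// On a real cluster the Kubewarden finalizer is added by our mutating
		// webhook. This is not running now, hence we have to manually add the finalizer
		constants.KubewardenFinalizer,
		// By adding this finalizer automatically, we ensure that when
		// testing removal of finalizers on deleted objects, that they will
		// exist at all times
		integrationTestsFinalizer,
	}
}

func (f *ClusterAdmissionPolicyFactory) Build() *ClusterAdmissionPolicy {
	var finalizers []string
	if !f.withoutFinalizers {
		finalizers = testFinalizers()
	}
	// … unchanged: ClusterAdmissionPolicy literal using Name/Finalizers …
```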
@@ -557,19 +568,28 @@ func (f *PolicyServerBuilder) WithMetricsPort(port int32) *PolicyServerBuilder {
 return f
 }
 
+func (f *PolicyServerBuilder) WithoutFinalizers() *PolicyServerBuilder {
+ f.withoutFinalizers = true
+ return f
+}
+
 func (f *PolicyServerBuilder) Build() *PolicyServer {
+ var finalizers []string
+ if !f.withoutFinalizers {
+ finalizers = []string{
+ // On a real cluster the Kubewarden finalizer is added by our mutating
+ // webhook. This is not running now, hence we have to manually add the finalizer
+ constants.KubewardenFinalizer,
+ // By adding this finalizer automatically, we ensure that when
+ // testing removal of finalizers on deleted objects, that they will
+ // exist at all times
+ integrationTestsFinalizer,
+ }
+ }
 policyServer := PolicyServer{
 ObjectMeta: metav1.ObjectMeta{
- Name: f.name,
- Finalizers: []string{
- // On a real cluster the Kubewarden finalizer is added by our mutating
- // webhook. This is not running now, hence we have to manually add the finalizer
- constants.KubewardenFinalizer,
- // By adding this finalizer automatically, we ensure that when
- // testing removal of finalizers on deleted objects, that they will
- // exist at all times
- integrationTestsFinalizer,
- },
+ Name: f.name,
+ Finalizers: finalizers,
 },
 Spec: PolicyServerSpec{
 Image: policyServerRepository() + ":" + policyServerVersion(),
diff --git a/go.mod b/go.mod
index e468ef33b..47b15e78f 100644
--- a/go.mod
+++ b/go.mod
@@ -25,6 +25,7 @@ require (
 sigs.k8s.io/controller-runtime v0.24.1
 sigs.k8s.io/e2e-framework v0.7.0
 sigs.k8s.io/wg-policy-prototypes v0.0.0-20230505033312-51c21979086a
+ sigs.k8s.io/yaml v1.6.0
 )
 
 // CEL needs to be pinned to the same version as the one used by the k8s.io/apiserver package
@@ -119,5 +120,4 @@ require (
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 sigs.k8s.io/randfill v1.0.0 // indirect
 sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
- sigs.k8s.io/yaml v1.6.0 // indirect
 )
diff --git a/internal/controller/defaults_applier.go b/internal/controller/defaults_applier.go
index 20b4460e9..4c69ca243 100644
--- a/internal/controller/defaults_applier.go
+++ b/internal/controller/defaults_applier.go
@@ -8,7 +8,9 @@ import (
 "github.com/go-logr/logr"
 corev1 "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/runtime/serializer"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -37,7 +39,6 @@ type DefaultsApplierReconciler struct {
 func (r *DefaultsApplierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 log := r.Log.WithValues("configmap", req.NamespacedName)
 
- // Phase 1: Read ConfigMap
 var cm corev1.ConfigMap
 if err := r.Get(ctx, req.NamespacedName, &cm); err != nil {
 if apierrors.IsNotFound(err) {
@@ -50,16 +51,10 @@ func (r *DefaultsApplierReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 return ctrl.Result{}, fmt.Errorf("failed to get ConfigMap: %w", err)
 }
 
- // Phase 2: Apply desired resources
 decoder := serializer.NewCodecFactory(r.Scheme).UniversalDeserializer()
 desired := make(map[resourceKey]bool)
 
 for key, yamlData := range cm.Data {
- if len(key) < 5 || key[len(key)-5:] != ".yaml" {
- // Skip non-YAML keys
- continue
- }
-
 obj, gvk, err := decoder.Decode([]byte(yamlData), nil, nil)
 if err != nil {
 log.Error(err, "failed to decode resource from ConfigMap", "key", key)
@@ -87,7 +82,6 @@ func (r *DefaultsApplierReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 }
 }
 
- // Phase 3: Clean up stale managed resources
 if err := r.cleanupStale(ctx, desired); err != nil {
 return ctrl.Result{}, fmt.Errorf("failed to cleanup stale resources: %w", err)
 }
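Review bot: With the `.yaml` suffix check gone from the `for key, yamlData := range cm.Data` loop, every entry of the ConfigMap is handed to the deserializer, so a key that does not hold a serialized object now produces a logged decode error on every reconcile instead of being skipped, and nothing in the hunk records that contract. A comment above the loop, `// Every key of cm.Data must hold exactly one Kubernetes object in YAML; keys are bare names (no extension) and only appear in log output.`, would make the new convention explicit — the key's only visible use in this hunk is the log line, so confirm nothing further down still derives anything from a suffix. Reconcile's body continues beyond the hunk, including whatever is done with `obj` and `gvk`.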
@@ -175,26 +169,24 @@ func (r *DefaultsApplierReconciler) cleanupStale(ctx context.Context, desired ma
 constants.DefaultsManagedByLabelKey: constants.DefaultsManagedByLabelValue,
 }
 
- // List all managed resource types
- resourceLists := []client.ObjectList{
- &policiesv1.PolicyServerList{},
- &policiesv1.ClusterAdmissionPolicyList{},
- &policiesv1.AdmissionPolicyList{},
- &policiesv1.ClusterAdmissionPolicyGroupList{},
- &policiesv1.AdmissionPolicyGroupList{},
+ gvks := []schema.GroupVersionKind{
+ {Group: "policies.kubewarden.io", Version: "v1", Kind: "PolicyServerList"},
+ {Group: "policies.kubewarden.io", Version: "v1", Kind: "ClusterAdmissionPolicyList"},
+ {Group: "policies.kubewarden.io", Version: "v1", Kind: "AdmissionPolicyList"},
+ {Group: "policies.kubewarden.io", Version: "v1", Kind: "ClusterAdmissionPolicyGroupList"},
+ {Group: "policies.kubewarden.io", Version: "v1", Kind: "AdmissionPolicyGroupList"},
 }
 
- for _, list := range resourceLists {
+ for _, gvk := range gvks {
+ list := &unstructured.UnstructuredList{}
+ list.SetGroupVersionKind(gvk)
+
 if err := r.List(ctx, list, managedSelector); err != nil {
 return fmt.Errorf("failed to list managed resources: %w", err)
 }
 
- items, err := extractItems(list)
- if err != nil {
- return err
- }
-
- for _, item := range items {
+ for i := range list.Items {
+ item := &list.Items[i]
 rk := resourceKey{
 gvk: item.GetObjectKind().GroupVersionKind().String(),
 name: item.GetName(),
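Review bot: `cleanupStale` now reclaims only the five kinds hard-coded in `gvks`, while the decode path in `Reconcile` (hunk at line 50 of the same file) accepts any kind registered in `r.Scheme`; unless the apply loop outside that hunk filters on `gvk`, an object of some other kind written into the ConfigMap would be created by the controller but never garbage-collected, with the controller's own RBAC as the only limit on what that ConfigMap can create. Spelling out `"policies.kubewarden.io"`/`"v1"` as literals also duplicates `policiesv1.GroupVersion`, which the test file in this patch already uses through `WithKind` (the hunks show `policiesv1` is still imported here). Hoisting the list to a package-level variable built from `policiesv1.GroupVersion` lets `Reconcile` check each decoded `gvk` against the same set — log and skip anything else — so that what is applied and what is cleaned up cannot drift apart. The rest of `cleanupStale` is outside the hunk.

```go
// managedGVKs is the set of list kinds the defaults applier owns; it is the
// single source of truth for both what Reconcile applies and what
// cleanupStale reclaims.
var managedGVKs = []schema.GroupVersionKind{
	policiesv1.GroupVersion.WithKind("PolicyServerList"),
	policiesv1.GroupVersion.WithKind("ClusterAdmissionPolicyList"),
	policiesv1.GroupVersion.WithKind("AdmissionPolicyList"),
	policiesv1.GroupVersion.WithKind("ClusterAdmissionPolicyGroupList"),
	policiesv1.GroupVersion.WithKind("AdmissionPolicyGroupList"),
}

	// … unchanged: managedSelector …
	for _, gvk := range managedGVKs {
		list := &unstructured.UnstructuredList{}
		list.SetGroupVersionKind(gvk)
		// … unchanged: List call and per-item loop …
```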
@@ -232,40 +224,3 @@ func (rk resourceKey) String() string {
 return fmt.Sprintf("%s/%s/%s", rk.gvk, rk.namespace, rk.name)
 }
 
-// extractItems extracts client.Objects from a typed list.
-func extractItems(list client.ObjectList) ([]client.Object, error) {
- switch v := list.(type) {
- case *policiesv1.PolicyServerList:
- items := make([]client.Object, len(v.Items))
- for i := range v.Items {
- items[i] = &v.Items[i]
- }
- return items, nil
- case *policiesv1.ClusterAdmissionPolicyList:
- items := make([]client.Object, len(v.Items))
- for i := range v.Items {
- items[i] = &v.Items[i]
- }
- return items, nil
- case *policiesv1.AdmissionPolicyList:
- items := make([]client.Object, len(v.Items))
- for i := range v.Items {
- items[i] = &v.Items[i]
- }
- return items, nil
- case *policiesv1.ClusterAdmissionPolicyGroupList:
- items := make([]client.Object, len(v.Items))
- for i := range v.Items {
- items[i] = &v.Items[i]
- }
- return items, nil
- case *policiesv1.AdmissionPolicyGroupList:
- items := make([]client.Object, len(v.Items))
- for i := range v.Items {
- items[i] = &v.Items[i]
- }
- return items, nil
- default:
- return nil, fmt.Errorf("unknown list type: %T", list)
- }
-}
diff --git a/internal/controller/defaults_applier_test.go b/internal/controller/defaults_applier_test.go
index 252a2c289..734481c6b 100644
--- a/internal/controller/defaults_applier_test.go
+++ b/internal/controller/defaults_applier_test.go
@@ -2,7 +2,6 @@ package controller
 
 import (
 "context"
- "time"
 
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
@@ -10,17 +9,28 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ sigsyaml "sigs.k8s.io/yaml"
 
 policiesv1 "github.com/kubewarden/adm-controller/api/policies/v1"
 "github.com/kubewarden/adm-controller/internal/constants"
 )
 
-var _ = Describe("DefaultsApplierReconciler", func() {
- const (
- timeout = 180 * time.Second
- pollInterval = 250 * time.Millisecond
- )
+func marshalPolicyServer(ps *policiesv1.PolicyServer) string {
+ ps.SetGroupVersionKind(policiesv1.GroupVersion.WithKind("PolicyServer"))
+ data, err := sigsyaml.Marshal(ps)
+ Expect(err).ToNot(HaveOccurred())
+ return string(data)
+}
+
+func marshalClusterAdmissionPolicy(policy *policiesv1.ClusterAdmissionPolicy) string {
+ policy.SetGroupVersionKind(policiesv1.GroupVersion.WithKind("ClusterAdmissionPolicy"))
+ data, err := sigsyaml.Marshal(policy)
+ Expect(err).ToNot(HaveOccurred())
+ return string(data)
+}
 
+var _ = Describe("DefaultsApplierReconciler", func() {
 var (
 ctx context.Context
 configMapName string
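Review bot: `marshalPolicyServer` and `marshalClusterAdmissionPolicy` are the same function specialised on the parameter type, and because the `Expect` inside them fails at the helper's own line, a marshal failure is reported there rather than at the test that called it. One helper over `client.Object` (imported in this hunk), with a `GinkgoHelper()` call if the pinned ginkgo v2 provides it, removes the duplication and fixes the attribution. Separately, the hunk deletes the `timeout`/`pollInterval` constants from the `Describe` block while the remaining tests still use them and `consistencyTimeout`; nothing in this patch defines those names, so they presumably already exist at package level in the suite file — worth confirming before merge. The `Describe` body continues outside the hunk.

```go
// marshalObject stamps apiVersion/kind on obj and returns it as the YAML
// document the defaults applier expects in each ConfigMap key.
func marshalObject(obj client.Object, kind string) string {
	GinkgoHelper()
	obj.GetObjectKind().SetGroupVersionKind(policiesv1.GroupVersion.WithKind(kind))
	data, err := sigsyaml.Marshal(obj)
	Expect(err).ToNot(HaveOccurred())
	return string(data)
}
```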
@@ -41,53 +51,27 @@ var _ = Describe("DefaultsApplierReconciler", func() { }) AfterEach(func() { - // Clean up ConfigMap cm := &corev1.ConfigMap{} err := k8sClient.Get(ctx, configMapNsName, cm) if err == nil { Expect(k8sClient.Delete(ctx, cm)).To(Succeed()) } - // Clean up any managed resources (ignore NotFound since the - // reconciler may have already deleted them after the ConfigMap removal). - psList := &policiesv1.PolicyServerList{} - Expect(k8sClient.List(ctx, psList)).To(Succeed()) - for _, ps := range psList.Items { - if ps.Labels[constants.DefaultsManagedByLabelKey] == constants.DefaultsManagedByLabelValue { - err := k8sClient.Delete(ctx, &ps) - if err != nil && !apierrors.IsNotFound(err) { - Expect(err).ToNot(HaveOccurred()) - } - } + managedSelector := client.MatchingLabels{ + constants.DefaultsManagedByLabelKey: constants.DefaultsManagedByLabelValue, } - - capList := &policiesv1.ClusterAdmissionPolicyList{} - Expect(k8sClient.List(ctx, capList)).To(Succeed()) - for _, cap := range capList.Items { - if cap.Labels[constants.DefaultsManagedByLabelKey] == constants.DefaultsManagedByLabelValue { - err := k8sClient.Delete(ctx, &cap) - if err != nil && !apierrors.IsNotFound(err) { - Expect(err).ToNot(HaveOccurred()) - } - } + for _, obj := range []client.Object{ + &policiesv1.PolicyServer{}, + &policiesv1.ClusterAdmissionPolicy{}, + } { + Expect(k8sClient.DeleteAllOf(ctx, obj, managedSelector)).To(Succeed()) } }) Context("when ConfigMap does not exist", func() { - It("should do nothing when no managed resources exist", func() { - // No ConfigMap exists, reconciler should not error - // This is tested implicitly by the absence of errors in the controller logs - }) - It("should delete all managed resources when they exist", func() { - // First create the ConfigMap so the reconciler creates the PolicyServer - policyServerYAML := `apiVersion: policies.kubewarden.io/v1 -kind: PolicyServer -metadata: - name: ` + policyServerName + ` -spec: - image: 
ghcr.io/kubewarden/policy-server:latest - replicas: 1` + ps := policiesv1.NewPolicyServerFactory().WithName(policyServerName).WithoutFinalizers().Build() + policyServerYAML := marshalPolicyServer(ps) cm := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ @@ -95,20 +79,17 @@ spec: Namespace: deploymentsNamespace, }, Data: map[string]string{ - "policyserver-default.yaml": policyServerYAML, + "policyserver-default": policyServerYAML, }, } Expect(k8sClient.Create(ctx, cm)).To(Succeed()) - // Wait for the PolicyServer to be created Eventually(func() error { return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, &policiesv1.PolicyServer{}) }, timeout, pollInterval).Should(Succeed()) - // Delete the ConfigMap to trigger cleanup Expect(k8sClient.Delete(ctx, cm)).To(Succeed()) - // Wait for the managed resource to be deleted Eventually(func() bool { err := k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, &policiesv1.PolicyServer{}) return apierrors.IsNotFound(err) @@ -118,14 +99,8 @@ spec: Context("when ConfigMap has one PolicyServer", func() { It("should create the PolicyServer with ownership label", func() { - policyServerYAML := `apiVersion: policies.kubewarden.io/v1 -kind: PolicyServer -metadata: - name: ` + policyServerName + ` -spec: - image: ghcr.io/kubewarden/policy-server:latest - replicas: 1 - serviceAccountName: policy-server` + ps := policiesv1.NewPolicyServerFactory().WithName(policyServerName).WithoutFinalizers().Build() + policyServerYAML := marshalPolicyServer(ps) cm := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ 
@@ -133,32 +108,26 @@ spec: Namespace: deploymentsNamespace, }, Data: map[string]string{ - "policyserver-default.yaml": policyServerYAML, + "policyserver-default": policyServerYAML, }, } Expect(k8sClient.Create(ctx, cm)).To(Succeed()) - // Wait for the PolicyServer to be created - ps := &policiesv1.PolicyServer{} + createdPS := &policiesv1.PolicyServer{} Eventually(func() error { - return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, ps) + return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, createdPS) }, timeout, pollInterval).Should(Succeed()) - // Verify ownership label - Expect(ps.Labels).To(HaveKeyWithValue(constants.DefaultsManagedByLabelKey, constants.DefaultsManagedByLabelValue)) - Expect(ps.Spec.Image).To(Equal("ghcr.io/kubewarden/policy-server:latest")) + Expect(createdPS.Labels).To(HaveKeyWithValue(constants.DefaultsManagedByLabelKey, constants.DefaultsManagedByLabelValue)) + Expect(createdPS.Spec.Image).To(Equal(ps.Spec.Image)) }) }) Context("when ConfigMap is updated", func() { It("should update the PolicyServer spec", func() { - initialYAML := `apiVersion: policies.kubewarden.io/v1 -kind: PolicyServer -metadata: - name: ` + policyServerName + ` -spec: - image: ghcr.io/kubewarden/policy-server:v1.0.0 - replicas: 1` + initialPS := policiesv1.NewPolicyServerFactory().WithName(policyServerName).WithoutFinalizers().Build() + initialPS.Spec.Image = "ghcr.io/kubewarden/policy-server:v1.0.0" + initialYAML := marshalPolicyServer(initialPS) cm := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ 
@@ -166,66 +135,42 @@ spec: Namespace: deploymentsNamespace, }, Data: map[string]string{ - "policyserver-default.yaml": initialYAML, + "policyserver-default": initialYAML, }, } Expect(k8sClient.Create(ctx, cm)).To(Succeed()) - // Wait for initial creation - ps := &policiesv1.PolicyServer{} + createdPS := &policiesv1.PolicyServer{} Eventually(func() error { - return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, ps) + return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, createdPS) }, timeout, pollInterval).Should(Succeed()) - Expect(ps.Spec.Image).To(Equal("ghcr.io/kubewarden/policy-server:v1.0.0")) + Expect(createdPS.Spec.Image).To(Equal("ghcr.io/kubewarden/policy-server:v1.0.0")) - // Update the ConfigMap - updatedYAML := `apiVersion: policies.kubewarden.io/v1 -kind: PolicyServer -metadata: - name: ` + policyServerName + ` -spec: - image: ghcr.io/kubewarden/policy-server:v2.0.0 - replicas: 2` + updatedPS := policiesv1.NewPolicyServerFactory().WithName(policyServerName).WithoutFinalizers().Build() + updatedPS.Spec.Image = "ghcr.io/kubewarden/policy-server:v2.0.0" + updatedYAML := marshalPolicyServer(updatedPS) Expect(k8sClient.Get(ctx, configMapNsName, cm)).To(Succeed()) - cm.Data["policyserver-default.yaml"] = updatedYAML + cm.Data["policyserver-default"] = updatedYAML Expect(k8sClient.Update(ctx, cm)).To(Succeed()) - // Wait for the PolicyServer to be updated Eventually(func() string { - err := k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, ps) + err := k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, createdPS) if err != nil { return "" } - return ps.Spec.Image + return createdPS.Spec.Image }, timeout, pollInterval).Should(Equal("ghcr.io/kubewarden/policy-server:v2.0.0")) - - Expect(ps.Spec.Replicas).To(Equal(int32(2))) }) }) Context("when a key is removed from ConfigMap", func() { It("should delete the corresponding managed resource", func() { - policyServerYAML := `apiVersion: 
policies.kubewarden.io/v1 -kind: PolicyServer -metadata: - name: ` + policyServerName + ` -spec: - image: ghcr.io/kubewarden/policy-server:latest - replicas: 1` - - policyYAML := `apiVersion: policies.kubewarden.io/v1 -kind: ClusterAdmissionPolicy -metadata: - name: ` + policyName + ` -spec: - module: ghcr.io/kubewarden/policies/test:v1.0.0 - rules: - - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - operations: ["CREATE"] - settings: {}` + ps := policiesv1.NewPolicyServerFactory().WithName(policyServerName).WithoutFinalizers().Build() + policyServerYAML := marshalPolicyServer(ps) + + clusterPolicy := policiesv1.NewClusterAdmissionPolicyFactory().WithName(policyName).WithoutFinalizers().Build() + policyYAML := marshalClusterAdmissionPolicy(clusterPolicy) cm := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ 
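Review bot: The update test now changes and asserts only `Spec.Image`; the removed version also bumped `replicas` to 2 and checked `ps.Spec.Replicas` after the update, and that second field is what demonstrated a non-image change being propagated through an in-place update rather than a recreate. Since both objects come from the same factory, setting `updatedPS.Spec.Replicas = 2` next to the image change and restoring `Expect(createdPS.Spec.Replicas).To(Equal(int32(2)))` after the `Eventually` keeps that coverage. The `It` block begins and ends outside this hunk.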
@@ -233,54 +178,38 @@ spec: Namespace: deploymentsNamespace, }, Data: map[string]string{ - "policyserver-default.yaml": policyServerYAML, - "policy.yaml": policyYAML, + "policyserver-default": policyServerYAML, + "policy": policyYAML, }, } Expect(k8sClient.Create(ctx, cm)).To(Succeed()) - // Wait for both resources to be created - ps := &policiesv1.PolicyServer{} Eventually(func() error { - return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, ps) + return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, &policiesv1.PolicyServer{}) }, timeout, pollInterval).Should(Succeed()) - policy := &policiesv1.ClusterAdmissionPolicy{} Eventually(func() error { - return k8sClient.Get(ctx, types.NamespacedName{Name: policyName}, policy) + return k8sClient.Get(ctx, types.NamespacedName{Name: policyName}, &policiesv1.ClusterAdmissionPolicy{}) }, timeout, pollInterval).Should(Succeed()) - // Remove the policy from the ConfigMap Expect(k8sClient.Get(ctx, configMapNsName, cm)).To(Succeed()) - delete(cm.Data, "policy.yaml") + delete(cm.Data, "policy") Expect(k8sClient.Update(ctx, cm)).To(Succeed()) - // Wait for the policy to be deleted Eventually(func() bool { - err := k8sClient.Get(ctx, types.NamespacedName{Name: policyName}, policy) + err := k8sClient.Get(ctx, types.NamespacedName{Name: policyName}, &policiesv1.ClusterAdmissionPolicy{}) return apierrors.IsNotFound(err) }, timeout, pollInterval).Should(BeTrue(), "managed policy should be deleted") - // PolicyServer should still exist - Expect(k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, ps)).To(Succeed()) + Expect(k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, &policiesv1.PolicyServer{})).To(Succeed()) }) }) Context("resource safety", func() { It("should never delete resources without the ownership label", func() { - // Create an unmanaged PolicyServer (no ownership label) - unmanagedPS := &policiesv1.PolicyServer{ - ObjectMeta: metav1.ObjectMeta{ - Name: 
"unmanaged-policyserver", - }, - Spec: policiesv1.PolicyServerSpec{ - Image: "ghcr.io/kubewarden/policy-server:latest", - Replicas: 1, - }, - } + unmanagedPS := policiesv1.NewPolicyServerFactory().WithName("unmanaged-policyserver").WithoutFinalizers().Build() Expect(k8sClient.Create(ctx, unmanagedPS)).To(Succeed()) - // Create an empty ConfigMap (should trigger cleanup of all managed resources) cm := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: configMapName, @@ -290,26 +219,18 @@ spec: } Expect(k8sClient.Create(ctx, cm)).To(Succeed()) - // Wait a bit to allow reconciliation - time.Sleep(2 * time.Second) - - // Unmanaged resource should still exist - Expect(k8sClient.Get(ctx, types.NamespacedName{Name: "unmanaged-policyserver"}, &policiesv1.PolicyServer{})).To(Succeed()) + Consistently(func() error { + return k8sClient.Get(ctx, types.NamespacedName{Name: unmanagedPS.Name}, &policiesv1.PolicyServer{}) + }, consistencyTimeout, pollInterval).Should(Succeed()) - // Clean up Expect(k8sClient.Delete(ctx, unmanagedPS)).To(Succeed()) }) }) Context("when ConfigMap has malformed YAML", func() { It("should skip the malformed entry and continue with others", func() { - policyServerYAML := `apiVersion: policies.kubewarden.io/v1 -kind: PolicyServer -metadata: - name: ` + policyServerName + ` -spec: - image: ghcr.io/kubewarden/policy-server:latest - replicas: 1` + ps := policiesv1.NewPolicyServerFactory().WithName(policyServerName).WithoutFinalizers().Build() + policyServerYAML := marshalPolicyServer(ps) malformedYAML := `this is not: valid: yaml: at: all` 
@@ -319,19 +240,18 @@ spec: Namespace: deploymentsNamespace, }, Data: map[string]string{ - "policyserver-default.yaml": policyServerYAML, - "malformed.yaml": malformedYAML, + "policyserver-default": policyServerYAML, + "malformed": malformedYAML, }, } Expect(k8sClient.Create(ctx, cm)).To(Succeed()) - // Wait for the valid PolicyServer to be created (malformed entry should be skipped) - ps := &policiesv1.PolicyServer{} + createdPS := &policiesv1.PolicyServer{} Eventually(func() error { - return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, ps) + return k8sClient.Get(ctx, types.NamespacedName{Name: policyServerName}, createdPS) }, timeout, pollInterval).Should(Succeed()) - Expect(ps.Labels).To(HaveKeyWithValue(constants.DefaultsManagedByLabelKey, constants.DefaultsManagedByLabelValue)) + Expect(createdPS.Labels).To(HaveKeyWithValue(constants.DefaultsManagedByLabelKey, constants.DefaultsManagedByLabelValue)) }) }) }) From e7aa7063d74871bac3c7452cf2a28a2ae8e9de5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 12:19:43 -0300 Subject: [PATCH 10/22] fix(chart): scope pre-delete hook to release namespace MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The pre-delete job was using -A (all namespaces) for kubectl delete of managed defaults resources. Scope it to the release namespace with -n to avoid deleting resources from other installations. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- .../templates/controller/pre-delete-hook.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/kubewarden-controller/templates/controller/pre-delete-hook.yaml b/charts/kubewarden-controller/templates/controller/pre-delete-hook.yaml index 39e273689..ae5a48538 100644 --- a/charts/kubewarden-controller/templates/controller/pre-delete-hook.yaml +++ b/charts/kubewarden-controller/templates/controller/pre-delete-hook.yaml 
@@ -36,7 +36,7 @@ spec:
 containers:
 - name: pre-delete-job
 image: '{{ template "system_default_registry" . }}{{ .Values.preDeleteJob.image.repository }}:{{ .Values.preDeleteJob.image.tag }}'
- command: ["kubectl", "delete", "policyservers,clusteradmissionpolicies,admissionpolicies,clusteradmissionpolicygroups,admissionpolicygroups", "-A", "-l", "kubewarden.io/managed-by=kubewarden-controller-defaults", "--ignore-not-found"]
+ command: ["kubectl", "delete", "policyservers,clusteradmissionpolicies,admissionpolicies,clusteradmissionpolicygroups,admissionpolicygroups", "-n", "{{ .Release.Namespace }}", "-l", "kubewarden.io/managed-by=kubewarden-controller-defaults", "--ignore-not-found"]
 env:
 - name: KUBERLR_ALLOWDOWNLOAD
 value: "1"
From 919f69898a13aa7517286e3ef6b55ad7d4575a7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 12:20:14 -0300 Subject: [PATCH 11/22] fix(chart): restore missing metadata and fix regressions in defaults templates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the kubewarden-defaults chart templates were migrated into the unified chart as ConfigMap-embedded YAML, several pieces were lost: standard Kubernetes labels (app.kubernetes.io/part-of, component, managed-by), additionalAnnotations passthrough, correct PolicyServer affinity resolution via policyServer.affinity, the crdVersion values field, and the CREATE-only operation constraint on the allow-privilege-escalation policy. This restores all of them to match the behavior of the old chart. Assisted-by: Claude Code 
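Review bot: `-n {{ .Release.Namespace }}` narrows only the namespaced kinds (`admissionpolicies`, `admissionpolicygroups`); `policyservers`, `clusteradmissionpolicies` and `clusteradmissionpolicygroups` are cluster-scoped (the tests in this series fetch them by bare name), and kubectl ignores the namespace flag for cluster-scoped resources, so the label selector still matches those objects from every installation that stamps `kubewarden.io/managed-by=kubewarden-controller-defaults`. Isolating installations would need a release-specific label on the managed objects — for example `app.kubernetes.io/instance: {{ .Release.Name }}` set by the defaults applier, which I could not verify it currently does — added to the `-l` selector here. Until then the commit message's goal is met only for the namespaced kinds, and a comment above the `command:` line saying so would stop the next reader from assuming otherwise.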
Signed-off-by: José Guilherme Vanz --- charts/kubewarden-controller/templates/_helpers.tpl | 8 ++++++++ .../defaults/policies/_allow-privilege-escalation.tpl | 9 +++++++-- .../templates/defaults/policies/_capabilities.tpl | 7 ++++++- .../templates/defaults/policies/_host-namespace.tpl | 7 ++++++- .../templates/defaults/policies/_host-paths.tpl | 7 ++++++- .../templates/defaults/policies/_pod-privileged.tpl | 9 +++++++-- .../defaults/policies/_policyserver-default.tpl | 10 ++++++++-- .../templates/defaults/policies/_user-group.tpl | 9 +++++++-- charts/kubewarden-controller/values.schema.json | 3 +++ charts/kubewarden-controller/values.yaml | 2 ++ 10 files changed, 60 insertions(+), 11 deletions(-) diff --git a/charts/kubewarden-controller/templates/_helpers.tpl b/charts/kubewarden-controller/templates/_helpers.tpl index e37a66b35..d076b5c16 100644 --- a/charts/kubewarden-controller/templates/_helpers.tpl +++ b/charts/kubewarden-controller/templates/_helpers.tpl @@ -281,6 +281,14 @@ namespaceSelector: {{- end }} {{- end -}} +{{- define "kubewarden-defaults.effectiveAffinity" -}} +{{- if .Values.policyServer.affinity -}} + {{- toYaml .Values.policyServer.affinity -}} +{{- else if .Values.global.affinity -}} + {{- toYaml .Values.global.affinity -}} +{{- end -}} +{{- end -}} + {{- define "kubewarden-controller.validateHostNetworkSidecar" -}} {{- if and .Values.hostNetwork (eq .Values.telemetry.mode "sidecar") (or .Values.telemetry.metrics .Values.telemetry.tracing) -}} {{- fail "hostNetwork and telemetry.mode=sidecar are incompatible: OpenTelemetry sidecar injection causes port conflicts in host-network mode. Use telemetry.mode=custom with a remote collector instead." -}} diff --git a/charts/kubewarden-controller/templates/defaults/policies/_allow-privilege-escalation.tpl b/charts/kubewarden-controller/templates/defaults/policies/_allow-privilege-escalation.tpl index 4e2f34232..5d3e3e2b0 100644 
--- a/charts/kubewarden-controller/templates/defaults/policies/_allow-privilege-escalation.tpl +++ b/charts/kubewarden-controller/templates/defaults/policies/_allow-privilege-escalation.tpl @@ -1,11 +1,16 @@ {{- define "kubewarden.defaults.allowPrivilegeEscalation" -}} -apiVersion: policies.kubewarden.io/v1 +apiVersion: {{ $.Values.crdVersion }} kind: ClusterAdmissionPolicy metadata: name: {{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.name }} + labels: + app.kubernetes.io/part-of: kubewarden + app.kubernetes.io/component: policy + app.kubernetes.io/managed-by: kubewarden-controller annotations: io.kubewarden.policy.severity: medium io.kubewarden.policy.category: PSP + {{- include "kubewarden-defaults.annotations" . | nindent 4 }} spec: mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }} failurePolicy: {{ include "policy_failure_policy" . | trim }} @@ -15,7 +20,7 @@ spec: - apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] - operations: ["CREATE", "UPDATE"] + operations: ["CREATE"] # kubernetes doesn't allow to add/remove privileged containers to an already running pod {{- include "policy-namespace-selector" . | nindent 2 }} settings: {{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.settings | toYaml | nindent 4 }} {{- end -}} diff --git a/charts/kubewarden-controller/templates/defaults/policies/_capabilities.tpl b/charts/kubewarden-controller/templates/defaults/policies/_capabilities.tpl index 500afbdf2..261c00573 100644 --- a/charts/kubewarden-controller/templates/defaults/policies/_capabilities.tpl +++ b/charts/kubewarden-controller/templates/defaults/policies/_capabilities.tpl 
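Review bot: The three `app.kubernetes.io/*` labels are pasted verbatim into this template and into `_capabilities.tpl`, `_host-namespace.tpl`, `_host-paths.tpl` and `_pod-privileged.tpl` below (and, going by the diffstat, presumably `_user-group.tpl`), whereas annotations already go through the `kubewarden-defaults.annotations` helper; a matching `{{- include "kubewarden-defaults.policyLabels" . | nindent 4 }}` in `_helpers.tpl` keeps the six copies from drifting. The `apiVersion` line also switches to `$.Values.crdVersion` while every other reference in the template uses `.Values`; inside a `define` invoked with `.` the two resolve to the same value, so `.Values.crdVersion` is the consistent spelling.

```yaml
{{- define "kubewarden-defaults.policyLabels" -}}
app.kubernetes.io/part-of: kubewarden
app.kubernetes.io/component: policy
app.kubernetes.io/managed-by: kubewarden-controller
{{- end -}}
```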
@@ -1,11 +1,16 @@ {{- define "kubewarden.defaults.capabilities" -}} -apiVersion: policies.kubewarden.io/v1 +apiVersion: {{ $.Values.crdVersion }} kind: ClusterAdmissionPolicy metadata: name: {{ .Values.recommendedPolicies.capabilitiesPolicy.name }} + labels: + app.kubernetes.io/part-of: kubewarden + app.kubernetes.io/component: policy + app.kubernetes.io/managed-by: kubewarden-controller annotations: io.kubewarden.policy.severity: medium io.kubewarden.policy.category: PSP + {{- include "kubewarden-defaults.annotations" . | nindent 4 }} spec: mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }} failurePolicy: {{ include "policy_failure_policy" . | trim }} diff --git a/charts/kubewarden-controller/templates/defaults/policies/_host-namespace.tpl b/charts/kubewarden-controller/templates/defaults/policies/_host-namespace.tpl index 9763cdf1b..81df133b3 100644 --- a/charts/kubewarden-controller/templates/defaults/policies/_host-namespace.tpl +++ b/charts/kubewarden-controller/templates/defaults/policies/_host-namespace.tpl @@ -1,11 +1,16 @@ {{- define "kubewarden.defaults.hostNamespace" -}} -apiVersion: policies.kubewarden.io/v1 +apiVersion: {{ $.Values.crdVersion }} kind: ClusterAdmissionPolicy metadata: name: {{ .Values.recommendedPolicies.hostNamespacePolicy.name }} + labels: + app.kubernetes.io/part-of: kubewarden + app.kubernetes.io/component: policy + app.kubernetes.io/managed-by: kubewarden-controller annotations: io.kubewarden.policy.severity: medium io.kubewarden.policy.category: PSP + {{- include "kubewarden-defaults.annotations" . | nindent 4 }} spec: mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }} failurePolicy: {{ include "policy_failure_policy" . | trim }} diff --git a/charts/kubewarden-controller/templates/defaults/policies/_host-paths.tpl b/charts/kubewarden-controller/templates/defaults/policies/_host-paths.tpl index d87a737d8..9eeb908f1 100644 
--- a/charts/kubewarden-controller/templates/defaults/policies/_host-paths.tpl +++ b/charts/kubewarden-controller/templates/defaults/policies/_host-paths.tpl @@ -1,11 +1,16 @@ {{- define "kubewarden.defaults.hostPaths" -}} -apiVersion: policies.kubewarden.io/v1 +apiVersion: {{ $.Values.crdVersion }} kind: ClusterAdmissionPolicy metadata: name: {{ .Values.recommendedPolicies.hostPathsPolicy.name }} + labels: + app.kubernetes.io/part-of: kubewarden + app.kubernetes.io/component: policy + app.kubernetes.io/managed-by: kubewarden-controller annotations: io.kubewarden.policy.severity: medium io.kubewarden.policy.category: PSP + {{- include "kubewarden-defaults.annotations" . | nindent 4 }} spec: mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }} failurePolicy: {{ include "policy_failure_policy" . | trim }} diff --git a/charts/kubewarden-controller/templates/defaults/policies/_pod-privileged.tpl b/charts/kubewarden-controller/templates/defaults/policies/_pod-privileged.tpl index b63fc5240..df02931bc 100644 --- a/charts/kubewarden-controller/templates/defaults/policies/_pod-privileged.tpl +++ b/charts/kubewarden-controller/templates/defaults/policies/_pod-privileged.tpl @@ -1,11 +1,16 @@ {{- define "kubewarden.defaults.podPrivileged" -}} -apiVersion: policies.kubewarden.io/v1 +apiVersion: {{ $.Values.crdVersion }} kind: ClusterAdmissionPolicy metadata: name: {{ .Values.recommendedPolicies.podPrivilegedPolicy.name }} + labels: + app.kubernetes.io/part-of: kubewarden + app.kubernetes.io/component: policy + app.kubernetes.io/managed-by: kubewarden-controller annotations: io.kubewarden.policy.severity: medium io.kubewarden.policy.category: PSP + {{- include "kubewarden-defaults.annotations" . | nindent 4 }} spec: mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }} failurePolicy: {{ include "policy_failure_policy" . | trim }} 
@@ -15,7 +20,7 @@ spec: - apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] - operations: ["CREATE"] + operations: ["CREATE"] # kubernetes doesn't allow to add/remove privileged containers to an already running pod - apiGroups: [""] apiVersions: ["v1"] resources: ["replicationcontrollers"] diff --git a/charts/kubewarden-controller/templates/defaults/policies/_policyserver-default.tpl b/charts/kubewarden-controller/templates/defaults/policies/_policyserver-default.tpl index 2316e47d2..01e3a4496 100644 --- a/charts/kubewarden-controller/templates/defaults/policies/_policyserver-default.tpl +++ b/charts/kubewarden-controller/templates/defaults/policies/_policyserver-default.tpl @@ -1,8 +1,14 @@ {{- define "kubewarden.defaults.policyserverDefault" -}} -apiVersion: policies.kubewarden.io/v1 +apiVersion: {{ $.Values.crdVersion }} kind: PolicyServer metadata: name: default + labels: + app.kubernetes.io/part-of: kubewarden + app.kubernetes.io/component: policy-server + app.kubernetes.io/managed-by: kubewarden-controller + annotations: + {{- include "kubewarden-defaults.annotations" . | nindent 4 }} finalizers: - kubewarden.io/finalizer spec: @@ -15,7 +21,7 @@ spec: {{- if .Values.policyServer.maxUnavailable }} maxUnavailable: {{ .Values.policyServer.maxUnavailable }} {{- end }} - {{- $affinity := include "kubewarden-controller.effectiveAffinity" . -}} + {{- $affinity := include "kubewarden-defaults.effectiveAffinity" . -}} {{- if $affinity }} affinity: {{ $affinity | nindent 4 }} {{- end }} diff --git a/charts/kubewarden-controller/templates/defaults/policies/_user-group.tpl b/charts/kubewarden-controller/templates/defaults/policies/_user-group.tpl index af3bb2e5c..b961ff3c9 100644 --- a/charts/kubewarden-controller/templates/defaults/policies/_user-group.tpl +++ b/charts/kubewarden-controller/templates/defaults/policies/_user-group.tpl 
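Review bot: In `_policyserver-default.tpl` the new `annotations:` key is emitted unconditionally, yet its only content is the `kubewarden-defaults.annotations` include; if that helper renders nothing (no additional annotations configured) the output is an `annotations:` key with an empty body, which the apiserver treats as a null map but which makes the rendered ConfigMap entry look malformed. The ClusterAdmissionPolicy templates do not have this issue because they already carry the severity and category annotations above the include. Guard it, e.g. `{{- with include "kubewarden-defaults.annotations" . }}` / `annotations:` / `{{ . | nindent 4 }}` / `{{- end }}`. The helper itself is not part of this series, so whether it can render empty is inferred from the ClusterAdmissionPolicy hunks, which use it the same way.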
@@ -1,11 +1,16 @@ {{- define "kubewarden.defaults.userGroup" -}} -apiVersion: policies.kubewarden.io/v1 +apiVersion: {{ $.Values.crdVersion }} kind: ClusterAdmissionPolicy metadata: name: {{ .Values.recommendedPolicies.userGroupPolicy.name }} + labels: + app.kubernetes.io/part-of: kubewarden + app.kubernetes.io/component: policy + app.kubernetes.io/managed-by: kubewarden-controller annotations: io.kubewarden.policy.severity: medium io.kubewarden.policy.category: PSP + {{- include "kubewarden-defaults.annotations" . | nindent 4 }} spec: mode: {{ .Values.recommendedPolicies.defaultPolicyMode | default "monitor" }} failurePolicy: {{ include "policy_failure_policy" . | trim }} @@ -15,7 +20,7 @@ spec: - apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] - operations: ["CREATE"] + operations: ["CREATE"] # kubernetes doesn't allow to add/remove privileged containers to an already running pod {{- include "policy-namespace-selector" . | nindent 2 }} settings: {{ .Values.recommendedPolicies.userGroupPolicy.settings | toYaml | nindent 4 }} {{- end -}} diff --git a/charts/kubewarden-controller/values.schema.json b/charts/kubewarden-controller/values.schema.json index 56f86b84e..04688f6eb 100644 --- a/charts/kubewarden-controller/values.schema.json +++ b/charts/kubewarden-controller/values.schema.json @@ -89,6 +89,9 @@ } } }, + "crdVersion": { + "type": "string" + }, "containerSecurityContext": { "type": "object", "properties": { diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml index 9c53cdf49..c4f71ad67 100644 --- a/charts/kubewarden-controller/values.yaml +++ b/charts/kubewarden-controller/values.yaml @@ -390,6 +390,8 @@ policy-reporter: # Defaults applier configuration defaultConfigMapName: kubewarden-defaults +# crdVersion is the apiVersion used for all default policy and PolicyServer resources +crdVersion: "policies.kubewarden.io/v1" # CRD installation toggles reportCRDs: 
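Review bot: `crdVersion` is added to `values.schema.json` as an unconstrained string and to `values.yaml` with a comment that does not say which values are supported, while the controller's stale-resource cleanup (the `cleanupStale` hunk in patch 16 of this series) enumerates only `Version: "v1"` GVKs. A user who overrides it, as the new unit test does with `policies.kubewarden.io/v1beta1`, gets default resources rendered under a version that cleanup never lists, so they would not be garbage-collected when removed from the ConfigMap. Either constrain the schema, e.g. `"crdVersion": { "type": "string", "pattern": "^policies\\.kubewarden\\.io/" }`, and state in the values comment that only versions the controller handles are valid, or document that limitation next to the value.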
From adc9a4ccbaed728740412595e40ef14701cff2e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 12:20:30 -0300 Subject: [PATCH 12/22] refactor(chart): restructure defaults configmap conditionals MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Wrap individual policy checks inside an outer if .Values.recommendedPolicies.enabled block instead of repeating the and condition on every entry. No behavior change. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- .../templates/defaults/defaults-configmap.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/charts/kubewarden-controller/templates/defaults/defaults-configmap.yaml b/charts/kubewarden-controller/templates/defaults/defaults-configmap.yaml index f959a85bb..d8dc7fba3 100644 --- a/charts/kubewarden-controller/templates/defaults/defaults-configmap.yaml +++ b/charts/kubewarden-controller/templates/defaults/defaults-configmap.yaml 
@@ -14,28 +14,30 @@ data: policyserver-default.yaml: | {{- include "kubewarden.defaults.policyserverDefault" . | nindent 4 }} {{- end }} - {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.allowPrivilegeEscalationPolicy }} + {{- if .Values.recommendedPolicies.enabled }} + {{- if .Values.recommendedPolicies.allowPrivilegeEscalationPolicy }} allow-privilege-escalation.yaml: | {{- include "kubewarden.defaults.allowPrivilegeEscalation" . | nindent 4 }} {{- end }} - {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.capabilitiesPolicy }} + {{- if .Values.recommendedPolicies.capabilitiesPolicy }} capabilities.yaml: | {{- include "kubewarden.defaults.capabilities" . | nindent 4 }} {{- end }} - {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.hostNamespacePolicy }} + {{- if .Values.recommendedPolicies.hostNamespacePolicy }} host-namespace.yaml: | {{- include "kubewarden.defaults.hostNamespace" . | nindent 4 }} {{- end }} - {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.hostPathsPolicy }} + {{- if .Values.recommendedPolicies.hostPathsPolicy }} host-paths.yaml: | {{- include "kubewarden.defaults.hostPaths" . | nindent 4 }} {{- end }} - {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.podPrivilegedPolicy }} + {{- if .Values.recommendedPolicies.podPrivilegedPolicy }} pod-privileged.yaml: | {{- include "kubewarden.defaults.podPrivileged" . | nindent 4 }} {{- end }} - {{- if and .Values.recommendedPolicies.enabled .Values.recommendedPolicies.userGroupPolicy }} + {{- if .Values.recommendedPolicies.userGroupPolicy }} user-group.yaml: | {{- include "kubewarden.defaults.userGroup" . | nindent 4 }} {{- end }} + {{- end }} {{- end }} From 901b67f221dc63c113de7154d94cf027534ec1a5 Mon Sep 17 00:00:00 2001 
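Review bot: After this refactor the file ends with three consecutive `{{- end }}` lines at the same indentation, and a reader has to count back to find which `if` each one closes. A trailing comment on the newly added close, `{{- end }}{{/* recommendedPolicies.enabled */}}`, keeps the nesting readable without changing output. The final `{{- end }}` closes a conditional opened before this hunk.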
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 12:20:50 -0300 Subject: [PATCH 13/22] feat(chart): consolidate NOTES.txt with content from old charts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The unified chart NOTES.txt was missing content from the old kubewarden-crds and kubewarden-defaults charts. Add CRD listing, PolicyServer confirmation, recommended policies summary, monitor mode note, and documentation links so users see all relevant information after a single helm install. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- .../templates/controller/NOTES.txt | 59 +++++++++++++++++-- 1 file changed, 54 insertions(+), 5 deletions(-) diff --git a/charts/kubewarden-controller/templates/controller/NOTES.txt b/charts/kubewarden-controller/templates/controller/NOTES.txt index 5bffc429a..63d0dc2a8 100644 --- a/charts/kubewarden-controller/templates/controller/NOTES.txt +++ b/charts/kubewarden-controller/templates/controller/NOTES.txt 
@@ -1,19 +1,68 @@ +Kubewarden CRDs now available: + clusteradmissionpolicies.policies.kubewarden.io + admissionpolicies.policies.kubewarden.io + clusteradmissionpolicygroups.policies.kubewarden.io + admissionpolicygroups.policies.kubewarden.io + policyservers.policies.kubewarden.io +{{- if .Values.reportCRDs.installPolicyReportCRDs }} + +Policy report CRDs now available: + policyreports.wgpolicyk8s.io + clusterpolicyreports.wgpolicyk8s.io + + **WARNING**: + PolicyReport CRDs are deprecated and will be dropped in a future release. +{{- end }} +{{- if .Values.reportCRDs.installOpenReportsCRDs }} + +OpenReport CRDs now available: + reports.openreports.io + clusterreports.openreports.io +{{- end }} + You can now start defining admission policies by using the cluster-wide `clusteradmissionpolicies.policies.kubewarden.io` or the namespaced `admissionpolicies.policies.kubewarden.io` resources. +{{- if .Values.policyServer.enabled }} + +You now have a `PolicyServer` named `default` running in your cluster. +It is ready to run any `clusteradmissionpolicies.policies.kubewarden.io` or +`admissionpolicies.policies.kubewarden.io` resources. +{{- end }} +{{- if .Values.recommendedPolicies.enabled }} -For more information check out https://docs.kubewarden.io. 
+Installed recommended policies: +- {{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.name }} + module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.repository }}:{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag }} +- {{ .Values.recommendedPolicies.hostNamespacePolicy.name }} + module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.hostNamespacePolicy.module.repository }}:{{ .Values.recommendedPolicies.hostNamespacePolicy.module.tag }} +- {{ .Values.recommendedPolicies.podPrivilegedPolicy.name }} + module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.repository }}:{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.tag }} +- {{ .Values.recommendedPolicies.userGroupPolicy.name }} + module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.userGroupPolicy.module.repository }}:{{ .Values.recommendedPolicies.userGroupPolicy.module.tag }} +- {{ .Values.recommendedPolicies.hostPathsPolicy.name }} + module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.hostPathsPolicy.module.repository }}:{{ .Values.recommendedPolicies.hostPathsPolicy.module.tag }} +- {{ .Values.recommendedPolicies.capabilitiesPolicy.name }} + module: registry://{{ .Values.global.cattle.systemDefaultRegistry}}/{{ .Values.recommendedPolicies.capabilitiesPolicy.module.repository }}:{{ .Values.recommendedPolicies.capabilitiesPolicy.module.tag }} +{{- if eq .Values.recommendedPolicies.defaultPolicyMode "monitor" }} -🚀 **Kubewarden is applying to become a CNCF incubation project!** 🚀 +Note: all these policies have been installed in `monitor` mode, you can enforce them +by changing their `mode` to `protect`. 
+{{- end }} +{{- end }} -If you'd like to support us, we'd love to hear from you as one of our adopters. +For more information check out https://docs.kubewarden.io/quick-start. +Discover ready to use policies at https://artifacthub.io/packages/search?kind=13. -Adopters can be public or private. +🚀 **Kubewarden is applying to become a CNCF incubation project!** 🚀 + +If you'd like to support us, we'd love to hear from you as one of our adopters. + +Adopters can be public or private. Learn how to add your organization as a Kubewarden adopter by checking out the ADOPTERS.md file here: https://github.com/kubewarden/community/blob/main/ADOPTERS.md - {{ if .Values.hostNetwork }} ⚠️ WARNING ⚠️ Host Network is enabled. Ensure you set appropriate podAntiAffinity rules to From 3e551807495c2bb5680677837b882a212401620e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 12:21:07 -0300 Subject: [PATCH 14/22] test(chart): add helm unit tests for defaults configmap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Verify labels, annotations, affinity precedence, crdVersion usage, operations constraints, and the recommendedPolicies.enabled gate on the defaults ConfigMap. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- .../tests/defaults_configmap_test.yaml | 227 ++++++++++++++++++ 1 file changed, 227 insertions(+) create mode 100644 charts/kubewarden-controller/tests/defaults_configmap_test.yaml diff --git a/charts/kubewarden-controller/tests/defaults_configmap_test.yaml b/charts/kubewarden-controller/tests/defaults_configmap_test.yaml new file mode 100644 index 000000000..2dca734a7 --- /dev/null +++ b/charts/kubewarden-controller/tests/defaults_configmap_test.yaml 
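Review bot: The "Installed recommended policies:" list prints all six policies whenever `recommendedPolicies.enabled` is true, but the defaults ConfigMap in patch 12 renders each one only if its own `recommendedPolicies.<name>Policy` value is truthy, so NOTES can claim a policy that was never installed; wrap each entry in the same per-policy `{{- if }}` the ConfigMap uses. The monitor-mode notice is gated on `eq .Values.recommendedPolicies.defaultPolicyMode "monitor"`, while the policy templates apply `| default "monitor"`, so an unset value yields monitor-mode policies without the notice; use `{{- if eq (.Values.recommendedPolicies.defaultPolicyMode | default "monitor") "monitor" }}`. `{{ .Values.global.cattle.systemDefaultRegistry}}` would fail the whole render with a nil-pointer error if `global.cattle` were absent from values; presumably `values.yaml` defines it, but that is not visible here.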
@@ -0,0 +1,227 @@ +suite: defaults configmap configuration +templates: + - defaults/defaults-configmap.yaml +tests: + - it: "policy templates should have app.kubernetes.io labels" + set: + policyServer.enabled: true + recommendedPolicies.enabled: true + asserts: + - matchRegex: + path: data["allow-privilege-escalation.yaml"] + pattern: "app.kubernetes.io/part-of: kubewarden" + - matchRegex: + path: data["allow-privilege-escalation.yaml"] + pattern: "app.kubernetes.io/component: policy" + - matchRegex: + path: data["allow-privilege-escalation.yaml"] + pattern: "app.kubernetes.io/managed-by: kubewarden-controller" + - matchRegex: + path: data["capabilities.yaml"] + pattern: "app.kubernetes.io/component: policy" + - matchRegex: + path: data["host-namespace.yaml"] + pattern: "app.kubernetes.io/component: policy" + - matchRegex: + path: data["host-paths.yaml"] + pattern: "app.kubernetes.io/component: policy" + - matchRegex: + path: data["pod-privileged.yaml"] + pattern: "app.kubernetes.io/component: policy" + - matchRegex: + path: data["user-group.yaml"] + pattern: "app.kubernetes.io/component: policy" + + - it: "PolicyServer template should use component policy-server" + set: + policyServer.enabled: true + asserts: + - matchRegex: + path: data["policyserver-default.yaml"] + pattern: "app.kubernetes.io/part-of: kubewarden" + - matchRegex: + path: data["policyserver-default.yaml"] + pattern: "app.kubernetes.io/component: policy-server" + - matchRegex: + path: data["policyserver-default.yaml"] + pattern: "app.kubernetes.io/managed-by: kubewarden-controller" + + - it: "should include additionalAnnotations in policy templates" + set: + policyServer.enabled: true + recommendedPolicies.enabled: true + additionalAnnotations: + custom-annotation: custom-value + asserts: + - matchRegex: + path: data["allow-privilege-escalation.yaml"] + pattern: "custom-annotation: custom-value" + - matchRegex: + path: data["capabilities.yaml"] + pattern: "custom-annotation: custom-value" + - 
matchRegex: + path: data["host-namespace.yaml"] + pattern: "custom-annotation: custom-value" + - matchRegex: + path: data["host-paths.yaml"] + pattern: "custom-annotation: custom-value" + - matchRegex: + path: data["pod-privileged.yaml"] + pattern: "custom-annotation: custom-value" + - matchRegex: + path: data["user-group.yaml"] + pattern: "custom-annotation: custom-value" + + - it: "should include additionalAnnotations in PolicyServer template" + set: + policyServer.enabled: true + additionalAnnotations: + custom-annotation: custom-value + asserts: + - matchRegex: + path: data["policyserver-default.yaml"] + pattern: "custom-annotation: custom-value" + + - it: "should use policyServer.affinity in PolicyServer template" + set: + policyServer.enabled: true + policyServer.affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + asserts: + - matchRegex: + path: data["policyserver-default.yaml"] + pattern: "nodeAffinity" + + - it: "should fallback to global.affinity for PolicyServer when policyServer.affinity is not set" + set: + policyServer.enabled: true + policyServer.affinity: {} + global.affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + asserts: + - matchRegex: + path: data["policyserver-default.yaml"] + pattern: "nodeAffinity" + + - it: "should prefer policyServer.affinity over global.affinity" + set: + policyServer.enabled: true + policyServer.affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: custom-ps-label + operator: In + values: + - ps-value + global.affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: global-label + operator: In + values: + - global-value 
+ asserts: + - matchRegex: + path: data["policyserver-default.yaml"] + pattern: "custom-ps-label" + - notMatchRegex: + path: data["policyserver-default.yaml"] + pattern: "global-label" + + - it: "should use crdVersion as apiVersion in all templates" + set: + policyServer.enabled: true + recommendedPolicies.enabled: true + crdVersion: "policies.kubewarden.io/v1" + asserts: + - matchRegex: + path: data["policyserver-default.yaml"] + pattern: "apiVersion: policies.kubewarden.io/v1" + - matchRegex: + path: data["allow-privilege-escalation.yaml"] + pattern: "apiVersion: policies.kubewarden.io/v1" + - matchRegex: + path: data["capabilities.yaml"] + pattern: "apiVersion: policies.kubewarden.io/v1" + - matchRegex: + path: data["host-namespace.yaml"] + pattern: "apiVersion: policies.kubewarden.io/v1" + - matchRegex: + path: data["host-paths.yaml"] + pattern: "apiVersion: policies.kubewarden.io/v1" + - matchRegex: + path: data["pod-privileged.yaml"] + pattern: "apiVersion: policies.kubewarden.io/v1" + - matchRegex: + path: data["user-group.yaml"] + pattern: "apiVersion: policies.kubewarden.io/v1" + + - it: "should use custom crdVersion when overridden" + set: + policyServer.enabled: true + recommendedPolicies.enabled: true + crdVersion: "policies.kubewarden.io/v1beta1" + asserts: + - matchRegex: + path: data["policyserver-default.yaml"] + pattern: "apiVersion: policies.kubewarden.io/v1beta1" + - matchRegex: + path: data["allow-privilege-escalation.yaml"] + pattern: "apiVersion: policies.kubewarden.io/v1beta1" + + - it: "allow-privilege-escalation should only have CREATE operation" + set: + recommendedPolicies.enabled: true + asserts: + - matchRegex: + path: data["allow-privilege-escalation.yaml"] + pattern: 'operations: \["CREATE"\]' + - notMatchRegex: + path: data["allow-privilege-escalation.yaml"] + pattern: "UPDATE" + + - it: "should not render policy entries when recommendedPolicies.enabled is false" + set: + policyServer.enabled: true + recommendedPolicies.enabled: 
false + asserts: + - notExists: + path: data["allow-privilege-escalation.yaml"] + - notExists: + path: data["capabilities.yaml"] + - notExists: + path: data["host-namespace.yaml"] + - notExists: + path: data["host-paths.yaml"] + - notExists: + path: data["pod-privileged.yaml"] + - notExists: + path: data["user-group.yaml"] + - exists: + path: data["policyserver-default.yaml"] + + - it: "should not render ConfigMap when both policyServer and recommendedPolicies are disabled" + set: + policyServer.enabled: false + recommendedPolicies.enabled: false + asserts: + - hasDocuments: + count: 0 From 870012cb726b565a5e855bb592de3617bf230440 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 12:38:31 -0300 Subject: [PATCH 15/22] style(controller): fix linter warnings in defaults applier MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove trailing blank line flagged by goimports and rename cap parameter to policy to avoid shadowing the predeclared cap identifier. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- internal/controller/defaults_applier.go | 1 - 1 file changed, 1 deletion(-) diff --git a/internal/controller/defaults_applier.go b/internal/controller/defaults_applier.go index 4c69ca243..c71aa771b 100644 --- a/internal/controller/defaults_applier.go +++ b/internal/controller/defaults_applier.go @@ -223,4 +223,3 @@ func (rk resourceKey) String() string { } return fmt.Sprintf("%s/%s/%s", rk.gvk, rk.namespace, rk.name) } - From 0d866ba76893f8a7a8a1565944a40970eb9a13c8 Mon Sep 17 00:00:00 2001 
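Review bot: No case renders the PolicyServer entry with `additionalAnnotations` unset, which is exactly the input where `_policyserver-default.tpl` emits an `annotations:` key with an empty body; add a test that sets only `policyServer.enabled: true` and asserts `data["policyserver-default.yaml"]` still contains `finalizers:` and parses as a single document. The "should use crdVersion as apiVersion" case sets `crdVersion` to the chart default, so it cannot distinguish the new template from the old hardcoded value; the `v1beta1` case below it is the one that does, and the first case could simply omit the `set`.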
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 14:35:40 -0300 Subject: [PATCH 16/22] fix(controller): extract policies group string into constant MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The repeated "policies.kubewarden.io" string in cleanupStale triggered a goconst lint violation. Move it to constants.KubewardenPoliciesGroup and reference that from the GVK list. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- internal/constants/constants.go | 2 ++ internal/controller/defaults_applier.go | 10 +++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/internal/constants/constants.go b/internal/constants/constants.go index 1cca92650..3d6678ab8 100644 --- a/internal/constants/constants.go +++ b/internal/constants/constants.go @@ -56,6 +56,8 @@ const ( PolicyServerIndexKey = ".spec.policyServer" + KubewardenPoliciesGroup = "policies.kubewarden.io" + KubewardenFinalizerPre114 = "kubewarden" KubewardenFinalizer = "kubewarden.io/finalizer" diff --git a/internal/controller/defaults_applier.go b/internal/controller/defaults_applier.go index c71aa771b..ea9635058 100644 --- a/internal/controller/defaults_applier.go +++ b/internal/controller/defaults_applier.go 
@@ -170,11 +170,11 @@ func (r *DefaultsApplierReconciler) cleanupStale(ctx context.Context, desired ma
 }
 gvks := []schema.GroupVersionKind{
-{Group: "policies.kubewarden.io", Version: "v1", Kind: "PolicyServerList"},
-{Group: "policies.kubewarden.io", Version: "v1", Kind: "ClusterAdmissionPolicyList"},
-{Group: "policies.kubewarden.io", Version: "v1", Kind: "AdmissionPolicyList"},
-{Group: "policies.kubewarden.io", Version: "v1", Kind: "ClusterAdmissionPolicyGroupList"},
-{Group: "policies.kubewarden.io", Version: "v1", Kind: "AdmissionPolicyGroupList"},
+{Group: constants.KubewardenPoliciesGroup, Version: "v1", Kind: "PolicyServerList"},
+{Group: constants.KubewardenPoliciesGroup, Version: "v1", Kind: "ClusterAdmissionPolicyList"},
+{Group: constants.KubewardenPoliciesGroup, Version: "v1", Kind: "AdmissionPolicyList"},
+{Group: constants.KubewardenPoliciesGroup, Version: "v1", Kind: "ClusterAdmissionPolicyGroupList"},
+{Group: constants.KubewardenPoliciesGroup, Version: "v1", Kind: "AdmissionPolicyGroupList"},
 }
 for _, gvk := range gvks {
From b40c428eeb0cfbb8abdbc398c4c397dde1d183a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 14:35:56 -0300 Subject: [PATCH 17/22] style: reformat values.schema.json MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz
---
 charts/kubewarden-controller/values.schema.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/kubewarden-controller/values.schema.json b/charts/kubewarden-controller/values.schema.json
index 04688f6eb..c23935404 100644
--- a/charts/kubewarden-controller/values.schema.json
+++ b/charts/kubewarden-controller/values.schema.json
@@ -89,9 +89,6 @@
 }
 }
 },
- "crdVersion": {
- "type": "string"
- },
 "containerSecurityContext": {
 "type": "object",
 "properties": {
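Review bot: `Version: "v1"` is still repeated on all five entries after the group string was hoisted, and this list is the single place in the series that fixes which API version stale resources are looked up under, so it deserves to be written once and commented. Building the slice from a list of kinds over one shared `schema.GroupVersion` keeps group and version in exactly one place and gives the comment a natural home. The rest of `cleanupStale` lies outside this hunk.
```go
	// Only v1 of the policies group is enumerated here; resources the chart renders
	// under a different crdVersion are not seen by stale cleanup.
	policiesV1 := schema.GroupVersion{Group: constants.KubewardenPoliciesGroup, Version: "v1"}
	var gvks []schema.GroupVersionKind
	for _, kind := range []string{
		"PolicyServerList",
		"ClusterAdmissionPolicyList",
		"AdmissionPolicyList",
		"ClusterAdmissionPolicyGroupList",
		"AdmissionPolicyGroupList",
	} {
		gvks = append(gvks, policiesV1.WithKind(kind))
	}
	// … unchanged: loop over gvks …
```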
@@ -111,6 +108,9 @@ } } }, + "crdVersion": { + "type": "string" + }, "defaultConfigMapName": { "type": "string" }, From eee75e38a9a7f71529940d2c23bd68893a154fac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 15:12:50 -0300 Subject: [PATCH 18/22] fix: update Tiltfile for unified chart resource names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The unified chart changed the deployment name to kubewarden-kubewarden-controller and moved the default PolicyServer into the defaults ConfigMap instead of rendering it directly. Update the k8s_resource references, add report CRDs to the kubewarden-crds group, point restart_policy_server at the controller dependency, and suppress the unused policy-server image warning since Tilt cannot see the dynamically created PolicyServer. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- Tiltfile | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/Tiltfile b/Tiltfile index 7ef85de8c..f297138de 100644 --- a/Tiltfile +++ b/Tiltfile @@ -1,8 +1,6 @@ tilt_settings_file = "./tilt-settings.yaml" settings = read_yaml(tilt_settings_file) -update_settings(k8s_upsert_timeout_secs=300) - # Create the kubewarden namespace # This is required since the helm() function doesn't support the create_namespace flag load("ext://namespace", "namespace_create") @@ -14,6 +12,11 @@ controller_image = settings.get("controller").get("image") audit_scanner_image = settings.get("audit-scanner").get("image") policy_server_image = settings.get("policy-server").get("image") +update_settings( + k8s_upsert_timeout_secs=300, + suppress_unused_image_warnings=[registry + "/" + policy_server_image], +) + kubewarden_yaml = helm( "./charts/kubewarden-controller", name="kubewarden", 
@@ -44,22 +47,20 @@ k8s_resource( 'clusteradmissionpolicies.policies.kubewarden.io:CustomResourceDefinition', 'admissionpolicygroups.policies.kubewarden.io:CustomResourceDefinition', 'clusteradmissionpolicygroups.policies.kubewarden.io:CustomResourceDefinition', + 'clusterreports.openreports.io:CustomResourceDefinition', + 'reports.openreports.io:CustomResourceDefinition', + 'clusterpolicyreports.wgpolicyk8s.io:CustomResourceDefinition', + 'policyreports.wgpolicyk8s.io:CustomResourceDefinition', ], ) # Wait for controller deployment to be ready k8s_resource( - 'kubewarden:deployment', + 'kubewarden-kubewarden-controller', new_name='kubewarden-controller', resource_deps=['kubewarden-crds'], ) -# Default PolicyServer resource dependency -k8s_resource( - 'default', - resource_deps=['kubewarden-controller', 'policy_server_tilt'], -) - # Tell tilt about the image used by the PolicyServer CRD # so that it can update it when needed k8s_kind("PolicyServer", image_json_path='{.spec.image}') @@ -158,10 +159,11 @@ docker_build( ) # Trigger PolicyServer pod restart by updating annotations when image changes -# Runs automatically whenever the policy-server image is rebuilt +# The default PolicyServer is created by the controller from the defaults ConfigMap, +# so we depend on the controller being ready before patching. local_resource( "restart_policy_server", "kubectl get policyserver default >/dev/null 2>&1 && kubectl patch policyserver default --type=merge -p '{\"spec\":{\"annotations\":{\"restart\":\"'$(date +%s)'\"}}}' || true", - resource_deps=["default"], + resource_deps=["kubewarden-controller"], trigger_mode=TRIGGER_MODE_AUTO, ) From fcc3169d9f1dd8787b44b6d46f284aa2b624af66 Mon Sep 17 00:00:00 2001 
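Review bot: `restart_policy_server` now depends only on `kubewarden-controller`, but per the new comment the default PolicyServer is created asynchronously by the controller from the ConfigMap, and the command's `|| true` swallows the case where `kubectl get policyserver default` fails because the object does not exist yet, so the first run after an image rebuild can silently do nothing. A bounded wait before the patch closes that window, e.g. prefixing the command with `for i in $(seq 1 30); do kubectl get policyserver default >/dev/null 2>&1 && break; sleep 2; done;`. With the `'default'` k8s_resource removed, Tilt also no longer surfaces PolicyServer readiness in its UI; if that was relied on, a `k8s_resource` keyed on the object created by the controller may still be possible, though I cannot confirm from this hunk how Tilt tracks it.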
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 16:22:45 -0300 Subject: [PATCH 19/22] fix(e2e): remove redundant policyServer.enabled flag from helm install MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The default PolicyServer is already enabled by default in the unified chart values. Setting it explicitly in the e2e test setup is unnecessary. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- e2e/main_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/e2e/main_test.go b/e2e/main_test.go index a814d9cd6..e1e380780 100644 --- a/e2e/main_test.go +++ b/e2e/main_test.go @@ -60,7 +60,6 @@ func TestMain(m *testing.M) { "--set", "policyServer.image.tag=dev", "--set", "logLevel=debug", "--set", "auditScanner.logLevel=debug", - "--set", "policyServer.enabled=true", ), ) if err != nil { From 0d16b240eb243c380e375c9fccac2654ebcfa82b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Thu, 21 May 2026 17:00:31 -0300 Subject: [PATCH 20/22] fix: update helm value paths in scripts for unified chart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The unified chart flattened the values hierarchy: defaults.policyServer.* became policyServer.*, defaults.recommendedPolicies.* became recommendedPolicies.*, and controller.replicas became replicas. The deployment name changed to kubewarden-kubewarden-controller via the fullname template. Assisted-by: Claude Code Signed-off-by: José Guilherme Vanz --- scripts/test-sigstore-e2e.sh | 36 ++++++++++++++--------------- scripts/validate-hauler-manifest.sh | 14 +++++------ 2 files changed, 24 insertions(+), 26 deletions(-) diff --git a/scripts/test-sigstore-e2e.sh b/scripts/test-sigstore-e2e.sh index b0a0699fc..4e875b522 100755 --- a/scripts/test-sigstore-e2e.sh +++ b/scripts/test-sigstore-e2e.sh 
@@ -401,11 +401,11 @@ function install_kubewarden() {
 echo -e "${GREEN} Installing kubewarden-controller (unified chart)...${NC}"
 helm upgrade --install kubewarden-controller ./charts/kubewarden-controller \
 -n "$KUBEWARDEN_NAMESPACE" \
- --set controller.replicas=1 \
+ --set replicas=1 \
 --wait
 echo -e "${GREEN} Waiting for adm-controller rollout...${NC}"
- kubectl rollout status deployment/kubewarden-controller \
+ kubectl rollout status deployment/kubewarden-kubewarden-controller \
 -n "$KUBEWARDEN_NAMESPACE" --timeout=3m
 }
@@ -414,8 +414,8 @@ function build_image_flags() {
 # policy-server image when POLICY_SERVER_IMAGE is set.
 IMAGE_FLAGS=()
 if [[ -n "${POLICY_SERVER_IMAGE}" ]]; then
- IMAGE_FLAGS+=(--set "defaults.policyServer.image.repository=${POLICY_SERVER_IMAGE%:*}")
- IMAGE_FLAGS+=(--set "defaults.policyServer.image.tag=${POLICY_SERVER_IMAGE##*:}")
+ IMAGE_FLAGS+=(--set "policyServer.image.repository=${POLICY_SERVER_IMAGE%:*}")
+ IMAGE_FLAGS+=(--set "policyServer.image.tag=${POLICY_SERVER_IMAGE##*:}")
 fi
 }
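Review bot: The rollout check now hardcodes `deployment/kubewarden-kubewarden-controller` while this function installs the release as `kubewarden-controller`; if the chart's fullname helper follows the usual convention of collapsing to the release name when it already contains the chart name, the Deployment will be called `kubewarden-controller` and this `kubectl rollout status` will block for the full 3m timeout and then fail. The commit message derives `kubewarden-kubewarden-controller` from a release named `kubewarden`, which is not the name used here, so this is worth confirming against the helper. Since the preceding `helm upgrade --install ... --wait` already blocks until the Deployment is ready, the name-dependent check could be dropped, or the name kept in one variable shared with the other call sites in this script.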
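Review bot: `${POLICY_SERVER_IMAGE%:*}` and `${POLICY_SERVER_IMAGE##*:}` split on the last colon, so a reference without a tag but with a registry port (this script itself targets `registry.local:5001`) would set `repository` to the registry host and `tag` to the rest of the path, and a digest reference would put the hex digest into `tag`. A one-line guard before the two `--set` lines keeps that failure loud instead of producing a silently wrong install: `[[ "${POLICY_SERVER_IMAGE##*/}" == *:* && "${POLICY_SERVER_IMAGE}" != *@* ]] || { echo "POLICY_SERVER_IMAGE must be repository:tag" >&2; exit 1; }`. The function's opening line and first comment line precede the hunk.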
@@ -441,15 +441,14 @@ function configure_policy_server() {
 helm upgrade --install kubewarden-controller ./charts/kubewarden-controller \
 -n "$KUBEWARDEN_NAMESPACE" \
- --set controller.replicas=1 \
- --set defaults.enabled=true \
- --set 'defaults.policyServer.sigstoreTrustConfig'="$SIGSTORE_TRUST_CONFIGMAP" \
- --set 'defaults.policyServer.verificationConfig'="$VERIFICATION_CONFIGMAP" \
- --set 'defaults.policyServer.insecureSources[0]=registry.local:5001' \
- --set 'defaults.policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL' \
- --set 'defaults.policyServer.env[0].value=info' \
- --set 'defaults.policyServer.env[1].name=RUST_BACKTRACE' \
- --set 'defaults.policyServer.env[1].value=1' \
+ --set replicas=1 \
+ --set 'policyServer.sigstoreTrustConfig'="$SIGSTORE_TRUST_CONFIGMAP" \
+ --set 'policyServer.verificationConfig'="$VERIFICATION_CONFIGMAP" \
+ --set 'policyServer.insecureSources[0]=registry.local:5001' \
+ --set 'policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL' \
+ --set 'policyServer.env[0].value=info' \
+ --set 'policyServer.env[1].name=RUST_BACKTRACE' \
+ --set 'policyServer.env[1].value=1' \
 "${image_flags[@]}" \
 --wait
 # Policy-server readiness is confirmed when the ClusterAdmissionPolicy
@@ -465,12 +464,11 @@ function install_kubewarden_no_sigstore() {
 helm upgrade --install kubewarden-controller ./charts/kubewarden-controller \
 -n "$KUBEWARDEN_NAMESPACE" \
- --set controller.replicas=1 \
- --set defaults.enabled=true \
- --set 'defaults.policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL' \
- --set 'defaults.policyServer.env[0].value=info' \
- --set 'defaults.policyServer.env[1].name=RUST_BACKTRACE' \
- --set 'defaults.policyServer.env[1].value=1' \
+ --set replicas=1 \
+ --set 'policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL' \
+ --set 'policyServer.env[0].value=info' \
+ --set 'policyServer.env[1].name=RUST_BACKTRACE' \
+ --set 'policyServer.env[1].value=1' \
 "${image_flags[@]}" \
 --wait
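Review bot: After this change `configure_policy_server` and `install_kubewarden_no_sigstore` (the hunk at line 465) issue the same `helm upgrade --install` invocation and differ only in the three sigstore-related `--set` lines, so the shared flags (`replicas=1`, the `KUBEWARDEN_LOG_LEVEL`/`RUST_BACKTRACE` env entries, `"${image_flags[@]}"`, `--wait`) are now maintained in two places — the kind of drift this commit is itself correcting. A small helper that appends caller-supplied extra `--set` arguments to one shared flag list would let both functions share it. Both functions begin before their hunks, and `configure_policy_server` continues after this one.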
diff --git a/scripts/validate-hauler-manifest.sh b/scripts/validate-hauler-manifest.sh
index 53505163d..c27781234 100755
--- a/scripts/validate-hauler-manifest.sh
+++ b/scripts/validate-hauler-manifest.sh
@@ -83,7 +83,7 @@ AUDIT_SCANNER_HAULER_VERSION=$(get_hauler_image_version "adm-controller/audit-sc
 compare_version "audit-scanner" "$AUDIT_SCANNER_CHART_VERSION" "$AUDIT_SCANNER_HAULER_VERSION" "$CONTROLLER_VALUES"
 # Validate policy-server image
-POLICY_SERVER_CHART_VERSION=$(yq eval '.defaults.policyServer.image.tag' "$CONTROLLER_VALUES")
+POLICY_SERVER_CHART_VERSION=$(yq eval '.policyServer.image.tag' "$CONTROLLER_VALUES")
 POLICY_SERVER_HAULER_VERSION=$(get_hauler_image_version "adm-controller/policy-server")
 compare_version "policy-server" "$POLICY_SERVER_CHART_VERSION" "$POLICY_SERVER_HAULER_VERSION" "$CONTROLLER_VALUES"
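Review bot: `yq eval '.policyServer.image.tag'` prints the literal string `null` when the key is absent, so a mistyped or moved value path — exactly what this commit is correcting — reaches `compare_version` as the version `null` instead of failing at the lookup; the same applies to every `.recommendedPolicies.*.module.tag` lookup in the hunk at line 124. This script's policy-reporter lookup already uses `yq -e eval`, so making these consistent is a one-token change: `POLICY_SERVER_CHART_VERSION=$(yq -e eval '.policyServer.image.tag' "$CONTROLLER_VALUES")`.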
@@ -124,32 +124,32 @@ echo "==============================="
 echo
 # Validate allow-privilege-escalation-psp policy
-POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag' "$CONTROLLER_VALUES")
+POLICY_VERSION=$(yq eval '.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag' "$CONTROLLER_VALUES")
 HAULER_VERSION=$(get_hauler_image_version "policies/allow-privilege-escalation-psp")
 compare_version "allow-privilege-escalation-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES"
 # Validate capabilities-psp policy
-POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.capabilitiesPolicy.module.tag' "$CONTROLLER_VALUES")
+POLICY_VERSION=$(yq eval '.recommendedPolicies.capabilitiesPolicy.module.tag' "$CONTROLLER_VALUES")
 HAULER_VERSION=$(get_hauler_image_version "policies/capabilities-psp")
 compare_version "capabilities-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES"
 # Validate host-namespaces-psp policy
-POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.hostNamespacePolicy.module.tag' "$CONTROLLER_VALUES")
+POLICY_VERSION=$(yq eval '.recommendedPolicies.hostNamespacePolicy.module.tag' "$CONTROLLER_VALUES")
 HAULER_VERSION=$(get_hauler_image_version "policies/host-namespaces-psp")
 compare_version "host-namespaces-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES"
 # Validate hostpaths-psp policy
-POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.hostPathsPolicy.module.tag' "$CONTROLLER_VALUES")
+POLICY_VERSION=$(yq eval '.recommendedPolicies.hostPathsPolicy.module.tag' "$CONTROLLER_VALUES")
 HAULER_VERSION=$(get_hauler_image_version "policies/hostpaths-psp")
 compare_version "hostpaths-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES"
 # Validate pod-privileged policy
-POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.podPrivilegedPolicy.module.tag' "$CONTROLLER_VALUES")
+POLICY_VERSION=$(yq eval '.recommendedPolicies.podPrivilegedPolicy.module.tag' "$CONTROLLER_VALUES")
 HAULER_VERSION=$(get_hauler_image_version "policies/pod-privileged")
 compare_version "pod-privileged" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES"
 # Validate user-group-psp policy
-POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.userGroupPolicy.module.tag' "$CONTROLLER_VALUES")
+POLICY_VERSION=$(yq eval '.recommendedPolicies.userGroupPolicy.module.tag' "$CONTROLLER_VALUES")
 HAULER_VERSION=$(get_hauler_image_version "policies/user-group-psp")
 compare_version "user-group-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES"
From fa677264a37a02846096053778045a060eb18549 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?=
Date: Thu, 21 May 2026 17:00:57 -0300
Subject: [PATCH 21/22] chore: simplify scripts and CI for unified chart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With a single helm chart there is no need to iterate over chart directories or validate common values across charts. Simplify the image and policy extraction scripts to operate on the chart path directly, remove the common-values check script and its CI step, and update the Makefile targets.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz
---
 .github/workflows/ci.yml | 2 -
 Makefile | 8 +-
 charts/common-values.yaml | 104 --------------------------
 scripts/charts-check-common-values.sh | 11 ---
 scripts/charts-extract-images.sh | 30 ++------
 scripts/charts-extract-policies.sh | 41 +++------
 6 files changed, 19 insertions(+), 177 deletions(-)
 delete mode 100644 charts/common-values.yaml
 delete mode 100755 scripts/charts-check-common-values.sh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 01e801b42..d326ec3ea 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -424,8 +424,6 @@ jobs:
 # Disable plugin verification until the following issue is addressed https://github.com/helm-unittest/helm-unittest/issues/777
 - name: Install Helm-unittest
 run: helm plugin install https://github.com/helm-unittest/helm-unittest --verify=false
- - name: Verify common values
- run: make charts-check-common-values
 - name: helm unit tests
 run: make helm-unittest
diff --git a/Makefile b/Makefile
index e6806bb6c..7b357a65f 100644
--- a/Makefile
+++ b/Makefile
@@ -177,17 +177,13 @@ generate-chart: ## Generate Helm chart values schema.
 check-generate: generate
 @./hack/check-for-auto-generated-changes.sh
-.PHONY: charts-check-common-values
-charts-check-common-values:
- @./scripts/charts-check-common-values.sh
-
 .PHONY: charts-generate-images-file
 charts-generate-images-file:
- @./scripts/charts-extract-images.sh ./charts
+ @./scripts/charts-extract-images.sh ./charts/kubewarden-controller
 .PHONY: charts-generate-policies-file
 charts-generate-policies-file:
- @./scripts/charts-extract-policies.sh ./charts
+ @./scripts/charts-extract-policies.sh ./charts/kubewarden-controller
 .PHONY: charts-generate-changelog-files
 charts-generate-changelog-files:
diff --git a/charts/common-values.yaml b/charts/common-values.yaml
deleted file mode 100644
index eb2c08963..000000000
--- a/charts/common-values.yaml
+++ /dev/null
@@ -1,104 +0,0 @@ -# Common settings across multiple charts. These settings will be used -# by more than one chart and they ideally need to match during the -# installation of the charts consuming this values. -global: - # affinity: - # podAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # matchExpressions: - # - key: security - # operator: In - # values: - # - S1 - # topologyKey: topology.kubernetes.io/zone - # podAntiAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight: 100 - # podAffinityTerm: - # labelSelector: - # matchExpressions: - # - key: security - # operator: In - # values: - # - S2 - # topologyKey: topology.kubernetes.io/zone - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: kubernetes.io/os - # operator: In - # values: - # - linux - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight: 1 - # preference: - # matchExpressions: - # - key: label-1 - # operator: In - # values: - # - key-1 - # - weight: 50 - # preference: - # matchExpressions: - # - key: label-2 - # operator: In - # values: - # - key-2 - affinity: {} - # tolerations: - # - key: "key1" - # operator: "Equal" - # value: "value1" - # effect: "NoSchedule" - # - key: "key1" - # operator: "Equal" - # value: "value1" - # effect: "NoExecute" - tolerations: [] - # priorityClassName: "" - cattle: - systemDefaultRegistry: ghcr.io - skipNamespaces: - - calico-apiserver - - calico-system - - capi-system - - cattle-capi-system - - cattle-alerting - - cattle-csp-adapter-system - - cattle-elemental-system - - cattle-epinio-system - - cattle-externalip-system - - cattle-fleet-local-system - - cattle-fleet-system - - cattle-gatekeeper-system - - cattle-global-data - - cattle-global-nt - - cattle-impersonation-system - - cattle-istio - - cattle-istio-system - - cattle-logging - - cattle-logging-system - - cattle-monitoring-system - - cattle-neuvector-system - - 
cattle-prometheus - - cattle-provisioning-capi-system - - cattle-resources-system - - cattle-sriov-system - - cattle-system - - cattle-turtles-system - - cattle-ui-plugin-system - - cattle-windows-gmsa-system - - cert-manager - - cis-operator-system - - fleet-default - - ingress-nginx - - istio-system - - kube-node-lease - - kube-public - - kube-system - - longhorn-system - - rancher-alerting-drivers - - security-scan - - tigera-operator diff --git a/scripts/charts-check-common-values.sh b/scripts/charts-check-common-values.sh deleted file mode 100755 index 6bed1efda..000000000 --- a/scripts/charts-check-common-values.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -set -euo pipefail - -# Check that there's no divergence between ./common-values.yaml, key `global`, -# and the `global` key on the helm-chart values.yaml - -diff <(yq eval '(.global // {}) | sort_keys(.)' charts/common-values.yaml) <(yq eval '(.global // {}) | sort_keys(.)' charts/kubewarden-controller/values.yaml) || ( - echo - echo "kubewarden-controller values.yaml diverges from common-values.yaml" - exit 1 -) diff --git a/scripts/charts-extract-images.sh b/scripts/charts-extract-images.sh index c8df771bf..e20d33579 100755 --- a/scripts/charts-extract-images.sh +++ b/scripts/charts-extract-images.sh 
@@ -1,29 +1,13 @@
 #!/bin/bash
 set -euo pipefail
-CHART_DIR=$1
-CHARTS_DIRS=$(find "$CHART_DIR" -type d -exec test -e '{}'/values.yaml \; -print)
+CHART_DIR="$1"
 IMAGELIST_FILENAME=imagelist.txt
-TMP_IMAGE_FILE=/tmp/$IMAGELIST_FILENAME
-find "$CHART_DIR" -type f -name $IMAGELIST_FILENAME -delete
-if [ -e $IMAGELIST_FILENAME ]; then
- rm $IMAGELIST_FILENAME
-fi
+RENDERED=$(helm template --values "$CHART_DIR"/values.yaml --set auditScanner.policyReporter=true "$CHART_DIR/")
-for chart in $CHARTS_DIRS; do
- # the set CLI flag is used only by the controller chart. But to
- simplify the script, it will be passed for all the chart. It will be
- ignore for the other chart anyway
- helm template --values "$chart"/values.yaml --set auditScanner.policyReporter=true "$chart"/ | yq -r "..|.image?" | grep -v "null" > $TMP_IMAGE_FILE
- sed --in-place '/---/d' $TMP_IMAGE_FILE
- mv $TMP_IMAGE_FILE "$chart"/$IMAGELIST_FILENAME
-done
-
-# Delete the empty imagelist.txt files.
-find "$CHART_DIR" -type f -name $IMAGELIST_FILENAME -empty -delete
-find "$CHART_DIR" -type f -name $IMAGELIST_FILENAME -print0 | xargs --null cat > $TMP_IMAGE_FILE
-mv $TMP_IMAGE_FILE $IMAGELIST_FILENAME
-
-find "$CHART_DIR" -type f -name $IMAGELIST_FILENAME -exec sort -u -o \{\} \{\} \;
-sort -u -o $IMAGELIST_FILENAME $IMAGELIST_FILENAME
+{
+ echo "$RENDERED" | yq -r '..|.image?' | grep -v "null"
+ echo "$RENDERED" | yq '. | select(.kind=="ConfigMap" and .metadata.name=="kubewarden-defaults") | .data[]' \
+ | yq -r '..|.image?' | grep -v "null"
+} | grep -E '^[a-zA-Z0-9].*/' | sort -u > "$IMAGELIST_FILENAME"
diff --git a/scripts/charts-extract-policies.sh b/scripts/charts-extract-policies.sh
index c75c22df3..0944a9d23 100755
--- a/scripts/charts-extract-policies.sh
+++ b/scripts/charts-extract-policies.sh
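Review bot: The final `grep -E '^[a-zA-Z0-9].*/'` silently discards any image reference that contains no `/` (a bare Docker Hub name such as `busybox:1.36`, constructed example), and under `set -o pipefail` a `grep` that matches nothing exits 1, so an empty render makes the script fail with no diagnostic at all. An explicit check after the pipeline keeps the failure readable, `[[ -s "$IMAGELIST_FILENAME" ]] || { echo "no images extracted from $CHART_DIR" >&2; exit 1; }`. The comment that explained `--set auditScanner.policyReporter=true` was removed together with the loop; the flag now has no explanation, and a one-liner on the `RENDERED=` line — presumably it is there so the policy-reporter images are rendered into the list, to be confirmed — would help. The second pipeline re-parses the `kubewarden-defaults` ConfigMap `data` values as YAML, which also deserves a short comment such as `# the defaults ConfigMap embeds manifests as YAML strings; extract their images too`.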
@@ -2,36 +2,15 @@
 set -euo pipefail
 CHART_DIR="$1"
-CHARTS_DIRS=$(find "$CHART_DIR" -type d -exec test -e '{}'/values.yaml \; -print)
 POLICYLIST_FILENAME=policylist.txt
-TMP_POLICY_FILE=/tmp/$POLICYLIST_FILENAME
-find "$CHART_DIR" -type f -name $POLICYLIST_FILENAME -delete
-if [ -e $POLICYLIST_FILENAME ]; then
- rm $POLICYLIST_FILENAME
-fi
-
-for chart in $CHARTS_DIRS; do
- if [[ $chart == *"-defaults" ]]; then
- helm template --values "$chart"/values.yaml --set recommendedPolicies.enabled=true "$chart/" \
- | yq -r ". | select(.kind==\"ClusterAdmissionPolicy\" or .kind==\"AdmissionPolicy\") | .spec.module" > "$TMP_POLICY_FILE"
- sed --in-place '/---/d' $TMP_POLICY_FILE
- # adds the registry prefix if necessary
- file=$(cat $TMP_POLICY_FILE)
- for line in $file; do
- if [[ $(echo "$line" | awk '!/(https:\/\/|registry:\/\/)/') ]]; then
- echo "$line" | sed 's/^/registry:\/\//' >> "$chart"/$POLICYLIST_FILENAME
- continue
- fi
- echo "$line" >> "$chart"/$POLICYLIST_FILENAME
- done
- fi
-done
-
-# Delete the empty policylist.txt files.
-find "$CHART_DIR" -type f -name $POLICYLIST_FILENAME -empty -delete
-find "$CHART_DIR" -type f -name $POLICYLIST_FILENAME -print0 | xargs --null cat > $TMP_POLICY_FILE
-mv $TMP_POLICY_FILE $POLICYLIST_FILENAME
-# Sort policylist file
-find "$CHART_DIR" -type f -name $POLICYLIST_FILENAME -exec sort -u -o \{\} \{\} \;
-sort -u -o $POLICYLIST_FILENAME $POLICYLIST_FILENAME
+helm template --values "$CHART_DIR"/values.yaml --set recommendedPolicies.enabled=true "$CHART_DIR/" \
+ | yq '. | select(.kind=="ConfigMap" and .metadata.name=="kubewarden-defaults") | .data[]' \
+ | grep '^\s*module:' | sed 's/.*module:\s*//' \
+ | while read -r line; do
+ if ! echo "$line" | grep -qE '(https://|registry://)'; then
+ echo "registry://$line"
+ else
+ echo "$line"
+ fi
+ done | sort -u > "$POLICYLIST_FILENAME"
From cb7bddad10e4a9817ba4845ad59cf892f5dc08d4 Mon Sep 17 00:00:00 2001
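Review bot: The new extraction text-matches `grep '^\s*module:' | sed 's/.*module:\s*//'` over the embedded YAML instead of selecting `.spec.module` structurally as the removed loop did, so it will also pick up any other key named `module` nested elsewhere in a policy document, and a quoted value (`module: "registry://…"`) keeps its quotes in the output. The sibling images script in this commit already feeds the same ConfigMap `data` back into `yq -r`, so the same can be done here, e.g. replacing the `grep`/`sed` stage with `| yq -r 'select(.kind=="ClusterAdmissionPolicy" or .kind=="AdmissionPolicy") | .spec.module' \` (the filter the old code used), which keeps the parsing YAML-aware. Separately, `grep -qE '(https://|registry://)'` is unanchored, so a scheme appearing anywhere inside the value suppresses the prefix; `'^(https://|registry://)'` matches the stated intent of adding the registry prefix only when it is missing.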
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?=
Date: Thu, 21 May 2026 17:07:47 -0300
Subject: [PATCH 22/22] fix(chart): update hauler manifest for unified chart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The hauler manifest still referenced the old kubewarden-crds and kubewarden-defaults charts which no longer exist after merging into a single unified chart. Remove those entries and update the kubewarden-controller chart version to 6.0.0-alpha.1. Also fix the policy-reporter dependency version extraction in the validation script to use a name-based selector instead of a hardcoded array index, since the dependency order changed when openreports became the first entry.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz
---
 charts/hauler_manifest.yaml | 8 +-------
 scripts/validate-hauler-manifest.sh | 2 +-
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/charts/hauler_manifest.yaml b/charts/hauler_manifest.yaml
index ca7712f49..d26005215 100644
--- a/charts/hauler_manifest.yaml
+++ b/charts/hauler_manifest.yaml
@@ -56,15 +56,9 @@ metadata:
 name: kubewarden-helm-charts
 spec:
 charts:
- - name: kubewarden-crds
- repoURL: https://charts.kubewarden.io
- version: 1.28.0-beta.1
 - name: kubewarden-controller
 repoURL: https://charts.kubewarden.io
- version: 5.14.0-beta.1
- - name: kubewarden-defaults
- repoURL: https://charts.kubewarden.io
- version: 3.14.0-beta.1
+ version: 6.0.0-alpha.1
 - name: policy-reporter
 version: 3.7.4
 repoURL: https://kyverno.github.io/policy-reporter
diff --git a/scripts/validate-hauler-manifest.sh b/scripts/validate-hauler-manifest.sh
index c27781234..cee836664 100755
--- a/scripts/validate-hauler-manifest.sh
+++ b/scripts/validate-hauler-manifest.sh
@@ -99,7 +99,7 @@ echo
 # Extract policy-reporter chart metadata from the vendored chart
 POLICY_REPORTER_CHART_PATH="$REPO_ROOT/charts/kubewarden-controller/charts"
-POLICY_REPORTER_CHART_VERSION=$(yq -e eval '.dependencies[0].version' "$CONTROLLER_CHART")
+POLICY_REPORTER_CHART_VERSION=$(yq -e eval '.dependencies[] | select(.name == "policy-reporter") | .version' "$CONTROLLER_CHART")
 POLICY_REPORTER_TGZ="$POLICY_REPORTER_CHART_PATH/policy-reporter-${POLICY_REPORTER_CHART_VERSION}.tgz"
 # Check if the vendored chart exists