-
Notifications
You must be signed in to change notification settings - Fork 743
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Yanir Quinn <yquinn@redhat.com>
- Loading branch information
Showing
10 changed files
with
371 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
142 changes: 142 additions & 0 deletions
142
config/crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,142 @@ | ||
|
||
--- | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.3.0 | ||
creationTimestamp: null | ||
name: assignmetadata.mutations.gatekeeper.sh | ||
spec: | ||
group: mutations.gatekeeper.sh | ||
names: | ||
kind: AssignMetadata | ||
listKind: AssignMetadataList | ||
plural: assignmetadata | ||
singular: assignmetadata | ||
scope: Cluster | ||
validation: | ||
openAPIV3Schema: | ||
description: AssignMetadata is the Schema for the assignmetadatas API | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: AssignMetadataSpec defines the desired state of AssignMetadata | ||
properties: | ||
location: | ||
type: string | ||
match: | ||
properties: | ||
excludedNamespaces: | ||
items: | ||
type: string | ||
type: array | ||
kinds: | ||
items: | ||
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. | ||
properties: | ||
apiGroups: | ||
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. | ||
type: string | ||
kinds: | ||
type: string | ||
type: object | ||
type: array | ||
labelSelector: | ||
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. | ||
properties: | ||
matchExpressions: | ||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. | ||
items: | ||
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. | ||
properties: | ||
key: | ||
description: key is the label key that the selector applies to. | ||
type: string | ||
operator: | ||
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | ||
type: string | ||
values: | ||
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | ||
items: | ||
type: string | ||
type: array | ||
required: | ||
- key | ||
- operator | ||
type: object | ||
type: array | ||
matchLabels: | ||
additionalProperties: | ||
type: string | ||
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | ||
type: object | ||
type: object | ||
namespaceSelector: | ||
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. | ||
properties: | ||
matchExpressions: | ||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. | ||
items: | ||
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. | ||
properties: | ||
key: | ||
description: key is the label key that the selector applies to. | ||
type: string | ||
operator: | ||
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | ||
type: string | ||
values: | ||
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | ||
items: | ||
type: string | ||
type: array | ||
required: | ||
- key | ||
- operator | ||
type: object | ||
type: array | ||
matchLabels: | ||
additionalProperties: | ||
type: string | ||
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | ||
type: object | ||
type: object | ||
namespaces: | ||
items: | ||
type: string | ||
type: array | ||
scope: | ||
description: ResourceScope is an enum defining the different scopes available to a custom resource | ||
type: string | ||
required: | ||
- scope | ||
type: object | ||
parameters: | ||
properties: | ||
value: | ||
type: object | ||
type: object | ||
type: object | ||
status: | ||
description: AssignMetadataStatus defines the observed state of AssignMetadata | ||
type: object | ||
type: object | ||
version: v1alpha1 | ||
versions: | ||
- name: v1alpha1 | ||
served: true | ||
storage: true | ||
status: | ||
acceptedNames: | ||
kind: "" | ||
plural: "" | ||
conditions: [] | ||
storedVersions: [] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,185 @@ | ||
|
||
--- | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.3.0 | ||
creationTimestamp: null | ||
name: assigns.mutations.gatekeeper.sh | ||
spec: | ||
group: mutations.gatekeeper.sh | ||
names: | ||
kind: Assign | ||
listKind: AssignList | ||
plural: assigns | ||
singular: assign | ||
scope: Cluster | ||
validation: | ||
openAPIV3Schema: | ||
description: Assign is the Schema for the assigns API | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: AssignSpec defines the desired state of Assign | ||
properties: | ||
applyTo: | ||
description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file' | ||
items: | ||
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. | ||
properties: | ||
groups: | ||
items: | ||
type: string | ||
type: array | ||
kinds: | ||
items: | ||
type: string | ||
type: array | ||
versions: | ||
items: | ||
type: string | ||
type: array | ||
type: object | ||
type: array | ||
location: | ||
type: string | ||
match: | ||
properties: | ||
excludedNamespaces: | ||
items: | ||
type: string | ||
type: array | ||
kinds: | ||
items: | ||
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. | ||
properties: | ||
apiGroups: | ||
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. | ||
type: string | ||
kinds: | ||
type: string | ||
type: object | ||
type: array | ||
labelSelector: | ||
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. | ||
properties: | ||
matchExpressions: | ||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. | ||
items: | ||
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. | ||
properties: | ||
key: | ||
description: key is the label key that the selector applies to. | ||
type: string | ||
operator: | ||
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | ||
type: string | ||
values: | ||
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | ||
items: | ||
type: string | ||
type: array | ||
required: | ||
- key | ||
- operator | ||
type: object | ||
type: array | ||
matchLabels: | ||
additionalProperties: | ||
type: string | ||
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | ||
type: object | ||
type: object | ||
namespaceSelector: | ||
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. | ||
properties: | ||
matchExpressions: | ||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. | ||
items: | ||
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. | ||
properties: | ||
key: | ||
description: key is the label key that the selector applies to. | ||
type: string | ||
operator: | ||
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | ||
type: string | ||
values: | ||
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | ||
items: | ||
type: string | ||
type: array | ||
required: | ||
- key | ||
- operator | ||
type: object | ||
type: array | ||
matchLabels: | ||
additionalProperties: | ||
type: string | ||
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | ||
type: object | ||
type: object | ||
namespaces: | ||
items: | ||
type: string | ||
type: array | ||
scope: | ||
description: ResourceScope is an enum defining the different scopes available to a custom resource | ||
type: string | ||
required: | ||
- scope | ||
type: object | ||
parameters: | ||
properties: | ||
ifIn: | ||
description: IfIn Only mutate if the current value is in the supplied list | ||
items: | ||
type: string | ||
type: array | ||
ifNotIn: | ||
description: IfNotIn Only mutate if the current value is NOT in the supplied list | ||
items: | ||
type: string | ||
type: array | ||
pathTests: | ||
items: | ||
description: "PathTests allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate" | ||
properties: | ||
condition: | ||
enum: | ||
- MustExist | ||
- MustNotExist | ||
type: string | ||
subPath: | ||
type: string | ||
type: object | ||
type: array | ||
value: | ||
description: Value to assign | ||
type: object | ||
type: object | ||
type: object | ||
status: | ||
description: AssignStatus defines the observed state of Assign | ||
type: object | ||
type: object | ||
version: v1alpha1 | ||
versions: | ||
- name: v1alpha1 | ||
served: true | ||
storage: true | ||
status: | ||
acceptedNames: | ||
kind: "" | ||
plural: "" | ||
conditions: [] | ||
storedVersions: [] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
# Adds namespace to all resources. | ||
namespace: gatekeeper-system | ||
|
||
# Value of this field is prepended to the | ||
# names of all resources, e.g. a deployment named | ||
# "wordpress" becomes "alices-wordpress". | ||
# Note that it should also match with the prefix (text before '-') of the namespace | ||
# field above. | ||
namePrefix: gatekeeper- | ||
|
||
commonLabels: | ||
gatekeeper.sh/system: "yes" | ||
|
||
resources: | ||
- ../../crd/bases/mutations.gatekeeper.sh_assigns.yaml | ||
- ../../crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml | ||
|
||
bases: | ||
- ../../rbac/mutation | ||
|
||
patchesStrategicMerge: | ||
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. | ||
# patches here are for enabling the conversion webhook for each CRD | ||
#- ../../crd/patches/webhook_in_assignmetadata.yaml | ||
#- ../../crd/patches/webhook_in_assigns.yaml | ||
# +kubebuilder:scaffold:crdkustomizewebhookpatch | ||
|
||
# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. | ||
# patches here are for enabling the CA injection for each CRD | ||
#- ../../crd/patches/cainjection_in_assignmetadata.yaml | ||
#- ../../crd/patches/cainjection_in_assigns.yaml | ||
# +kubebuilder:scaffold:crdkustomizecainjectionpatch | ||
|
||
# the following config is for teaching kustomize how to do kustomization for CRDs. | ||
configurations: | ||
- ../../crd/kustomizeconfig.yaml |
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
resources: | ||
- assign_editor_role.yaml | ||
- assign_viewer_role.yaml | ||
- assignmetadata_editor_role.yaml | ||
- assignmetadata_viewer_role.yaml |