Skip to content

Commit

Permalink
Overlay deployment for mutations
Browse files Browse the repository at this point in the history 
Signed-off-by: Yanir Quinn <yquinn@redhat.com>
  • Loading branch information
@yanirq
yanirq committed Oct 29, 2020
1 parent 89c0ead commit 7fb8119
Show file tree
Hide file tree
Showing 10 changed files with 371 additions and 2 deletions.
3 changes: 3 additions & 0 deletions Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,9 @@ run: generate manifests
install: manifests
kustomize build config/crd | kubectl apply -f -

deploy-mutation: deploy
kustomize build --load_restrictor LoadRestrictionsNone config/overlays/mutation | kubectl apply -f -

# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
deploy: patch-image manifests
kustomize build config/overlays/dev | kubectl apply -f -
Expand Down
142 changes: 142 additions & 0 deletions config/crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,142 @@

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: assignmetadata.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: AssignMetadata
listKind: AssignMetadataList
plural: assignmetadata
singular: assignmetadata
scope: Cluster
validation:
openAPIV3Schema:
description: AssignMetadata is the Schema for the assignmetadatas API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AssignMetadataSpec defines the desired state of AssignMetadata
properties:
location:
type: string
match:
properties:
excludedNamespaces:
items:
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
type: string
kinds:
type: string
type: object
type: array
labelSelector:
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaceSelector:
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
items:
type: string
type: array
scope:
description: ResourceScope is an enum defining the different scopes available to a custom resource
type: string
required:
- scope
type: object
parameters:
properties:
value:
type: object
type: object
type: object
status:
description: AssignMetadataStatus defines the observed state of AssignMetadata
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
185 changes: 185 additions & 0 deletions config/crd/bases/mutations.gatekeeper.sh_assigns.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,185 @@

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: assigns.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: Assign
listKind: AssignList
plural: assigns
singular: assign
scope: Cluster
validation:
openAPIV3Schema:
description: Assign is the Schema for the assigns API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AssignSpec defines the desired state of Assign
properties:
applyTo:
description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file'
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
type: string
match:
properties:
excludedNamespaces:
items:
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
type: string
kinds:
type: string
type: object
type: array
labelSelector:
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaceSelector:
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
items:
type: string
type: array
scope:
description: ResourceScope is an enum defining the different scopes available to a custom resource
type: string
required:
- scope
type: object
parameters:
properties:
ifIn:
description: IfIn Only mutate if the current value is in the supplied list
items:
type: string
type: array
ifNotIn:
description: IfNotIn Only mutate if the current value is NOT in the supplied list
items:
type: string
type: array
pathTests:
items:
description: "PathTests allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate"
properties:
condition:
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
value:
description: Value to assign
type: object
type: object
type: object
status:
description: AssignStatus defines the observed state of Assign
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
2 changes: 0 additions & 2 deletions config/crd/kustomization.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,6 @@ resources:
- bases/config.gatekeeper.sh_configs.yaml
- bases/status.gatekeeper.sh_constraintpodstatuses.yaml
- bases/status.gatekeeper.sh_constrainttemplatepodstatuses.yaml
- bases/mutations.gatekeeper.sh_assignmetadata.yaml
- bases/mutations.gatekeeper.sh_assigns.yaml
# +kubebuilder:scaffold:crdkustomizeresource

bases:
Expand Down
36 changes: 36 additions & 0 deletions config/overlays/mutation/kustomization.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Adds namespace to all resources.
namespace: gatekeeper-system

# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: gatekeeper-

commonLabels:
gatekeeper.sh/system: "yes"

resources:
- ../../crd/bases/mutations.gatekeeper.sh_assigns.yaml
- ../../crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml

bases:
- ../../rbac/mutation

patchesStrategicMerge:
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
# patches here are for enabling the conversion webhook for each CRD
#- ../../crd/patches/webhook_in_assignmetadata.yaml
#- ../../crd/patches/webhook_in_assigns.yaml
# +kubebuilder:scaffold:crdkustomizewebhookpatch

# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
#- ../../crd/patches/cainjection_in_assignmetadata.yaml
#- ../../crd/patches/cainjection_in_assigns.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch

# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- ../../crd/kustomizeconfig.yaml
0 config/rbac/assign_editor_role.yaml β†’ config/rbac/mutation/assign_editor_role.yaml
View file
File renamed without changes.
0 config/rbac/assign_viewer_role.yaml β†’ config/rbac/mutation/assign_viewer_role.yaml
View file
File renamed without changes.
0 config/rbac/assignmetadata_editor_role.yaml β†’ .../mutation/assignmetadata_editor_role.yaml
View file
File renamed without changes.
0 config/rbac/assignmetadata_viewer_role.yaml β†’ .../mutation/assignmetadata_viewer_role.yaml
View file
File renamed without changes.
5 changes: 5 additions & 0 deletions config/rbac/mutation/kustomization.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
resources:
- assign_editor_role.yaml
- assign_viewer_role.yaml
- assignmetadata_editor_role.yaml
- assignmetadata_viewer_role.yaml

0 comments on commit 7fb8119

Please sign in to comment.