Policy group files (#518)
Signed-off-by: José Guilherme Vanz <[email protected]>
jvanz authored Sep 9, 2024
1 parent 93e44bf commit cfab705
Showing 7 changed files with 1,265 additions and 190 deletions.
72 changes: 27 additions & 45 deletions charts/kubewarden-controller/templates/rbac.yaml
Expand Up @@ -51,43 +51,43 @@ metadata:
{{- include "kubewarden-controller.annotations" . | nindent 4 }}
rules:
- apiGroups:
- ""
- apps
resources:
- secrets
- services
- configmaps
- deployments
verbs:
- get
- create
- patch
- update
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments
- replicasets
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- ""
resources:
- pods
- configmaps
- secrets
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
- ""
resources:
- replicasets
- pods
verbs:
- get
- list
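Review bot: splitting the old combined `""`/`apps` rule into one rule per API group (deployments and replicasets under `apps`; pods, configmaps, secrets and services under the core group) removes the cross-product grants the single rule implied and is the right least-privilege move. The core-group rule now carries the full `create, delete, get, list, patch, update, watch` set on `secrets` and `configmaps`, though; if this role is a ClusterRole, cluster-wide `list`/`watch` on secrets is the first thing an RBAC audit flags, so please confirm the controller actually needs to list or watch secrets rather than `get` named ones, and either trim those two verbs or document why they are required.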
Expand Down Expand Up @@ -123,14 +123,16 @@ rules:
- create
- delete
- list
- get
- patch
- watch
- apiGroups:
- policies.kubewarden.io
resources:
- clusteradmissionpolicies
- admissionpolicies
- admissionpolicygroups
- clusteradmissionpolicies
- clusteradmissionpolicygroups
- policyservers
verbs:
- create
- delete
Expand All @@ -142,45 +144,25 @@ rules:
- apiGroups:
- policies.kubewarden.io
resources:
- clusteradmissionpolicies/finalizers
- admissionpolicies/finalizers
- admissionpolicygroups/finalizers
- clusteradmissionpolicies/finalizers
- clusteradmissionpolicygroups/finalizers
- policyservers/finalizers
verbs:
- update
- apiGroups:
- policies.kubewarden.io
resources:
- clusteradmissionpolicies/status
- admissionpolicies/status
- admissionpolicygroups/status
- clusteradmissionpolicies/status
- clusteradmissionpolicygroups/status
- policyservers/status
verbs:
- get
- patch
- update
- apiGroups:
- policies.kubewarden.io
resources:
- policyservers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- policies.kubewarden.io
resources:
- policyservers/finalizers
verbs:
- update
- apiGroups:
- policies.kubewarden.io
resources:
- policyservers/status
verbs:
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
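Review bot: the dedicated `policyservers`, `policyservers/finalizers` and `policyservers/status` rules are dropped here in favour of the merged lists, which reads better, but the merged main rule in the previous hunk only shows `create` and `delete` before the fold. Please double-check that `get`, `list`, `patch`, `update` and `watch` on `policyservers` survive the merge: the controller losing `watch` on its own PolicyServer resources fails quietly at reconcile time rather than at install time.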
89 changes: 88 additions & 1 deletion charts/kubewarden-controller/templates/webhooks.yaml
Expand Up @@ -75,6 +75,28 @@ webhooks:
resources:
- clusteradmissionpolicies
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
caBundle: {{ $caBundle }}
service:
name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /mutate-policies-kubewarden-io-v1-clusteradmissionpolicygroup
failurePolicy: Fail
name: mclusteradmissionpolicygroup.kb.io
rules:
- apiGroups:
- policies.kubewarden.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- clusteradmissionpoliciesgroup
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
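Review bot: the `resources` entry `clusteradmissionpoliciesgroup` does not look like a valid plural and does not match the `clusteradmissionpolicygroups` name used for the same resource in `charts/kubewarden-controller/templates/rbac.yaml` in this commit; the kubebuilder-style path `/mutate-policies-kubewarden-io-v1-clusteradmissionpolicygroup` implies the kind `ClusterAdmissionPolicyGroup`, whose default plural is `clusteradmissionpolicygroups`. A webhook rule whose resource name matches no served resource is simply never invoked, so defaulting for the new CRD would not run and nothing at install time would flag it. Suggest `- clusteradmissionpolicygroups`, i.e. whatever `spec.names.plural` the CRD declares. The same spelling appears in the other three webhooks added in this file (`admissionpoliciesgroup` should likewise be `admissionpolicygroups`).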
Expand Down Expand Up @@ -119,7 +141,28 @@ webhooks:
resources:
- admissionpolicies
sideEffects: None

- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
caBundle: {{ $caBundle }}
service:
name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /mutate-policies-kubewarden-io-v1-admissionpolicygroup
failurePolicy: Fail
name: madmissionpolicygroup.kb.io
rules:
- apiGroups:
- policies.kubewarden.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- admissionpoliciesgroup
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
Expand Down Expand Up @@ -152,6 +195,28 @@ webhooks:
resources:
- clusteradmissionpolicies
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
caBundle: {{ $caBundle }}
service:
name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-policies-kubewarden-io-v1-clusteradmissionpolicygroup
failurePolicy: Fail
name: vclusteradmissionpolicygroup.kb.io
rules:
- apiGroups:
- policies.kubewarden.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- clusteradmissionpoliciesgroup
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
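Review bot: `failurePolicy: Fail` only protects requests this rule actually matches; with the `resources` plural spelled `clusteradmissionpoliciesgroup` (see the note on the mutating webhook above), an invalid ClusterAdmissionPolicyGroup would be admitted without ever reaching the validating handler, and no error would surface. Beyond fixing the plural, an end-to-end test that creates a deliberately invalid group object and asserts it is rejected would catch this class of silent bypass for future CRDs too.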
Expand All @@ -174,6 +239,28 @@ webhooks:
resources:
- admissionpolicies
sideEffects: None
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
caBundle: {{ $caBundle }}
service:
name: {{ include "kubewarden-controller.fullname" . }}-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-policies-kubewarden-io-v1-admissionpolicygroup
failurePolicy: Fail
name: vadmissionpolicygroup.kb.io
rules:
- apiGroups:
- policies.kubewarden.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- admissionpoliciesgroup
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
49 changes: 7 additions & 42 deletions charts/kubewarden-crds/templates/admissionpolicies.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
controller-gen.kubebuilder.io/version: v0.16.1
name: admissionpolicies.policies.kubewarden.io
spec:
group: policies.kubewarden.io
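Review bot: the `controller-gen.kubebuilder.io/version` bump from v0.15.0 to v0.16.1 means this CRD was regenerated with a newer generator, and the remaining hunks in the file are the resulting description-only changes (the `---` separators and the embedded Go example in the `Condition` description are gone; `pattern` and `maxLength` are unchanged). Please record the generator version in the PR description and pin it wherever the CRDs are regenerated, so the next regeneration does not produce the same noisy diff in the opposite direction.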
Expand Down Expand Up @@ -115,7 +115,6 @@ spec:
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
Expand All @@ -125,7 +124,6 @@ spec:
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
type: string
name:
Expand All @@ -138,7 +136,6 @@ spec:
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
Required.
type: string
required:
Expand Down Expand Up @@ -297,7 +294,6 @@ spec:
description: |-
Resources is a list of resources this rule applies to.
For example:
'pods' means pods.
'pods/log' means the log subresource of pods.
Expand All @@ -306,11 +302,9 @@ spec:
'*/scale' means all scale subresources.
'*/*' means all resources and their subresources.
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
Depending on the enclosing object, subresources might not be allowed.
Required.
items:
Expand Down Expand Up @@ -376,16 +370,8 @@ spec:
"PolicyServerServiceReconciled" and
"AdmissionPolicyActive"
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
Expand Down Expand Up @@ -426,12 +412,7 @@ spec:
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
Expand Down Expand Up @@ -676,7 +657,6 @@ spec:
description: |-
Resources is a list of resources this rule applies to.
For example:
'pods' means pods.
'pods/log' means the log subresource of pods.
Expand All @@ -685,11 +665,9 @@ spec:
'*/scale' means all scale subresources.
'*/*' means all resources and their subresources.
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
Depending on the enclosing object, subresources might not be allowed.
Required.
items:
Expand Down Expand Up @@ -755,16 +733,8 @@ spec:
"PolicyServerServiceReconciled" and
"AdmissionPolicyActive"
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
Expand Down Expand Up @@ -805,12 +775,7 @@ spec:
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string