Merge pull request #4 from smartcat999/feat-add-gatekeeper-charts

feat: add extension gatekeeper

gatekeeper/CHANGELOG.md

@@ -0,0 +1,15 @@
+## v1.0.1
+
+### Enhancements
+
+- Adapt for KubeSphere v4.1.1
+
+## v1.0.0
+
+[Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an admission controller for Kubernetes that allows flexible configuration of policies, using [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) to validate requests to create and update resources on a Kubernetes cluster.
+
+Gatekeeper enables the flexible definition of admission policies, enforcing security admission reviews at the cluster level to ensure stability and regulatory compliance of Kubernetes clusters.
+
+### Features
+
+- Support for configuring security admission policies at the cluster level

gatekeeper/CHANGELOG_zh.md

@@ -0,0 +1,15 @@
+## v1.0.1
+
+### 优化
+
+- 适配 KubeSphere v4.1.1
+
+## v1.0.0
+
+[Gatekeeper](https://github.com/open-policy-agent/gatekeeper) 是一个用于 Kubernetes 可灵活配置策略的准入控制器，使用[Open Policy Agent (OPA) ](https://www.openpolicyagent.org/) 验证在 Kubernetes 集群上创建和更新资源的请求。
+
+借助 Gatekeeper 可以灵活的定义准入策略，在集群层面强制执行安全准入审查，从而确保 Kubernetes 集群的稳定性和安全合规。
+
+### 新特性
+
+- 支持在集群层面配置安全准入策略

gatekeeper/README.md

@@ -0,0 +1,15 @@
+[Gatekeeper](https://github.com/open-policy-agent/gatekeeper) is an admission controller for Kubernetes that allows flexible configuration of policies, using [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) to validate requests to create and update resources on a Kubernetes cluster.
+
+Gatekeeper enables the flexible definition of admission policies, enforcing security admission reviews at the cluster level to ensure stability and regulatory compliance of Kubernetes clusters.
+
+Key features of Gatekeeper include:
+
+1. **Flexibility:** Gatekeeper allows users to declaratively define admission policies that apply to selected namespaces and resource types.
+
+2. **Programmability:** Gatekeeper uses Open Policy Agent (OPA) as its decision engine, enabling complex security policy definitions using Rego.
+
+3. **Rollout:** Supports gradual enforcement of admission policies in a phased manner to mitigate the risk of disrupting workloads.
+
+4. **Pre-release mechanism:** Gatekeeper provides mechanisms to test the impact and scope of security policies before enforcement.
+
+[OPA Gatekeeper Library](https://open-policy-agent.github.io/gatekeeper-library/website/) provides a collection of commonly used security admission policies.

gatekeeper/README_zh.md

@@ -0,0 +1,15 @@
+[Gatekeeper](https://github.com/open-policy-agent/gatekeeper) 是一个用于 Kubernetes 可灵活配置策略的准入控制器，使用[Open Policy Agent (OPA) ](https://www.openpolicyagent.org/) 验证在 Kubernetes 集群上创建和更新资源的请求。
+
+借助 Gatekeeper 可以灵活的定义准入策略，在集群层面强制执行安全准入审查，从而确保 Kubernetes 集群的稳定性和安全合规。
+
+Gatekeeper 的主要特性包括：
+
+1. **灵活:** Gatekeeper 允许用户声明式的定义准入策略，作用于选定的 namespace 与选定的资源类型。
+
+2. **可编程:** Gatekeeper 使用 Open Policy Agent（OPA）作为决策引擎，可借助 Rego 实现复杂的安全策略定义。
+
+3. **滚动发布:** 支持以循序渐进的方式逐步执行准入策略，从而规避中断工作负载的风险。
+
+4. **预发布机制:** Gatekeeper 提供在强制执行之前测试安全策略影响和范围的机制。
+
+[OPA Gatekeeper Library](https://open-policy-agent.github.io/gatekeeper-library/website/) 提供了一些常用的安全准入策略。

gatekeeper/extension.yaml

@@ -0,0 +1,56 @@
+apiVersion: kubesphere.io/v1alpha1
+name: gatekeeper
+version: 1.0.1
+displayName:
+  en: Gatekeeper
+  zh: Gatekeeper
+description:
+  zh: |-
+    Gatekeeper 是一个基于 OPA 的安全策略管理工具
+  en: |-
+    Gatekeeper is a security policy management tool based on OPA
+category: security
+keywords:
+- security
+- gatekeeper
+- opa
+- admission webhook
+home: https://kubesphere.io
+docs: https://open-policy-agent.github.io/gatekeeper/website/docs/
+sources:
+- https://github.com/kubesphere-extensions/gatekeeper
+- https://github.com/open-policy-agent/gatekeeper
+kubeVersion: '>=1.19.0-0'
+ksVersion: '>=4.1.0-0'
+maintainers:
+- name: KubeSphere
+  email: [email protected]
+provider:
+  zh:
+    name: 北京青云科技股份有限公司
+    email: [email protected]
+    url: https://kubesphere.com.cn/
+  en:
+    name: QingCloud Technologies
+    email: [email protected]
+    url: https://kubesphere.co/
+icon: ./logo.svg
+dependencies:
+- name: gatekeeper
+  tags:
+  - agent
+- name: agent
+  tags:
+  - agent
+- name: extension
+  tags:
+  - extension
+# installationMode describes how to install subcharts, it can be HostOnly or Multicluster.
+# In Multicluster mode, the subchart with tag `extension` will only be deployed to the host cluster,
+# and the subchart with tag `agent` will be deployed to all selected clusters.
+installationMode: Multicluster
+images:
+- docker.io/kubesphere/gatekeeper-extension-apiserver:v1.0.1
+- docker.io/kubesphere/kubectl:v1.27.12
+- docker.io/openpolicyagent/gatekeeper:v3.14.0
+- docker.io/openpolicyagent/gatekeeper-crds:v3.14.0

gatekeeper/permissions.yaml

@@ -0,0 +1,116 @@
+kind: ClusterRole
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - 'apiextensions.k8s.io'
+    resources:
+      - 'customresourcedefinitions'
+    verbs:
+      - '*'
+  - apiGroups:
+      - 'config.gatekeeper.sh'
+      - 'constraints.gatekeeper.sh'
+      - 'expansion.gatekeeper.sh'
+      - 'externaldata.gatekeeper.sh'
+      - 'mutations.gatekeeper.sh'
+      - 'status.gatekeeper.sh'
+      - 'templates.gatekeeper.sh'
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  - apiGroups:
+      - 'rbac.authorization.k8s.io'
+    resources:
+      - 'clusterroles'
+      - 'clusterrolebindings'
+    verbs:
+      - 'create'
+      - 'delete'
+  - apiGroups:
+      - ''
+    resources:
+      - 'namespaces'
+    verbs:
+      - 'patch'
+      - 'update'
+  - apiGroups:
+      - 'rbac.authorization.k8s.io'
+    resources:
+      - 'clusterroles'
+    verbs:
+      - '*'
+    resourceNames:
+      - gatekeeper-manager-role
+      - gatekeeper-admin-upgrade-crds
+  - apiGroups:
+      - ''
+    resources:
+      - 'secrets'
+    verbs:
+      - 'list'
+  - apiGroups:
+      - 'rbac.authorization.k8s.io'
+    resources:
+      - 'clusterrolebindings'
+    verbs:
+      - '*'
+    resourceNames:
+      - gatekeeper-manager-rolebinding
+      - gatekeeper-admin-upgrade-crds
+  - apiGroups:
+      - 'policy'
+    resources:
+      - 'podsecuritypolicies'
+    verbs:
+      - '*'
+    resourceNames:
+      - gatekeeper-admin
+  - apiGroups:
+      - 'policy'
+    resources:
+      - 'podsecuritypolicies'
+    verbs:
+      - 'create'
+  - apiGroups:
+      - 'admissionregistration.k8s.io'
+    resources:
+      - 'mutatingwebhookconfigurations'
+    verbs:
+      - '*'
+  - apiGroups:
+      - 'admissionregistration.k8s.io'
+    resources:
+      - 'validatingwebhookconfigurations'
+    verbs:
+      - '*'
+  - apiGroups:
+      - 'extensions.kubesphere.io'
+    resources:
+      - '*'
+    verbs:
+      - '*'
+
+---
+kind: Role
+rules:
+  - verbs:
+      - '*'
+    apiGroups:
+      - '*'
+    resources:
+      - '*'