Commit

Merge pull request #58 from mesosphere/tga/bump-gatekeeper
feat: add project constraints in gatekeeper app
takirala authored Nov 17, 2021
2 parents 24b0a4b + 47658b4 commit f3fc0dd
Showing 8 changed files with 93 additions and 1 deletion.
21 changes: 21 additions & 0 deletions services/gatekeeper/0.6.8/constraints.yaml
@@ -0,0 +1,21 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: gatekeeper-constraints
namespace: ${releaseNamespace}
spec:
force: false
prune: true
interval: 1m0s
path: ./services/gatekeeper/0.6.8/constraints
sourceRef:
kind: GitRepository
name: management
namespace: kommander-flux
timeout: 60s
dependsOn:
- name: gatekeeper-constraint-templates
healthChecks:
- apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RequiredServiceAccountName
name: kustomization-must-have-sa
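Review bot: the healthChecks list covers only kustomization-must-have-sa, but the constraints directory this Kustomization applies also contains helmrelease-must-have-sa, so the object can report Ready before the HelmRelease constraint exists. Add a second entry with the same apiVersion/kind and `name: helmrelease-must-have-sa` so readiness (and anything that later uses dependsOn on gatekeeper-constraints) waits for both constraints.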
12 changes: 12 additions & 0 deletions services/gatekeeper/0.6.8/constraints/enforce-helmrelease-sa.yaml
@@ -0,0 +1,12 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RequiredServiceAccountName
metadata:
name: helmrelease-must-have-sa
spec:
match:
kinds:
- apiGroups: ["helm.toolkit.fluxcd.io"]
kinds: ["HelmRelease"]
namespaceSelector:
matchLabels:
kommander.d2iq.io/managed-by-kind: "Project"
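Review bot: no enforcementAction is set, so Gatekeeper defaults to deny: any HelmRelease created or updated in a namespace labelled `kommander.d2iq.io/managed-by-kind: "Project"` without spec.serviceAccountName will be rejected at admission. HelmReleases that already exist in such namespaces are not re-admitted and only surface in Gatekeeper audit, so it is worth stating the rollout plan in the PR description, or shipping with `enforcementAction: dryrun` first and switching to deny once audit is clean.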
@@ -0,0 +1,12 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RequiredServiceAccountName
metadata:
name: kustomization-must-have-sa
spec:
match:
kinds:
- apiGroups: ["kustomize.toolkit.fluxcd.io"]
kinds: ["Kustomization"]
namespaceSelector:
matchLabels:
kommander.d2iq.io/managed-by-kind: "Project"
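Review bot: the namespaceSelector scopes this to Project namespaces, which also means the gatekeeper-constraints and gatekeeper-constraint-templates Kustomizations added in this PR, which live in ${releaseNamespace} and set no serviceAccountName, would themselves be denied on their next update if ${releaseNamespace} ever carries the Project label. Please confirm that namespace is never labelled this way, or give those two Kustomizations a serviceAccountName so they satisfy the policy they install.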
21 changes: 21 additions & 0 deletions services/gatekeeper/0.6.8/constrainttemplates.yaml
@@ -0,0 +1,21 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: gatekeeper-constraint-templates
namespace: ${releaseNamespace}
spec:
force: false
prune: true
interval: 1m0s
path: ./services/gatekeeper/0.6.8/constrainttemplates
sourceRef:
kind: GitRepository
name: management
namespace: kommander-flux
dependsOn:
- name: gatekeeper
timeout: 60s
healthChecks:
- apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
name: requiredserviceaccountname
@@ -0,0 +1,20 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: requiredserviceaccountname
annotations:
description: Requires the given resource to have the .spec.serviceAccountName field set.
spec:
crd:
spec:
names:
kind: RequiredServiceAccountName
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package requiredserviceaccountname
violation[{"msg": msg}] {
value := object.get(input.review.object.spec, "serviceAccountName", "")
value == ""
msg := "must have a serviceAccountName set"
}
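Review bot: the violation rule silently passes objects that have no `spec` at all: `input.review.object.spec` is undefined in that case, `object.get` on an undefined value is itself undefined, and the rule body never becomes true, so no violation is produced. Fetch the field with a default at each level, e.g. `value := object.get(object.get(input.review.object, "spec", {}), "serviceAccountName", "")`, so a missing spec is treated the same as an empty serviceAccountName. A `violation` rule that only fires on `value == ""` also means a serviceAccountName of whitespace would pass; trimming with `trim_space` before the comparison closes that gap if it matters for Flux.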
4 changes: 3 additions & 1 deletion services/gatekeeper/0.6.8/kustomization.yaml
@@ -1,4 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gatekeeper.yaml
- ./release
- constraints.yaml
- constrainttemplates.yaml
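Review bot: per the file header this hunk is 3 additions and 1 deletion, so `release.yaml` is replaced by `./release` and the two Flux Kustomization manifests are added; the rendered view has dropped the +/- markers. The important property to keep is that the parent only includes constraints.yaml and constrainttemplates.yaml (the Flux Kustomization objects), not the constraints/ and constrainttemplates/ directories themselves, so every manifest has exactly one applier and `prune: true` on the child Kustomizations cannot fight with the parent.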
4 changes: 4 additions & 0 deletions services/gatekeeper/0.6.8/release/kustomization.yaml
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- release.yaml
File renamed without changes.

0 comments on commit f3fc0dd
