diff --git a/services/gatekeeper/0.6.8/constraints.yaml b/services/gatekeeper/0.6.8/constraints.yaml
new file mode 100644
index 000000000..0caf068e8
--- /dev/null
+++ b/services/gatekeeper/0.6.8/constraints.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: gatekeeper-constraints
+ namespace: ${releaseNamespace}
+spec:
+ force: false
+ prune: true
+ interval: 1m0s
+ path: ./services/gatekeeper/0.6.8/constraints
+ sourceRef:
+ kind: GitRepository
+ name: management
+ namespace: kommander-flux
+ timeout: 60s
+ dependsOn:
+ - name: gatekeeper-constraint-templates
+ healthChecks:
+ - apiVersion: constraints.gatekeeper.sh/v1beta1
+ kind: RequiredServiceAccountName
+ name: kustomization-must-have-sa
diff --git a/services/gatekeeper/0.6.8/constraints/enforce-helmrelease-sa.yaml b/services/gatekeeper/0.6.8/constraints/enforce-helmrelease-sa.yaml
new file mode 100644
index 000000000..a289ef74b
--- /dev/null
+++ b/services/gatekeeper/0.6.8/constraints/enforce-helmrelease-sa.yaml
@@ -0,0 +1,12 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: RequiredServiceAccountName
+metadata:
+ name: helmrelease-must-have-sa
+spec:
+ match:
+ kinds:
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ kinds: ["HelmRelease"]
+ namespaceSelector:
+ matchLabels:
+ kommander.d2iq.io/managed-by-kind: "Project"
diff --git a/services/gatekeeper/0.6.8/constraints/enforce-kustomization-sa.yaml b/services/gatekeeper/0.6.8/constraints/enforce-kustomization-sa.yaml
new file mode 100644
index 000000000..cccab736b
--- /dev/null
+++ b/services/gatekeeper/0.6.8/constraints/enforce-kustomization-sa.yaml
@@ -0,0 +1,12 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: RequiredServiceAccountName
+metadata:
+ name: kustomization-must-have-sa
+spec:
+ match:
+ kinds:
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ kinds: ["Kustomization"]
+ namespaceSelector:
+ matchLabels:
+ kommander.d2iq.io/managed-by-kind: "Project"
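Review bot: The `healthChecks` list on the gatekeeper-constraints Kustomization only waits for `kustomization-must-have-sa`, while the same `path` also carries `helmrelease-must-have-sa`; if that second constraint fails to become ready (for example because the ConstraintTemplate's CRD is not yet served), this Kustomization still reports Ready and anything depending on it proceeds as if HelmRelease enforcement were in place. Add a second entry so readiness covers both: `- apiVersion: constraints.gatekeeper.sh/v1beta1`, `  kind: RequiredServiceAccountName`, `  name: helmrelease-must-have-sa`. It is also worth a one-line comment that this Flux Kustomization itself sets no `serviceAccountName` and therefore reconciles under kustomize-controller's own identity, which is presumably acceptable only because `${releaseNamespace}` is not a Project namespace.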
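Review bot: Enforcement of `helmrelease-must-have-sa` hinges entirely on the `kommander.d2iq.io/managed-by-kind: "Project"` label in the `namespaceSelector`; any principal permitted to edit Namespace labels can strip that label and lift the constraint for a namespace, so that label needs to be write-protected (or the Namespace objects themselves placed out of reach of project users) for the policy to hold. The check is also presence-only: `serviceAccountName: default` or an SA with an over-broad RoleBinding satisfies it, so the real privilege boundary remains the RBAC granted to SAs in Project namespaces, and a comment such as `# Presence check only; the SA's permissions are governed by RBAC in the Project namespace.` would keep readers from over-trusting it. `enforcementAction` is unset, which Gatekeeper treats as deny, but stating `enforcementAction: deny` explicitly makes the intent visible and survives a future default change.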
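Review bot: Requiring `spec.serviceAccountName` on a Kustomization does not by itself pin the identity Flux applies with: if I read the kustomize-controller API correctly, `spec.kubeConfig.secretRef` takes precedence over `serviceAccountName`, so a Kustomization in a Project namespace that sets both would pass this constraint and still reconcile with whatever credentials the referenced Secret holds. Worth confirming against the Flux version shipped here; if it holds, a companion violation in the template along the lines of `input.review.object.spec.kubeConfig` with `msg := "spec.kubeConfig is not allowed in Project namespaces"` closes the gap for both Kustomization and HelmRelease. Separately, this constraint is byte-for-byte the helmrelease one except for the `kinds` entry; a single RequiredServiceAccountName constraint listing both apiGroup/kind pairs under `match.kinds` would keep the two `namespaceSelector`s from drifting apart over time. Note too that Gatekeeper admission only gates CREATE/UPDATE, so pre-existing Kustomizations without an SA are only surfaced by audit, not blocked.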
diff --git a/services/gatekeeper/0.6.8/constrainttemplates.yaml b/services/gatekeeper/0.6.8/constrainttemplates.yaml
new file mode 100644
index 000000000..3a0d6e510
--- /dev/null
+++ b/services/gatekeeper/0.6.8/constrainttemplates.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: gatekeeper-constraint-templates
+ namespace: ${releaseNamespace}
+spec:
+ force: false
+ prune: true
+ interval: 1m0s
+ path: ./services/gatekeeper/0.6.8/constrainttemplates
+ sourceRef:
+ kind: GitRepository
+ name: management
+ namespace: kommander-flux
+ dependsOn:
+ - name: gatekeeper
+ timeout: 60s
+ healthChecks:
+ - apiVersion: templates.gatekeeper.sh/v1beta1
+ kind: ConstraintTemplate
+ name: requiredserviceaccountname
diff --git a/services/gatekeeper/0.6.8/constrainttemplates/enforce-sa-constrainttemplate.yaml b/services/gatekeeper/0.6.8/constrainttemplates/enforce-sa-constrainttemplate.yaml
new file mode 100644
index 000000000..df70e7b03
--- /dev/null
+++ b/services/gatekeeper/0.6.8/constrainttemplates/enforce-sa-constrainttemplate.yaml
@@ -0,0 +1,20 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+ name: requiredserviceaccountname
+ annotations:
+ description: Requires the given resource to have the .spec.serviceAccountName field set.
+spec:
+ crd:
+ spec:
+ names:
+ kind: RequiredServiceAccountName
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package requiredserviceaccountname
+ violation[{"msg": msg}] {
+ value := object.get(input.review.object.spec, "serviceAccountName", "")
+ value == ""
+ msg := "must have a serviceAccountName set"
+ }
diff --git a/services/gatekeeper/0.6.8/kustomization.yaml b/services/gatekeeper/0.6.8/kustomization.yaml
index 6104538fe..274f9ff19 100644
--- a/services/gatekeeper/0.6.8/kustomization.yaml
+++ b/services/gatekeeper/0.6.8/kustomization.yaml
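Review bot: The gatekeeper-constraint-templates Kustomization is itself exempt from the policy it installs (no `serviceAccountName`, and `${releaseNamespace}` presumably does not carry the Project label), which is fine for a management component but is not stated anywhere; add `# Management-namespace Kustomization: runs as kustomize-controller, outside the Project-namespace SA constraint.` above `spec` so the exemption is deliberate rather than accidental. The `healthChecks` entry on the ConstraintTemplate is the right gate, since Gatekeeper only marks it ready after compiling the rego and serving the `RequiredServiceAccountName` CRD that the constraints Kustomization depends on; note that `timeout: 60s` may be tight on a cold cluster where the Gatekeeper webhook pods are still starting.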
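Review bot: The rego rule fails open rather than closed: `object.get(input.review.object.spec, "serviceAccountName", "")` only defaults when the key is missing from an existing `spec`, so if `spec` itself is absent or null the whole body is undefined, no violation is produced, and the object is admitted without an SA. The CRD schemas for Kustomization and HelmRelease likely require `spec`, so this may be unreachable today, but an admission policy should not depend on that; inverting the rule to deny unless a helper proves a non-empty string is present makes the default deny and also rejects a whitespace-only value. The rewritten `rego` block below replaces the single `violation` rule; the rest of the ConstraintTemplate is unchanged.

```yaml
  rego: |
    package requiredserviceaccountname

    # Deny unless has_service_account can be proven; an absent or
    # malformed spec therefore fails closed instead of slipping through.
    violation[{"msg": msg}] {
      not has_service_account
      msg := "must have a serviceAccountName set"
    }

    has_service_account {
      sa := input.review.object.spec.serviceAccountName
      is_string(sa)
      trim_space(sa) != ""
    }
```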
@@ -1,4 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - gatekeeper.yaml
+ - ./release
+ - constraints.yaml
+ - constrainttemplates.yaml
diff --git a/services/gatekeeper/0.6.8/release/kustomization.yaml b/services/gatekeeper/0.6.8/release/kustomization.yaml
new file mode 100644
index 000000000..ad4414d89
--- /dev/null
+++ b/services/gatekeeper/0.6.8/release/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - release.yaml
diff --git a/services/gatekeeper/0.6.8/gatekeeper.yaml b/services/gatekeeper/0.6.8/release/release.yaml
similarity index 100%
rename from services/gatekeeper/0.6.8/gatekeeper.yaml
rename to services/gatekeeper/0.6.8/release/release.yaml