diff --git a/Makefile b/Makefile index 21da07018d9..9be6d8e5c6d 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ DEV_TAG ?= dev USE_LOCAL_IMG ?= false ENABLE_EXTERNAL_DATA ?= false -VERSION := v3.9.0-beta.1 +VERSION := v3.9.0-beta.2 KIND_VERSION ?= 0.13.0 # note: k8s version pinned since KIND image availability lags k8s releases diff --git a/charts/gatekeeper/Chart.yaml b/charts/gatekeeper/Chart.yaml index 784279dd613..4dee0306ee7 100644 --- a/charts/gatekeeper/Chart.yaml +++ b/charts/gatekeeper/Chart.yaml @@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper name: gatekeeper keywords: - open policy agent -version: 3.9.0-beta.1 +version: 3.9.0-beta.2 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.9.0-beta.1 +appVersion: v3.9.0-beta.2 diff --git a/charts/gatekeeper/README.md b/charts/gatekeeper/README.md index 8c501c7b941..1d19efc963e 100644 --- a/charts/gatekeeper/README.md +++ b/charts/gatekeeper/README.md 
@@ -66,19 +66,19 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0-beta.1` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0-beta.2` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | -| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.9.0-beta.1` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.9.0-beta.2` | | 
preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | -| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | psp.enabled | Enabled PodSecurityPolicy | `true` | | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | -| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | | auditInterval | The frequency with which audit is run | `60` | | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | 
@@ -95,6 +95,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | | enableExternalData | Enable external data (alpha feature) | `false` | | enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | +| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | | mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | | mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | | mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | @@ -107,7 +108,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.9.0-beta.1` | +| image.release | The image release tag to use | Current release version: `v3.9.0-beta.2` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | 
@@ -121,11 +122,11 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | | controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | -| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | | audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | -| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | audit.healthPort | Health port for audit | `9090` | | audit.metricsPort | Metrics port for audit | `8888` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | 
@@ -136,8 +137,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | | service.type | Service type | `ClusterIP` | | service.loadBalancerIP | The IP address of LoadBalancer service | `` | -| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` - | +| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | | rbac.create | Enable the creation of RBAC resources | `true` | ## Contributing Changes diff --git a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 8369cbfaf52..06f82ba205f 100644 --- a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -60,6 +60,10 @@ spec: - --health-addr=:{{ .Values.audit.healthPort }} - --prometheus-port={{ .Values.audit.metricsPort }} - --enable-external-data={{ .Values.enableExternalData }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} command: - /manager env: diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index ab30510b6bc..e1a47339043 100644 --- a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -58,6 +58,10 @@ spec: - --enable-external-data={{ .Values.enableExternalData }} - --log-mutations={{ .Values.logMutations }} - --mutation-annotations={{ .Values.mutationAnnotations }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} {{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }} {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }} 
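Review bot: The new `range .Values.metricsBackends` block in the audit deployment args (and the identical block in the controller-manager deployment hunk that follows) passes each entry to `--metrics-backend` without checking it against the exporters the README names (`prometheus`, `stackdriver`, `opencensus`), so a typo presumably surfaces only when the container starts rather than at render time. A guard inside the loop such as `{{- if not (has . (list "prometheus" "stackdriver" "opencensus")) }}{{ fail (printf "unsupported metricsBackends entry: %s" .) }}{{- end }}` would reject it at `helm template`. The value also deserves a comment where it is defined, for example `# non-prometheus backends export metrics to a collector or external service; confirm egress policy and credentials before enabling`. An empty list emits no flag at all, which leaves the backend choice to the binary's default. Both arg lists continue outside their hunks.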
diff --git a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index 0b5146339ef..b24e5119880 100644 --- a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml +++ b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -48,6 +48,24 @@ webhooks: {{- end }} resources: - '*' + # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper). + # You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("' + - 'pods/ephemeralcontainers' + - 'pods/exec' + - 'pods/log' + - 'pods/eviction' + - 'pods/portforward' + - 'pods/proxy' + - 'pods/attach' + - 'pods/binding' + - 'deployments/scale' + - 'replicasets/scale' + - 'statefulsets/scale' + - 'replicationcontrollers/scale' + - 'services/proxy' + - 'nodes/proxy' + # For constraints that mitigate CVE-2020-8554 + - 'services/status' {{- end }} sideEffects: None timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml index e82ef936b28..2ef64df9b56 100644 --- a/charts/gatekeeper/values.yaml +++ b/charts/gatekeeper/values.yaml @@ -1,5 +1,6 @@ replicas: 3 auditInterval: 60 +metricsBackends: ["prometheus"] auditMatchKindOnly: false constraintViolationsLimit: 20 auditFromCache: false @@ -33,7 +34,7 @@ postInstall: enabled: true image: repository: openpolicyagent/gatekeeper-crds - tag: v3.9.0-beta.1 + tag: v3.9.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] 
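Review bot: Several entries in the new subresource list may never reach this webhook with the operations the rule declares. `pods/exec`, `pods/attach`, `pods/portforward`, `pods/proxy`, `services/proxy` and `nodes/proxy` are admitted as CONNECT requests, and `pods/log` is a read that does not pass through admission. The operations list sits above this hunk, but the `deploy/gatekeeper.yaml` hunk that repeats the list shows it ending in `- UPDATE`, so constraints written against those subresources would silently not be enforced. Either add `CONNECT` to the operations or state the limit in the comment, e.g. `# NOTE: exec/attach/portforward/proxy are only matched when CONNECT is listed under operations`. The list is also a hand-maintained snapshot, so anything outside it (for example `serviceaccounts/token`, or `/scale` on custom resources) bypasses the webhook, and the comment should say that omission fails open.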
@@ -51,7 +52,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.9.0-beta.1 + tag: v3.9.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] securityContext: @@ -66,7 +67,7 @@ preUninstall: image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.9.0-beta.1 + release: v3.9.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] podAnnotations: diff --git a/cmd/build/helmify/static/Chart.yaml b/cmd/build/helmify/static/Chart.yaml index 784279dd613..4dee0306ee7 100644 --- a/cmd/build/helmify/static/Chart.yaml +++ b/cmd/build/helmify/static/Chart.yaml @@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper name: gatekeeper keywords: - open policy agent -version: 3.9.0-beta.1 +version: 3.9.0-beta.2 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.9.0-beta.1 +appVersion: v3.9.0-beta.2 diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 725861c3dea..8ccf9255ef1 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
@@ -66,7 +66,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0-beta.1` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0-beta.2` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | 
@@ -80,7 +80,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.9.0-beta.1` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.9.0-beta.2` | | preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | @@ -116,7 +116,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.9.0-beta.1` | +| image.release | The image release tag to use | Current release version: `v3.9.0-beta.2` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | 
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index f87a25b2534..9f0eca2c8cb 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -34,7 +34,7 @@ postInstall: enabled: true image: repository: openpolicyagent/gatekeeper-crds - tag: v3.9.0-beta.1 + tag: v3.9.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -62,7 +62,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.9.0-beta.1 + tag: v3.9.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] securityContext: @@ -77,7 +77,7 @@ preUninstall: image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.9.0-beta.1 + release: v3.9.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] podAnnotations: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index c5324d3b2e7..7668f64ee87 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -52,7 +52,7 @@ spec: - "--operation=webhook" - "--operation=mutation-webhook" - "--disable-opa-builtin={http.send}" - image: openpolicyagent/gatekeeper:v3.9.0-beta.1 + image: openpolicyagent/gatekeeper:v3.9.0-beta.2 imagePullPolicy: Always name: manager ports: @@ -144,7 +144,7 @@ spec: - --disable-opa-builtin={http.send} command: - /manager - image: openpolicyagent/gatekeeper:v3.9.0-beta.1 + image: openpolicyagent/gatekeeper:v3.9.0-beta.2 env: # used by Gatekeeper - name: POD_NAMESPACE diff --git a/deploy/gatekeeper.yaml b/deploy/gatekeeper.yaml index d8abc9dc6cc..7d42f87ba5b 100644 --- a/deploy/gatekeeper.yaml +++ b/deploy/gatekeeper.yaml @@ -2447,7 +2447,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.9.0-beta.1 + image: openpolicyagent/gatekeeper:v3.9.0-beta.2 imagePullPolicy: Always livenessProbe: httpGet: 
@@ -2558,7 +2558,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.9.0-beta.1 + image: openpolicyagent/gatekeeper:v3.9.0-beta.2 imagePullPolicy: Always livenessProbe: httpGet: @@ -2692,6 +2692,21 @@ webhooks: - UPDATE resources: - '*' + - pods/ephemeralcontainers + - pods/exec + - pods/log + - pods/eviction + - pods/portforward + - pods/proxy + - pods/attach + - pods/binding + - deployments/scale + - replicasets/scale + - statefulsets/scale + - replicationcontrollers/scale + - services/proxy + - nodes/proxy + - services/status sideEffects: None timeoutSeconds: 3 - admissionReviewVersions: diff --git a/manifest_staging/charts/gatekeeper/Chart.yaml b/manifest_staging/charts/gatekeeper/Chart.yaml index 784279dd613..4dee0306ee7 100644 --- a/manifest_staging/charts/gatekeeper/Chart.yaml +++ b/manifest_staging/charts/gatekeeper/Chart.yaml @@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper name: gatekeeper keywords: - open policy agent -version: 3.9.0-beta.1 +version: 3.9.0-beta.2 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.9.0-beta.1 +appVersion: v3.9.0-beta.2 diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 725861c3dea..8ccf9255ef1 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
@@ -66,7 +66,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0-beta.1` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0-beta.2` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | 
@@ -80,7 +80,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.9.0-beta.1` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.9.0-beta.2` | | preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | @@ -116,7 +116,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.9.0-beta.1` | +| image.release | The image release tag to use | Current release version: `v3.9.0-beta.2` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | 
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index f87a25b2534..9f0eca2c8cb 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -34,7 +34,7 @@ postInstall: enabled: true image: repository: openpolicyagent/gatekeeper-crds - tag: v3.9.0-beta.1 + tag: v3.9.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -62,7 +62,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.9.0-beta.1 + tag: v3.9.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] securityContext: @@ -77,7 +77,7 @@ preUninstall: image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.9.0-beta.1 + release: v3.9.0-beta.2 pullPolicy: IfNotPresent pullSecrets: [] podAnnotations: diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index 0d2fd04d4a8..7d42f87ba5b 100644 --- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml @@ -2447,7 +2447,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.9.0-beta.1 + image: openpolicyagent/gatekeeper:v3.9.0-beta.2 imagePullPolicy: Always livenessProbe: httpGet: @@ -2558,7 +2558,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.9.0-beta.1 + image: openpolicyagent/gatekeeper:v3.9.0-beta.2 imagePullPolicy: Always livenessProbe: httpGet: