diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 0000000..b904d43
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,31 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/debian
+{
+ "name": "Debian",
+
+ // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+ "image": "mcr.microsoft.com/devcontainers/base:bookworm",
+
+ // Features to add to the dev container. More info: https://containers.dev/features.
+ "features": {
+ "ghcr.io/devcontainers/features/common-utils:2": {
+ "configureZshAsDefaultShell": true
+ },
+ "ghcr.io/devcontainers/features/kubectl-helm-minikube:1": {}
+ },
+
+ // Use 'forwardPorts' to make a list of ports inside the container available locally.
+ // "forwardPorts": [],
+
+ // Configure tool-specific properties.
+ "customizations": {
+ "vscode": {
+ "extensions": [
+ "timonwong.shellcheck"
+ ]
+ }
+ }
+
+ // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+ // "remoteUser": "root"
+}
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 886f95a..fe67739 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -22,7 +22,7 @@ jobs:
 # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - name: Checkov GitHub Action
 uses: bridgecrewio/checkov-action@v12
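Review bot: The base image and both features in the new devcontainer.json are referenced by floating tags (`base:bookworm`, `common-utils:2`, `kubectl-helm-minikube:1`), so the toolchain installed into the container can change without any change to this file. For a reproducible, auditable dev environment pin the image by digest and the features to exact versions, e.g. `"image": "mcr.microsoft.com/devcontainers/base@sha256:<image-digest>"` and `"ghcr.io/devcontainers/features/common-utils:<exact-version>"`, and let a dependency bot advance the pins. The `kubectl-helm-minikube` feature also installs minikube, which nothing else in this diff appears to need; if only kubectl and helm are wanted, the feature's options can disable it (check the feature's README for the exact option name) and a comment above `"features"` should say why it is present.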
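Review bot: `actions/checkout@v4` on the added line is still a mutable tag, so this lint job, which goes on to run third-party scanners (`bridgecrewio/checkov-action@v12` just below) with the repository token, executes whatever commit the tag points at on the day the job runs. Pin every `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, so upgrades become explicit diffs rather than silent tag moves; Dependabot and Renovate both understand this form. The same point applies to the `-50` and `-98` hunks of this file and to both release.yaml hunks; the `-98` hunk's move from `trivy-action@master` to `@0.28.0` is the right direction, but a release tag can be moved or deleted just like a branch. If the workflow has no top-level `permissions:` block (not visible in this diff), also restrict the token to the read-only scopes the scanners' upload steps allow, starting from `permissions: contents: read`.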
@@ -50,16 +50,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
 - name: Set up Helm
- uses: azure/setup-helm@v3
+ uses: azure/setup-helm@v4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
 with:
 python-version: 3.x
@@ -98,10 +98,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Run Trivy vulnerability scanner in fs mode
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
 with:
 scan-type: 'fs'
 scan-ref: '.'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4d9bae5..2292298 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
@@ -25,7 +25,7 @@ jobs:
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 - name: Install Helm
- uses: azure/setup-helm@v3
+ uses: azure/setup-helm@v4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/charts/cloudnative-pg/Chart.yaml b/charts/cloudnative-pg/Chart.yaml
index 5a71bd5..234233f 100644
--- a/charts/cloudnative-pg/Chart.yaml
+++ b/charts/cloudnative-pg/Chart.yaml
@@ -18,12 +18,12 @@ name: cloudnative-pg
 description: CloudNativePG Operator Helm Chart
 icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
 type: application
-version: "0.22.0"
+version: "0.22.1"
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning, they should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.24.0"
+appVersion: "1.24.1"
 sources:
 - https://github.com/jouve/charts
 - https://github.com/cloudnative-pg/charts
diff --git a/charts/cloudnative-pg/README.md b/charts/cloudnative-pg/README.md
index a26ae7e..b626020 100644
--- a/charts/cloudnative-pg/README.md
+++ b/charts/cloudnative-pg/README.md
@@ -1,6 +1,6 @@
 # cloudnative-pg
-![Version: 0.22.0](https://img.shields.io/badge/Version-0.22.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.24.0](https://img.shields.io/badge/AppVersion-1.24.0-informational?style=flat-square)
+![Version: 0.22.1](https://img.shields.io/badge/Version-0.22.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.24.1](https://img.shields.io/badge/AppVersion-1.24.1-informational?style=flat-square)
 CloudNativePG Operator Helm Chart
diff --git a/charts/cloudnative-pg/crds/crds.yaml b/charts/cloudnative-pg/crds/crds.yaml
index 6a91223..ddb5c9a 100644
--- a/charts/cloudnative-pg/crds/crds.yaml
+++ b/charts/cloudnative-pg/crds/crds.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 name: backups.postgresql.cnpg.io spec: group: postgresql.cnpg.io @@ -438,7 +438,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 name: clusterimagecatalogs.postgresql.cnpg.io spec: group: postgresql.cnpg.io @@ -519,7 +519,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 name: clusters.postgresql.cnpg.io spec: group: postgresql.cnpg.io @@ -662,7 +662,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -677,7 +677,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -843,7 +843,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -858,7 +858,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1021,7 +1021,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1036,7 +1036,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -1202,7 +1202,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1217,7 +1217,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1652,13 +1652,11 @@ spec: provide flexibility to customize the backup process further according to specific requirements or configurations. - Example: In a scenario where specialized backup options are required, such as setting a specific timeout or defining custom behavior, users can use this field to specify additional command arguments. - Note: It's essential to ensure that the provided arguments are valid and supported by the 'barman-cloud-backup' command, to avoid potential errors or unintended @@ -1846,13 +1844,11 @@ spec: command-line invocation. These arguments provide flexibility to customize the WAL archive process further, according to specific requirements or configurations. - Example: In a scenario where specialized backup options are required, such as setting a specific timeout or defining custom behavior, users can use this field to specify additional command arguments. - Note: It's essential to ensure that the provided arguments are valid and supported by the 'barman-cloud-wal-archive' command, to avoid potential errors or unintended 
@@ -1895,13 +1891,11 @@ spec: command-line invocation. These arguments provide flexibility to customize the WAL restore process further, according to specific requirements or configurations. - Example: In a scenario where specialized backup options are required, such as setting a specific timeout or defining custom behavior, users can use this field to specify additional command arguments. - Note: It's essential to ensure that the provided arguments are valid and supported by the 'barman-cloud-wal-restore' command, to avoid potential errors or unintended @@ -2629,9 +2623,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap or its key @@ -2696,9 +2688,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must 
@@ -2730,9 +2720,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap must be defined @@ -2753,9 +2741,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret must be defined @@ -2778,7 +2764,6 @@ spec: entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long). - An existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until @@ -2788,11 +2773,9 @@ spec: this should not be necessary, but it may be useful when manually reconstructing a broken cluster. - This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created. - Required, must not be nil. properties: metadata: 
@@ -2990,7 +2973,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- @@ -3116,13 +3099,11 @@ spec: provide flexibility to customize the backup process further according to specific requirements or configurations. - Example: In a scenario where specialized backup options are required, such as setting a specific timeout or defining custom behavior, users can use this field to specify additional command arguments. - Note: It's essential to ensure that the provided arguments are valid and supported by the 'barman-cloud-backup' command, to avoid potential errors or unintended @@ -3310,13 +3291,11 @@ spec: command-line invocation. These arguments provide flexibility to customize the WAL archive process further, according to specific requirements or configurations. - Example: In a scenario where specialized backup options are required, such as setting a specific timeout or defining custom behavior, users can use this field to specify additional command arguments. - Note: It's essential to ensure that the provided arguments are valid and supported by the 'barman-cloud-wal-archive' command, to avoid potential errors or unintended 
@@ -3359,13 +3338,11 @@ spec: command-line invocation. These arguments provide flexibility to customize the WAL restore process further, according to specific requirements or configurations. - Example: In a scenario where specialized backup options are required, such as setting a specific timeout or defining custom behavior, users can use this field to specify additional command arguments. - Note: It's essential to ensure that the provided arguments are valid and supported by the 'barman-cloud-wal-restore' command, to avoid potential errors or unintended @@ -3407,9 +3384,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must @@ -3435,9 +3410,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must 
@@ -3463,9 +3436,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must @@ -3491,9 +3462,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key must @@ -3626,7 +3595,6 @@ spec: with the additional field Ensure specifying whether to ensure the presence or absence of the role in the database - The defaults of the CREATE ROLE command are applied Reference: https://www.postgresql.org/docs/current/sql-createrole.html properties: @@ -3841,7 +3809,6 @@ spec: clients must ensure that clusterIPs[0] and clusterIP have the same value. - This field may hold a maximum of two entries (dual-stack IPs, in either order). These IPs must correspond to the values of the ipFamilies field. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. 
@@ -3921,7 +3888,6 @@ spec: NodePort, and LoadBalancer, and does apply to "headless" services. This field will be wiped when updating a Service to type ExternalName. - This field may hold a maximum of two entries (dual-stack families, in either order). These families must correspond to the values of the clusterIPs field, if specified. Both clusterIPs and ipFamilies are @@ -3992,17 +3958,14 @@ spec: This field follows standard Kubernetes label syntax. Valid values are either: - * Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). - * Kubernetes-defined prefixed names: * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - * Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol. type: string @@ -4243,7 +4206,6 @@ spec: RelabelConfig allows dynamic rewriting of the label set for targets, alerts, scraped samples and remote write samples. - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config properties: action: @@ -4251,11 +4213,9 @@ spec: description: |- Action to perform based on the regex matching. - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - Default: "Replace" enum: - replace @@ -4285,7 +4245,6 @@ spec: description: |- Modulus to take of the hash of the source label values. - Only applicable when the action is `HashMod`. format: int64 type: integer 
@@ -4298,7 +4257,6 @@ spec: Replacement value against which a Replace action is performed if the regular expression matches. - Regex capture groups are available. type: string separator: @@ -4321,11 +4279,9 @@ spec: description: |- Label to which the resulting string is written in a replacement. - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and `DropEqual` actions. - Regex capture groups are available. type: string type: object @@ -4338,7 +4294,6 @@ spec: RelabelConfig allows dynamic rewriting of the label set for targets, alerts, scraped samples and remote write samples. - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config properties: action: @@ -4346,11 +4301,9 @@ spec: description: |- Action to perform based on the regex matching. - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - Default: "Replace" enum: - replace @@ -4380,7 +4333,6 @@ spec: description: |- Modulus to take of the hash of the source label values. - Only applicable when the action is `HashMod`. format: int64 type: integer @@ -4393,7 +4345,6 @@ spec: Replacement value against which a Replace action is performed if the regular expression matches. - Regex capture groups are available. type: string separator: @@ -4416,11 +4367,9 @@ spec: description: |- Label to which the resulting string is written in a replacement. - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and `DropEqual` actions. - Regex capture groups are available. type: string type: object 
@@ -4532,9 +4481,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret or its key @@ -4711,24 +4658,24 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected along with other - supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field of ClusterTrustBundle objects in an auto-updating file. - Alpha, gated by the ClusterTrustBundleProjection feature gate. - ClusterTrustBundle objects can either be selected by name, or by the combination of signer name and a label selector. - Kubelet performs aggressive normalization of the PEM contents written into the pod filesystem. Esoteric PEM features such as inter-block comments and block headers are stripped. Certificates are deduplicated. 
@@ -4861,9 +4808,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional specify whether the ConfigMap @@ -4995,9 +4940,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional field specify whether the Secret @@ -5148,11 +5091,9 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. - This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. @@ -5163,6 +5104,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -5219,7 +5166,6 @@ spec: type indicates which kind of seccomp profile will be applied. Valid options are: - Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. @@ -5474,7 +5420,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- @@ -5732,7 +5678,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- @@ -5844,7 +5790,6 @@ spec: Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector. - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). items: type: string @@ -5884,7 +5829,6 @@ spec: Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | 
@@ -5902,7 +5846,6 @@ spec: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - If this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string @@ -5914,7 +5857,6 @@ spec: has a toleration, are included. - Ignore: node taints are ignored. All nodes are included. - If this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string @@ -6148,7 +6090,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6275,16 +6217,8 @@ spec: conditions: description: Conditions for cluster object items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -6325,12 +6259,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -6750,7 +6679,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 name: imagecatalogs.postgresql.cnpg.io spec: group: postgresql.cnpg.io 
@@ -6830,7 +6759,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 name: poolers.postgresql.cnpg.io spec: group: postgresql.cnpg.io @@ -6897,9 +6826,6 @@ spec: description: |- Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate. - --- - TODO: Update this to follow our convention for oneOf, whatever we decide it - to be. properties: maxSurge: anyOf: @@ -6961,7 +6887,6 @@ spec: RelabelConfig allows dynamic rewriting of the label set for targets, alerts, scraped samples and remote write samples. - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config properties: action: @@ -6969,11 +6894,9 @@ spec: description: |- Action to perform based on the regex matching. - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - Default: "Replace" enum: - replace @@ -7003,7 +6926,6 @@ spec: description: |- Modulus to take of the hash of the source label values. - Only applicable when the action is `HashMod`. format: int64 type: integer @@ -7016,7 +6938,6 @@ spec: Replacement value against which a Replace action is performed if the regular expression matches. - Regex capture groups are available. type: string separator: @@ -7039,11 +6960,9 @@ spec: description: |- Label to which the resulting string is written in a replacement. - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and `DropEqual` actions. - Regex capture groups are available. type: string type: object @@ -7056,7 +6975,6 @@ spec: RelabelConfig allows dynamic rewriting of the label set for targets, alerts, scraped samples and remote write samples. - More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config properties: action: 
@@ -7064,11 +6982,9 @@ spec: description: |- Action to perform based on the regex matching. - `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. - Default: "Replace" enum: - replace @@ -7098,7 +7014,6 @@ spec: description: |- Modulus to take of the hash of the source label values. - Only applicable when the action is `HashMod`. format: int64 type: integer @@ -7111,7 +7026,6 @@ spec: Replacement value against which a Replace action is performed if the regular expression matches. - Regex capture groups are available. type: string separator: @@ -7134,11 +7048,9 @@ spec: description: |- Label to which the resulting string is written in a replacement. - It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and `DropEqual` actions. - Regex capture groups are available. type: string type: object @@ -7282,7 +7194,6 @@ spec: clients must ensure that clusterIPs[0] and clusterIP have the same value. - This field may hold a maximum of two entries (dual-stack IPs, in either order). These IPs must correspond to the values of the ipFamilies field. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. @@ -7362,7 +7273,6 @@ spec: NodePort, and LoadBalancer, and does apply to "headless" services. This field will be wiped when updating a Service to type ExternalName. - This field may hold a maximum of two entries (dual-stack families, in either order). These families must correspond to the values of the clusterIPs field, if specified. Both clusterIPs and ipFamilies are 
@@ -7433,17 +7343,14 @@ spec: This field follows standard Kubernetes label syntax. Valid values are either: - * Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). - * Kubernetes-defined prefixed names: * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - * Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol. type: string @@ -7910,7 +7817,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -7925,7 +7832,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -8093,7 +8000,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -8108,7 +8015,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -8274,7 +8181,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -8289,7 +8196,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -8457,7 +8364,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -8472,7 +8379,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -8637,9 +8544,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap @@ -8708,9 +8613,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret 
@@ -8750,9 +8653,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap @@ -8774,9 +8675,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret must @@ -9067,11 +8966,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: @@ -9282,11 +9181,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: 
@@ -9435,11 +9334,9 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. - This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry @@ -9451,6 +9348,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -9574,7 +9477,7 @@ spec: procMount: description: |- procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for + The default value is Default which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. @@ -9656,7 +9559,6 @@ spec: type indicates which kind of seccomp profile will be applied. Valid options are: - Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. @@ -9738,11 +9640,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: 
@@ -9958,10 +9860,8 @@ spec: RecursiveReadOnly specifies whether read-only mounts should be handled recursively. - If ReadOnly is false, this field has no meaning and must be unspecified. - If ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only. If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime. If this @@ -9969,11 +9869,9 @@ spec: supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason. - If this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None). - If this field is not specified, it is treated as an equivalent of Disabled. type: string subPath: @@ -10082,7 +9980,6 @@ spec: removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the Pod to exceed its resource allocation. - To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers may not be removed or restarted. properties: @@ -10155,9 +10052,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap 
@@ -10226,9 +10121,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret @@ -10268,9 +10161,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap @@ -10292,9 +10183,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret must @@ -10578,11 +10467,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: 
@@ -10781,11 +10670,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: @@ -10933,11 +10822,9 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. - This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry @@ -10949,6 +10836,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -11060,7 +10953,7 @@ spec: procMount: description: |- procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for + The default value is Default which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. @@ -11142,7 +11035,6 @@ spec: type indicates which kind of seccomp profile will be applied. Valid options are: - Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. 
@@ -11217,11 +11109,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: @@ -11359,7 +11251,6 @@ spec: The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec. - The container runtime must implement support for this feature. If the runtime does not support namespace targeting then the result of setting this field is undefined. type: string @@ -11447,10 +11338,8 @@ spec: RecursiveReadOnly specifies whether read-only mounts should be handled recursively. - If ReadOnly is false, this field has no meaning and must be unspecified. - If ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only. If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime. If this @@ -11458,11 +11347,9 @@ spec: supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason. - If this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None). - If this field is not specified, it is treated as an equivalent of Disabled. type: string subPath: 
@@ -11574,9 +11461,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -11672,9 +11557,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap @@ -11743,9 +11626,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret 
@@ -11785,9 +11666,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the ConfigMap @@ -11809,9 +11688,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: Specify whether the Secret must @@ -12102,11 +11979,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: @@ -12317,11 +12194,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: 
@@ -12470,11 +12347,9 @@ spec: Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. - This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. - This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry @@ -12486,6 +12361,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -12609,7 +12490,7 @@ spec: procMount: description: |- procMount denotes the type of proc mount to use for the containers. - The default is DefaultProcMount which uses the container runtime defaults for + The default value is Default which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. @@ -12691,7 +12572,6 @@ spec: type indicates which kind of seccomp profile will be applied. Valid options are: - Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. @@ -12773,11 +12653,11 @@ spec: format: int32 type: integer service: + default: "" description: |- Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - If this is not specified, the default behavior is defined by gRPC. type: string required: 
@@ -12993,10 +12873,8 @@ spec: RecursiveReadOnly specifies whether read-only mounts should be handled recursively. - If ReadOnly is false, this field has no meaning and must be unspecified. - If ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only. If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime. If this @@ -13004,11 +12882,9 @@ spec: supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason. - If this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None). - If this field is not specified, it is treated as an equivalent of Disabled. type: string subPath: @@ -13047,9 +12923,11 @@ spec: x-kubernetes-list-type: map nodeName: description: |- - NodeName is a request to schedule this pod onto a specific node. If it is non-empty, - the scheduler simply schedules this pod onto that node, assuming that it fits resource - requirements. + NodeName indicates in which node this pod is scheduled. + If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName. + Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod. + This field should not be used to express a desire for the pod to be scheduled on a specific node. + https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename type: string nodeSelector: additionalProperties: @@ -13065,11 +12943,9 @@ spec: Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set. - If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions - If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC 
@@ -13084,6 +12960,7 @@ spec: - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups + - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile @@ -13171,15 +13048,16 @@ spec: will be made available to those containers which consume them by name. - This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. - This field is immutable. items: description: |- - PodResourceClaim references exactly one ResourceClaim through a ClaimSource. + PodResourceClaim references exactly one ResourceClaim, either directly + or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim + for the pod. + It adds a name to it that uniquely identifies the ResourceClaim inside the Pod. Containers that need access to the ResourceClaim reference it with this name. properties: 
@@ -13188,32 +13066,32 @@ spec: Name uniquely identifies this resource claim inside the pod. This must be a DNS_LABEL. type: string - source: - description: Source describes where to find the ResourceClaim. - properties: - resourceClaimName: - description: |- - ResourceClaimName is the name of a ResourceClaim object in the same - namespace as this pod. - type: string - resourceClaimTemplateName: - description: |- - ResourceClaimTemplateName is the name of a ResourceClaimTemplate - object in the same namespace as this pod. + resourceClaimName: + description: |- + ResourceClaimName is the name of a ResourceClaim object in the same + namespace as this pod. + Exactly one of ResourceClaimName and ResourceClaimTemplateName must + be set. + type: string + resourceClaimTemplateName: + description: |- + ResourceClaimTemplateName is the name of a ResourceClaimTemplate + object in the same namespace as this pod. - The template will be used to create a new ResourceClaim, which will - be bound to this pod. When this pod is deleted, the ResourceClaim - will also be deleted. The pod name and resource name, along with a - generated component, will be used to form a unique name for the - ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. + The template will be used to create a new ResourceClaim, which will + be bound to this pod. When this pod is deleted, the ResourceClaim + will also be deleted. The pod name and resource name, along with a + generated component, will be used to form a unique name for the + ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. + This field is immutable and no changes will be made to the + corresponding ResourceClaim by the control plane after creating the + ResourceClaim. - This field is immutable and no changes will be made to the - corresponding ResourceClaim by the control plane after creating the - ResourceClaim. 
- type: string - type: object + Exactly one of ResourceClaimName and ResourceClaimTemplateName must + be set. + type: string required: - name type: object @@ -13247,7 +13125,6 @@ spec: If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the scheduler will not attempt to schedule the pod. - SchedulingGates can only be set at pod creation time, and be removed only afterwards. items: description: PodSchedulingGate is associated to a Pod to @@ -13299,12 +13176,10 @@ spec: Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: - 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- - If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows. format: int64 @@ -13391,7 +13266,6 @@ spec: type indicates which kind of seccomp profile will be applied. Valid options are: - Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied. 
@@ -13401,18 +13275,28 @@ spec: type: object supplementalGroups: description: |- - A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships - defined in the container image for the uid of the container process. If unspecified, - no additional groups are added to any container. Note that group memberships - defined in the container image for the uid of the container process are still effective, - even if they are not included in this list. + A list of groups applied to the first process run in each container, in + addition to the container's primary GID and fsGroup (if specified). If + the SupplementalGroupsPolicy feature is enabled, the + supplementalGroupsPolicy field determines whether these are in addition + to or instead of any group memberships defined in the container image. + If unspecified, no additional groups are added, though group memberships + defined in the container image may still be used, depending on the + supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows. items: format: int64 type: integer type: array x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + description: |- + Defines how supplemental groups of the first container processes are calculated. + Valid values are "Merge" and "Strict". If not specified, "Merge" is used. + (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled + and the container runtime must implement support for this feature. + Note that this field cannot be set when spec.os.name is windows. + type: string sysctls: description: |- Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported 
@@ -13619,7 +13503,6 @@ spec: Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector. - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). items: type: string @@ -13659,7 +13542,6 @@ spec: Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | @@ -13677,7 +13559,6 @@ spec: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - If this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string @@ -13689,7 +13570,6 @@ spec: has a toleration, are included. - Ignore: node taints are ignored. All nodes are included. - If this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. type: string @@ -13757,7 +13637,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: description: |- @@ -13797,6 +13676,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. 
@@ -13810,6 +13690,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -13878,9 +13759,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -13922,9 +13801,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -13997,9 +13874,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional specify whether the ConfigMap 
@@ -14038,9 +13913,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -14181,7 +14054,6 @@ spec: The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed. - Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity @@ -14192,17 +14064,14 @@ spec: information on the connection between this volume type and PersistentVolumeClaim). - Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod. - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information. - A pod can use both types of ephemeral volumes and persistent volumes at the same time. properties: @@ -14216,7 +14085,6 @@ spec: entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long). - An existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until @@ -14226,11 +14094,9 @@ spec: this should not be necessary, but it may be useful when manually reconstructing a broken cluster. - This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created. - Required, must not be nil. properties: metadata: 
@@ -14434,7 +14300,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- @@ -14460,7 +14326,6 @@ spec: fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - TODO: how do we prevent errors in the filesystem from compromising the machine type: string lun: description: 'lun is Optional: FC target lun number' @@ -14528,9 +14393,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -14564,7 +14427,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from compromising the machine type: string partition: description: |- 
@@ -14645,9 +14507,6 @@ spec: used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- - TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not - mount host directories as read/write. properties: path: description: |- 
@@ -14664,6 +14523,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -14684,7 +14578,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from compromising the machine type: string initiatorName: description: |- @@ -14696,6 +14589,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). 
@@ -14728,9 +14622,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -14849,24 +14741,24 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field of ClusterTrustBundle objects in an auto-updating file. - Alpha, gated by the ClusterTrustBundleProjection feature gate. - ClusterTrustBundle objects can either be selected by name, or by the combination of signer name and a label selector. - Kubelet performs aggressive normalization of the PEM contents written into the pod filesystem. Esoteric PEM features such as inter-block comments and block headers are stripped. Certificates are deduplicated. 
@@ -15001,9 +14893,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional specify whether @@ -15145,9 +15035,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string optional: description: optional field specify whether @@ -15237,7 +15125,6 @@ spec: Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from compromising the machine type: string image: description: |- @@ -15245,6 +15132,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -15259,6 +15147,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. 
@@ -15284,13 +15173,12 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -15305,6 +15193,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -15336,9 +15225,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -15347,6 +15234,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. 
@@ -15461,9 +15349,7 @@ spec: This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. - TODO: Add other useful fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string type: object x-kubernetes-map-type: atomic @@ -15605,8 +15491,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 -s name: scheduledbackups.postgresql.cnpg.io + controller-gen.kubebuilder.io/version: v0.16.4 + name: scheduledbackups.postgresql.cnpg.io spec: group: postgresql.cnpg.io names: diff --git a/charts/cloudnative-pg/templates/rbac.yaml b/charts/cloudnative-pg/templates/rbac.yaml index 483855b..1b0d444 100644 --- a/charts/cloudnative-pg/templates/rbac.yaml +++ b/charts/cloudnative-pg/templates/rbac.yaml @@ -44,6 +44,8 @@ rules: - "" resources: - configmaps + - secrets + - services verbs: - create - delete @@ -56,6 +58,7 @@ rules: - "" resources: - configmaps/status + - secrets/status verbs: - get - patch @@ -79,27 +82,7 @@ rules: - "" resources: - persistentvolumeclaims - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - pods - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - pods/exec verbs: - create @@ -114,26 +97,6 @@ rules: - pods/status verbs: - get -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - secrets/status - verbs: - - get - - patch - - update - apiGroups: - "" resources: 
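Review bot: Folding `secrets` and `services` into the `configmaps` rule at `@@ -44,6 +44,8 @@` makes all three share one verb list, of which only `create` and `delete` fall inside the hunk; the standalone `secrets` rule removed at `@@ -114,26 +97,6 @@` carried `create, delete, get, list, patch, update, watch`, so the merge is privilege-neutral only if the configmaps rule already had exactly those seven verbs. This looks like controller-gen (the CRD annotation in this same line moves to v0.16.4) consolidating rules with identical verb sets, but the full verb list and whether this is a ClusterRole or a namespaced Role are outside the hunk, and write access to secrets is the operator's most sensitive grant, so it is worth confirming before release. A header comment such as `# Generated from the upstream cloudnative-pg operator manifests; regenerate rather than hand-edit, and diff the verb sets whenever rules are merged` would make that check cheap for the next reviewer.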
@@ -145,28 +108,10 @@ rules: - patch - update - watch -- apiGroups: - - "" - resources: - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations - verbs: - - get - - patch -- apiGroups: - - admissionregistration.k8s.io - resources: - validatingwebhookconfigurations verbs: - get @@ -229,6 +174,9 @@ rules: - postgresql.cnpg.io resources: - backups + - clusters + - poolers + - scheduledbackups verbs: - create - delete @@ -241,6 +189,7 @@ rules: - postgresql.cnpg.io resources: - backups/status + - scheduledbackups/status verbs: - get - patch @@ -249,40 +198,6 @@ rules: - postgresql.cnpg.io resources: - clusterimagecatalogs - verbs: - - get - - list - - watch -- apiGroups: - - postgresql.cnpg.io - resources: - - clusters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - postgresql.cnpg.io - resources: - - clusters/finalizers - verbs: - - update -- apiGroups: - - postgresql.cnpg.io - resources: - - clusters/status - verbs: - - get - - patch - - update - - watch -- apiGroups: - - postgresql.cnpg.io - resources: - imagecatalogs verbs: - get 
@@ -291,64 +206,24 @@ rules: - apiGroups: - postgresql.cnpg.io resources: - - poolers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - postgresql.cnpg.io - resources: + - clusters/finalizers - poolers/finalizers verbs: - update - apiGroups: - postgresql.cnpg.io resources: + - clusters/status - poolers/status verbs: - get - patch - update - watch -- apiGroups: - - postgresql.cnpg.io - resources: - - scheduledbackups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - postgresql.cnpg.io - resources: - - scheduledbackups/status - verbs: - - get - - patch - - update - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - roles verbs: - create diff --git a/charts/coredns/Chart.lock b/charts/coredns/Chart.lock index 519d134..b1dc99c 100644 --- a/charts/coredns/Chart.lock +++ b/charts/coredns/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.22.0 -digest: sha256:e66b153d2c35ef24ff65f0e17b63643843360e98a69ddfcd99b38befe00e6c37 -generated: "2024-09-09T21:34:10.334680169+02:00" + version: 2.26.0 +digest: sha256:7d6ef1ca72af8690ef0844c9521e44f011ec89d43030c11f5e46fdda229c6bb8 +generated: "2024-11-05T23:10:42.660047824+01:00" diff --git a/charts/coredns/Chart.yaml b/charts/coredns/Chart.yaml index dfce26c..22b0134 100644 --- a/charts/coredns/Chart.yaml +++ b/charts/coredns/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: coredns -version: 1.32.0 +version: 1.36.1 appVersion: 1.11.3 home: https://coredns.io icon: https://coredns.io/images/CoreDNS_Colour_Horizontal.png 
@@ -26,5 +26,5 @@ dependencies: version: 2.x.x annotations: artifacthub.io/changes: | - - kind: changed - description: Upgrade CoreDNS to 1.11.3 + - kind: fix + description: Add default values to chart to fix cluster role name templating issue diff --git a/charts/coredns/README.md b/charts/coredns/README.md index 43e15fe..33ca309 100644 --- a/charts/coredns/README.md +++ b/charts/coredns/README.md @@ -74,6 +74,7 @@ The command removes all the Kubernetes components associated with the chart and | `service.ipFamilyPolicy` | Service dual-stack policy | `""` | | `service.annotations` | Annotations to add to service | {} | | `service.selector` | Pod selector | `{}` | +| `service.trafficDistribution` | Service traffic routing strategy | | | `serviceAccount.create` | If true, create & use serviceAccount | false | | `serviceAccount.name` | If not set & create is true, use template fullname | | | `rbac.create` | If true, create & use RBAC resources | true | @@ -102,6 +103,7 @@ The command removes all the Kubernetes components associated with the chart and | `extraVolumes` | Optional array of volumes to create | [] | | `extraVolumeMounts` | Optional array of volumes to mount inside the CoreDNS container | [] | | `extraSecrets` | Optional array of secrets to mount inside the CoreDNS container | [] | +| `env` | Optional array of environment variables for CoreDNS container | [] | | `customLabels` | Optional labels for Deployment(s), Pod, Service, ServiceMonitor objects | {} | | `customAnnotations` | Optional annotations for Deployment(s), Pod, Service, ServiceMonitor objects | | `rollingUpdate.maxUnavailable` | Maximum number of unavailable replicas during rolling update | `1` | diff --git a/charts/coredns/templates/_helpers.tpl b/charts/coredns/templates/_helpers.tpl index e6f7491..954c71a 100644 --- a/charts/coredns/templates/_helpers.tpl +++ b/charts/coredns/templates/_helpers.tpl 
@@ -70,10 +70,11 @@ Generate the list of ports automatically from the server definitions {{- range .Values.servers -}} {{/* Capture port to avoid scoping awkwardness */}} {{- $port := toString .port -}} + {{- $serviceport := default .port .servicePort -}} {{/* If none of the server blocks has mentioned this port yet take note of it */}} {{- if not (hasKey $ports $port) -}} - {{- $ports := set $ports $port (dict "istcp" false "isudp" false) -}} + {{- $ports := set $ports $port (dict "istcp" false "isudp" false "serviceport" $serviceport) -}} {{- end -}} {{/* Retrieve the inner dict that holds the protocols for a given port */}} {{- $innerdict := index $ports $port -}} @@ -116,10 +117,10 @@ Generate the list of ports automatically from the server definitions {{- range $port, $innerdict := $ports -}} {{- $portList := list -}} {{- if index $innerdict "isudp" -}} - {{- $portList = append $portList (dict "port" ($port | int) "protocol" "UDP" "name" (printf "udp-%s" $port)) -}} + {{- $portList = append $portList (dict "port" (get $innerdict "serviceport") "protocol" "UDP" "name" (printf "udp-%s" $port) "targetPort" ($port | int)) -}} {{- end -}} {{- if index $innerdict "istcp" -}} - {{- $portList = append $portList (dict "port" ($port | int) "protocol" "TCP" "name" (printf "tcp-%s" $port)) -}} + {{- $portList = append $portList (dict "port" (get $innerdict "serviceport") "protocol" "TCP" "name" (printf "tcp-%s" $port) "targetPort" ($port | int)) -}} {{- end -}} {{- range $portDict := $portList -}} @@ -234,4 +235,4 @@ Create the name of the service account to use {{- else -}} {{ template "coredns.fullname" . }} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/coredns/templates/deployment.yaml b/charts/coredns/templates/deployment.yaml index c3047e9..841067e 100644 --- a/charts/coredns/templates/deployment.yaml +++ b/charts/coredns/templates/deployment.yaml 
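Review bot: In the first hunk `$serviceport` is recorded only when a port is first seen (`if not (hasKey $ports $port)`), so a `servicePort` set on a later server block that reuses the same container port is silently ignored, and two blocks with conflicting `servicePort` values render a Service that honours only the first. Consider failing the render on a conflict, e.g. `{{- else if ne (toString (get (index $ports $port) "serviceport")) (toString $serviceport) -}}` followed by `{{- fail (printf "servers: conflicting servicePort for port %s" $port) -}}` before the existing `{{- end -}}`. In the second hunk `"port" (get $innerdict "serviceport")` drops the `| int` coercion that the old `($port | int)` applied, so a quoted `servicePort: "5353"` in values would emit a string port that the API server rejects; `"port" (get $innerdict "serviceport" | int)` keeps the old behaviour.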
@@ -101,6 +101,10 @@ spec: {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8}} +{{- end }} +{{- if .Values.env }} + env: +{{- toYaml .Values.env | nindent 10}} {{- end }} resources: {{ toYaml .Values.resources | indent 10 }} diff --git a/charts/coredns/templates/service.yaml b/charts/coredns/templates/service.yaml index 84ddcf4..246ffa5 100644 --- a/charts/coredns/templates/service.yaml +++ b/charts/coredns/templates/service.yaml @@ -40,6 +40,9 @@ spec: {{- if .Values.service.loadBalancerIP }} loadBalancerIP: {{ .Values.service.loadBalancerIP }} {{- end }} + {{- if .Values.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} ports: {{ include "coredns.servicePorts" . | indent 2 -}} type: {{ default "ClusterIP" .Values.serviceType }} @@ -47,3 +50,6 @@ spec: ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} {{- end }} {{- end }} + {{- if .Values.service.trafficDistribution }} + trafficDistribution: {{ .Values.service.trafficDistribution }} + {{- end }} diff --git a/charts/coredns/values.yaml b/charts/coredns/values.yaml index 1538a59..f6b1b3b 100644 --- a/charts/coredns/values.yaml +++ b/charts/coredns/values.yaml @@ -54,9 +54,11 @@ service: # clusterIP: "" # clusterIPs: [] # loadBalancerIP: "" +# loadBalancerClass: "" # externalIPs: [] # externalTrafficPolicy: "" # ipFamilyPolicy: "" +# trafficDistribution: PreferClose # The name of the Service # If not set, a name is generated using the fullname template name: "" @@ -78,6 +80,11 @@ rbac: # If not set and create is true, a name is generated using the fullname template # name: +clusterRole: + # By default a name is generated using the fullname template. + # Override here if desired: + nameOverride: "" + # isClusterService specifies whether chart should be deployed as cluster-service or normal k8s app. isClusterService: true 
@@ -100,6 +107,8 @@ servers: - zones: - zone: . port: 53 + # -- expose the service on a different port + # servicePort: 5353 # If serviceType is nodePort you can specify nodePort here # nodePort: 30053 # hostPort: 53 @@ -253,6 +262,17 @@ extraSecrets: [] # mountPath: /etc/wherever # defaultMode: 440 +# optional array of environment variables for coredns container +# possible usecase: provides username and password for etcd user authentications +env: [] +# - name: WHATEVER_ENV +# value: whatever +# - name: SOME_SECRET_ENV +# valueFrom: +# secretKeyRef: +# name: some-secret-name +# key: secret-key + # To support legacy deployments using CoreDNS with the "k8s-app: kube-dns" label selectors. # See https://github.com/coredns/helm/blob/master/charts/coredns/README.md#adopting-existing-coredns-resources # k8sAppLabelOverride: "kube-dns" diff --git a/charts/distribution/Chart.lock b/charts/distribution/Chart.lock index 308a42e..a50eebb 100644 --- a/charts/distribution/Chart.lock +++ b/charts/distribution/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.22.0 -digest: sha256:e66b153d2c35ef24ff65f0e17b63643843360e98a69ddfcd99b38befe00e6c37 -generated: "2024-09-09T21:34:12.161953351+02:00" + version: 2.26.0 +digest: sha256:7d6ef1ca72af8690ef0844c9521e44f011ec89d43030c11f5e46fdda229c6bb8 +generated: "2024-11-05T23:10:44.472349045+01:00" diff --git a/charts/distribution/Chart.yaml b/charts/distribution/Chart.yaml index ccaae50..3190e33 100644 --- a/charts/distribution/Chart.yaml +++ b/charts/distribution/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: distribution description: A Helm chart for Kubernetes type: application -version: 0.1.4 +version: 0.1.5 appVersion: 2.8.3 dependencies: - name: common diff --git a/charts/extra/Chart.lock b/charts/extra/Chart.lock index 51c5106..a1e7dfe 100644 --- a/charts/extra/Chart.lock +++ b/charts/extra/Chart.lock 
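Review bot: The comment above the new `env: []` in values.yaml points users at it for etcd credentials, yet the first example is a literal `value: whatever`, and nothing warns that a literal value lands in the rendered Deployment, in `helm get values`, and in any committed values file. Suggest the comment read `# possible usecase: credentials for etcd user authentication - reference a Secret via valueFrom.secretKeyRef (second example); never put credentials in a literal value` so the safe form is the one people copy. The deployment template inserts the list verbatim with `toYaml .Values.env`, so the `secretKeyRef` form needs no further chart change.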
@@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.22.0 -digest: sha256:e66b153d2c35ef24ff65f0e17b63643843360e98a69ddfcd99b38befe00e6c37 -generated: "2024-09-09T21:34:13.947056866+02:00" + version: 2.26.0 +digest: sha256:7d6ef1ca72af8690ef0844c9521e44f011ec89d43030c11f5e46fdda229c6bb8 +generated: "2024-11-05T23:10:46.217969579+01:00" diff --git a/charts/extra/Chart.yaml b/charts/extra/Chart.yaml index 967ec4a..1506eaf 100644 --- a/charts/extra/Chart.yaml +++ b/charts/extra/Chart.yaml @@ -3,7 +3,7 @@ name: extra description: Deploy a list of Kubernetes resources as a release icon: https://raw.githubusercontent.com/KDE/breeze-icons/master/icons/actions/16/list-add.svg type: application -version: 0.3.8 +version: 0.3.9 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts diff --git a/charts/gatekeeper-library/Chart.yaml b/charts/gatekeeper-library/Chart.yaml index 7593818..950b234 100644 --- a/charts/gatekeeper-library/Chart.yaml +++ b/charts/gatekeeper-library/Chart.yaml @@ -3,8 +3,8 @@ name: gatekeeper-library description: A Helm chart for Kubernetes icon: https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/website/static/img/logo.svg type: application -version: 0.2.3 -appVersion: 7a9e47d11ebf99a153afaf1b35ad72de14958ae9 +version: 0.2.4 +appVersion: da229ba0e2807341b41b7e6c5eec3c2141b25e59 sources: - https://github.com/jouve/charts - https://github.com/open-policy-agent/gatekeeper-library diff --git a/charts/gatekeeper-library/kustomization.yaml b/charts/gatekeeper-library/kustomization.yaml index a7ae930..beac8a3 100644 --- a/charts/gatekeeper-library/kustomization.yaml +++ b/charts/gatekeeper-library/kustomization.yaml 
@@ -1,4 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github.com/open-policy-agent/gatekeeper-library/library?ref=7a9e47d11ebf99a153afaf1b35ad72de14958ae9 +- github.com/open-policy-agent/gatekeeper-library/library?ref=da229ba0e2807341b41b7e6c5eec3c2141b25e59 diff --git a/charts/gatekeeper-library/templates/k8spspprivilegedcontainer.yaml b/charts/gatekeeper-library/templates/k8spspprivilegedcontainer.yaml index 3c69903..9ff29a1 100644 --- a/charts/gatekeeper-library/templates/k8spspprivilegedcontainer.yaml +++ b/charts/gatekeeper-library/templates/k8spspprivilegedcontainer.yaml @@ -4,7 +4,7 @@ metadata: annotations: description: Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged metadata.gatekeeper.sh/title: Privileged Container - metadata.gatekeeper.sh/version: 1.1.1 + metadata.gatekeeper.sh/version: 1.1.2 name: k8spspprivilegedcontainer spec: crd: @@ -29,7 +29,7 @@ spec: source: validations: - expression: variables.isUpdate || size(variables.badContainers) == 0 - messageExpression: variables.badContainers.join("\n") + messageExpression: variables.badContainers.join(", ") variables: - expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []' name: containers 
@@ -52,8 +52,8 @@ spec: - expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, !(container.image in variables.exemptImages) && - (has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged == true) - ).map(container, "Privileged container is not allowed: " + container.name +", securityContext: " + container.securityContext) + (has(container.securityContext) && has(container.securityContext.privileged) && container.securityContext.privileged) + ).map(container, "Privileged container is not allowed: " + container.name +", securityContext.privileged: true") name: badContainers - expression: has(request.operation) && request.operation == "UPDATE" name: isUpdate diff --git a/charts/gatekeeper-library/templates/k8spspseccomp.yaml b/charts/gatekeeper-library/templates/k8spspseccomp.yaml index 48b66a5..6fd8ade 100644 --- a/charts/gatekeeper-library/templates/k8spspseccomp.yaml +++ b/charts/gatekeeper-library/templates/k8spspseccomp.yaml @@ -4,7 +4,7 @@ metadata: annotations: description: Controls the seccomp profile used by containers. Corresponds to the `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp metadata.gatekeeper.sh/title: Seccomp - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.1.0 name: k8spspseccomp spec: crd: 
@@ -43,216 +43,110 @@ spec: type: array type: object targets: - - libs: - - | - package lib.exempt_container - - is_exempt(container) { - exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) - img := container.image - exemption := exempt_images[_] - _matches_exemption(img, exemption) - } - - _matches_exemption(img, exemption) { - not endswith(exemption, "*") - exemption == img - } - - _matches_exemption(img, exemption) { - endswith(exemption, "*") - prefix := trim_suffix(exemption, "*") - startswith(img, prefix) - } - rego: | - package k8spspseccomp - - import data.lib.exempt_container.is_exempt - - container_annotation_key_prefix = "container.seccomp.security.alpha.kubernetes.io/" - - pod_annotation_key = "seccomp.security.alpha.kubernetes.io/pod" - - naming_translation = { - # securityContext -> annotation - "RuntimeDefault": ["runtime/default", "docker/default"], - "Unconfined": ["unconfined"], - "Localhost": ["localhost"], - # annotation -> securityContext - "runtime/default": ["RuntimeDefault"], - "docker/default": ["RuntimeDefault"], - "unconfined": ["Unconfined"], - "localhost": ["Localhost"], - } - - violation[{"msg": msg}] { - not input_wildcard_allowed_profiles - allowed_profiles := get_allowed_profiles - container := input_containers[name] - not is_exempt(container) - result := get_profile(container) - not allowed_profile(result.profile, result.file, allowed_profiles) - msg := get_message(result.profile, result.file, name, result.location, allowed_profiles) - } - - get_message(profile, _, name, location, allowed_profiles) = message { - not profile == "Localhost" - message := sprintf("Seccomp profile '%v' is not allowed for container '%v'. Found at: %v. Allowed profiles: %v", [profile, name, location, allowed_profiles]) - } - - get_message(profile, file, name, location, allowed_profiles) = message { - profile == "Localhost" - message := sprintf("Seccomp profile '%v' with file '%v' is not allowed for container '%v'. 
Found at: %v. Allowed profiles: %v", [profile, file, name, location, allowed_profiles]) - } - - input_wildcard_allowed_profiles { - input.parameters.allowedProfiles[_] == "*" - } - - input_wildcard_allowed_files { - input.parameters.allowedLocalhostFiles[_] == "*" - } - - input_wildcard_allowed_files { - "localhost/*" == input.parameters.allowedProfiles[_] - } - - # Simple allowed Profiles - allowed_profile(profile, _, allowed) { - not startswith(lower(profile), "localhost") - profile == allowed[_] - } - - # seccomp Localhost without wildcard - allowed_profile(profile, file, allowed) { - profile == "Localhost" - not input_wildcard_allowed_files - profile == allowed[_] - allowed_files := {x | x := object.get(input.parameters, "allowedLocalhostFiles", [])[_]} | get_annotation_localhost_files - file == allowed_files[_] - } - - # seccomp Localhost with wildcard - allowed_profile(profile, _, allowed) { - profile == "Localhost" - input_wildcard_allowed_files - profile == allowed[_] - } - - # annotation localhost with wildcard - allowed_profile(profile, _, allowed) { - "localhost/*" == allowed[_] - startswith(profile, "localhost/") - } - - # annotation localhost without wildcard - allowed_profile(profile, _, allowed) { - startswith(profile, "localhost/") - profile == allowed[_] - } - - # Localhost files from annotation scheme - get_annotation_localhost_files[file] { - profile := input.parameters.allowedProfiles[_] - startswith(profile, "localhost/") - file := replace(profile, "localhost/", "") - } - - # The profiles explicitly in the list - get_allowed_profiles[allowed] { - allowed := input.parameters.allowedProfiles[_] - } - - # The simply translated profiles - get_allowed_profiles[allowed] { - profile := input.parameters.allowedProfiles[_] - not startswith(lower(profile), "localhost") - allowed := naming_translation[profile][_] - } - - # Seccomp Localhost to annotation translation - get_allowed_profiles[allowed] { - profile := input.parameters.allowedProfiles[_] - 
profile == "Localhost" - file := object.get(input.parameters, "allowedLocalhostFiles", [])[_] - allowed := sprintf("%v/%v", [naming_translation[profile][_], file]) - } - - # Annotation localhost to Seccomp translation - get_allowed_profiles[allowed] { - profile := input.parameters.allowedProfiles[_] - startswith(profile, "localhost") - allowed := naming_translation.localhost[_] - } - - # Container profile as defined in pod annotation - get_profile(container) = {"profile": profile, "file": "", "location": location} { - not has_securitycontext_container(container) - not has_annotation(get_container_annotation_key(container.name)) - not has_securitycontext_pod - profile := input.review.object.metadata.annotations[pod_annotation_key] - location := sprintf("annotation %v", [pod_annotation_key]) - } - - # Container profile as defined in container annotation - get_profile(container) = {"profile": profile, "file": "", "location": location} { - not has_securitycontext_container(container) - not has_securitycontext_pod - container_annotation := get_container_annotation_key(container.name) - has_annotation(container_annotation) - profile := input.review.object.metadata.annotations[container_annotation] - location := sprintf("annotation %v", [container_annotation]) - } - - # Container profile as defined in pods securityContext - get_profile(container) = {"profile": profile, "file": file, "location": location} { - not has_securitycontext_container(container) - profile := input.review.object.spec.securityContext.seccompProfile.type - file := object.get(input.review.object.spec.securityContext.seccompProfile, "localhostProfile", "") - location := "pod securityContext" - } - - # Container profile as defined in containers securityContext - get_profile(container) = {"profile": profile, "file": file, "location": location} { - has_securitycontext_container(container) - profile := container.securityContext.seccompProfile.type - file := 
object.get(container.securityContext.seccompProfile, "localhostProfile", "") - location := "container securityContext" - } - - # Container profile missing - get_profile(container) = {"profile": "not configured", "file": "", "location": "no explicit profile found"} { - not has_annotation(get_container_annotation_key(container.name)) - not has_annotation(pod_annotation_key) - not has_securitycontext_pod - not has_securitycontext_container(container) - } - - has_annotation(annotation) { - input.review.object.metadata.annotations[annotation] - } - - has_securitycontext_pod { - input.review.object.spec.securityContext.seccompProfile - } - - has_securitycontext_container(container) { - container.securityContext.seccompProfile - } - - get_container_annotation_key(name) = annotation { - annotation := concat("", [container_annotation_key_prefix, name]) - } - - input_containers[container.name] = container { - container := input.review.object.spec.containers[_] - } - - input_containers[container.name] = container { - container := input.review.object.spec.initContainers[_] - } - - input_containers[container.name] = container { - container := input.review.object.spec.ephemeralContainers[_] - } + - code: + - engine: K8sNativeValidation + source: + validations: + - expression: size(variables.badContainerProfiles) == 0 + messageExpression: | + variables.badContainerProfiles.join(", ") + variables: + - expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []' + name: containers + - expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []' + name: initContainers + - expression: 'has(variables.anyObject.spec.ephemeralContainers) ? 
variables.anyObject.spec.ephemeralContainers : []' + name: ephemeralContainers + - expression: | + has(variables.params.allowedProfiles) && variables.params.allowedProfiles.exists(profile, profile == "*") + name: allowAllProfiles + - expression: | + !has(variables.params.exemptImages) ? [] : + variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", "")) + name: exemptImagePrefixes + - expression: "!has(variables.params.exemptImages) ? [] : \n variables.params.exemptImages.filter(image, !image.endsWith(\"*\"))\n" + name: exemptImageExplicit + - expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + container.image in variables.exemptImageExplicit || + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))).map(container, container.image) + name: exemptImages + - expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + !variables.allowAllProfiles && + !(container.image in variables.exemptImages)) + name: unverifiedContainers + - expression: | + !has(variables.params.allowedProfiles) ? [] : variables.params.allowedProfiles + name: inputAllowedProfiles + - expression: | + has(variables.params.allowedLocalhostFiles) ? variables.params.allowedLocalhostFiles : [] + name: allowedLocalhostFiles + - expression: "(variables.inputAllowedProfiles.filter(profile,\nprofile != \"Localhost\").map(profile, profile == \"Unconfined\" ? \"unconfined\" : profile)) + \n(variables.inputAllowedProfiles.exists(profile, profile == \"RuntimeDefault\") ? [\"runtime/default\", \"docker/default\"] : [])\n" + name: allowedProfilesTranslation + - expression: | + variables.inputAllowedProfiles.exists(profile, profile == "Localhost") + name: allowSecurityContextLocalhost + - expression: | + variables.allowSecurityContextLocalhost ? 
variables.params.allowedLocalhostFiles.map(file, "localhost/" + file) : [] + name: derivedAllowedLocalhostFiles + - expression: | + variables.inputAllowedProfiles.exists(profile, profile == "localhost/*") || variables.derivedAllowedLocalhostFiles.exists(profile, profile == "localhost/*") + name: localhostWildcardAllowed + - expression: | + (variables.allowedProfilesTranslation + variables.derivedAllowedLocalhostFiles) + name: allowedProfiles + - expression: | + has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seccompProfile) + name: hasPodSeccomp + - expression: | + has(variables.anyObject.metadata.annotations) && ("seccomp.security.alpha.kubernetes.io/pod" in variables.anyObject.metadata.annotations) + name: hasPodAnnotations + - expression: "variables.unverifiedContainers.filter(container, \n !(has(container.securityContext) && has(container.securityContext.seccompProfile)) && \n !(has(variables.anyObject.metadata.annotations) && ((\"container.seccomp.security.alpha.kubernetes.io/\" + container.name) in variables.anyObject.metadata.annotations)) && \n !variables.hasPodSeccomp && \n variables.hasPodAnnotations \n).map(container, {\n \"container\" : container.name,\n \"profile\" : variables.anyObject.metadata.annotations[\"seccomp.security.alpha.kubernetes.io/pod\"],\n \"file\" : dyn(\"\"),\n \"location\" : dyn(\"annotation seccomp.security.alpha.kubernetes.io/pod\"),\n})\n" + name: podAnnotationsProfiles + - expression: "variables.unverifiedContainers.filter(container, \n !(has(container.securityContext) && has(container.securityContext.seccompProfile)) && \n !variables.hasPodSeccomp && \n has(variables.anyObject.metadata.annotations) && ((\"container.seccomp.security.alpha.kubernetes.io/\" + container.name) in variables.anyObject.metadata.annotations)\n).map(container, {\n \"container\" : container.name,\n \"profile\" : variables.anyObject.metadata.annotations[\"container.seccomp.security.alpha.kubernetes.io/\" + 
container.name],\n \"file\" : dyn(\"\"),\n \"location\" : dyn(\"annotation container.seccomp.security.alpha.kubernetes.io/\" + container.name),\n})\n" + name: containerAnnotationsProfiles + - expression: | + variables.hasPodSeccomp && has(variables.anyObject.spec.securityContext.seccompProfile.localhostProfile) ? variables.anyObject.spec.securityContext.seccompProfile.localhostProfile : "" + name: podLocalHostProfile + - expression: "has(variables.hasPodSeccomp) && has(variables.anyObject.spec.securityContext.seccompProfile.type) ? \n (variables.anyObject.spec.securityContext.seccompProfile.type == \"RuntimeDefault\" ? (\n variables.allowedProfiles.exists(profile, profile == \"runtime/default\") ? \"runtime/default\" : variables.allowedProfiles.exists(profile, profile == \"docker/default\") ? \"docker/default\" : \"runtime/default\") : \n variables.anyObject.spec.securityContext.seccompProfile.type == \"Unconfined\" ? \"unconfined\" : variables.anyObject.spec.securityContext.seccompProfile.type == \"Localhost\" ? \"localhost/\" + variables.podLocalHostProfile : \"\")\n : \"\"\n" + name: canonicalPodSecurityContextProfile + - expression: "variables.unverifiedContainers.filter(container, \n !(has(container.securityContext) && has(container.securityContext.seccompProfile)) && \n variables.hasPodSeccomp\n).map(container, {\n \"container\" : container.name,\n \"profile\" : dyn(variables.canonicalPodSecurityContextProfile),\n \"file\" : variables.podLocalHostProfile,\n \"location\" : dyn(\"pod securityContext\"),\n})\n" + name: podSecurityContextProfiles + - expression: "variables.unverifiedContainers.filter(container, \n has(container.securityContext) && has(container.securityContext.seccompProfile)\n).map(container, {\n \"container\" : container.name,\n \"profile\" : dyn(has(container.securityContext.seccompProfile.type) ? (container.securityContext.seccompProfile.type == \"RuntimeDefault\" ? 
(\n variables.allowedProfiles.exists(profile, profile == \"runtime/default\") ? \"runtime/default\" : variables.allowedProfiles.exists(profile, profile == \"docker/default\") ? \"docker/default\" : \"runtime/default\") : \n container.securityContext.seccompProfile.type == \"Unconfined\" ? \"unconfined\" : container.securityContext.seccompProfile.type == \"Localhost\" ? \"localhost/\" + container.securityContext.seccompProfile.localhostProfile : \"\")\n : \"\"),\n \"file\" : has(container.securityContext.seccompProfile.localhostProfile) ? container.securityContext.seccompProfile.localhostProfile : dyn(\"\"),\n \"location\" : dyn(\"container securityContext\"),\n})\n" + name: containerSecurityContextProfiles + - expression: "variables.unverifiedContainers.filter(container, \n !(has(container.securityContext) && has(container.securityContext.seccompProfile)) && \n !(has(variables.anyObject.metadata.annotations) && ((\"container.seccomp.security.alpha.kubernetes.io/\" + container.name) in variables.anyObject.metadata.annotations)) && \n !variables.hasPodSeccomp && \n !variables.hasPodAnnotations \n).map(container, {\n \"container\" : container.name,\n \"profile\" : dyn(\"not configured\"),\n \"file\" : dyn(\"\"),\n \"location\" : dyn(\"no explicit profile found\"),\n})\n" + name: containerProfilesMissing + - expression: | + variables.podAnnotationsProfiles + variables.containerAnnotationsProfiles + variables.podSecurityContextProfiles + variables.containerSecurityContextProfiles + variables.containerProfilesMissing + name: allContainerProfiles + - expression: | + variables.allContainerProfiles.filter(badContainerProfile, + !((badContainerProfile.profile in variables.allowedProfiles) || (badContainerProfile.profile.startsWith("localhost/") && variables.localhostWildcardAllowed)) + ).map(badProfile, "Seccomp profile '" + badProfile.profile + "' is not allowed for container '" + badProfile.container + "'. Found at: " + badProfile.location + ". 
Allowed profiles: " + variables.allowedProfiles.join(", ")) + name: badContainerProfiles + - engine: Rego + source: + libs: + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } + rego: "package k8spspseccomp\n\nimport data.lib.exempt_container.is_exempt\n\ncontainer_annotation_key_prefix = \"container.seccomp.security.alpha.kubernetes.io/\"\n\npod_annotation_key = \"seccomp.security.alpha.kubernetes.io/pod\"\n\nviolation[{\"msg\": msg}] {\n not input_wildcard_allowed_profiles\n allowed_profiles := get_allowed_profiles\n container := input_containers[name]\n not is_exempt(container)\n result := get_profile(container)\n not allowed_profile(result.profile, result.file, allowed_profiles)\n msg := get_message(result.profile, result.file, name, result.location, allowed_profiles)\n}\n\nget_message(profile, _, name, location, allowed_profiles) = message {\n message := sprintf(\"Seccomp profile '%v' is not allowed for container '%v'. Found at: %v. 
Allowed profiles: %v\", [profile, name, location, allowed_profiles])\n}\n\ninput_wildcard_allowed_profiles {\n input.parameters.allowedProfiles[_] == \"*\"\n}\n\ninput_wildcard_allowed_files {\n input.parameters.allowedLocalhostFiles[_] == \"*\"\n}\n\ninput_wildcard_allowed_files {\n \"localhost/*\" == input.parameters.allowedProfiles[_]\n}\n\n# Simple allowed Profiles\nallowed_profile(profile, _, allowed) {\n not startswith(profile, \"localhost/\")\n profile == allowed[_]\n}\n\n# annotation localhost with wildcard\nallowed_profile(profile, _, allowed) {\n \"localhost/*\" == allowed[_]\n startswith(profile, \"localhost/\")\n}\n\n# annotation localhost without wildcard\nallowed_profile(profile, _, allowed) {\n startswith(profile, \"localhost/\")\n profile == allowed[_]\n}\n\n# The profiles explicitly in the list\nget_allowed_profiles[allowed] {\n allowed := input.parameters.allowedProfiles[_]\n}\n\n# Seccomp Localhost to annotation translation\nget_allowed_profiles[allowed] {\n profile := input.parameters.allowedProfiles[_]\n not contains(profile, \"/\")\n file := object.get(input.parameters, \"allowedLocalhostFiles\", [])[_]\n allowed := canonicalize_seccomp_profile({\"type\": profile, \"localhostProfile\": file}, \"\")[_]\n}\n\n# Container profile as defined in pod annotation\nget_profile(container) = {\"profile\": profile, \"file\": \"\", \"location\": location} {\n not has_securitycontext_container(container)\n not has_annotation(get_container_annotation_key(container.name))\n not has_securitycontext_pod\n profile := input.review.object.metadata.annotations[pod_annotation_key]\n location := sprintf(\"annotation %v\", [pod_annotation_key])\n}\n\n# Container profile as defined in container annotation\nget_profile(container) = {\"profile\": profile, \"file\": \"\", \"location\": location} {\n not has_securitycontext_container(container)\n not has_securitycontext_pod\n container_annotation := get_container_annotation_key(container.name)\n 
has_annotation(container_annotation)\n profile := input.review.object.metadata.annotations[container_annotation]\n location := sprintf(\"annotation %v\", [container_annotation])\n}\n\n# Container profile as defined in pods securityContext\nget_profile(container) = {\"profile\": profile, \"file\": file, \"location\": location} {\n not has_securitycontext_container(container)\n profile := canonicalize_seccomp_profile(input.review.object.spec.securityContext.seccompProfile, canonicalize_runtime_default_profile)[_]\n file := object.get(input.review.object.spec.securityContext.seccompProfile, \"localhostProfile\", \"\")\n location := \"pod securityContext\"\n}\n\n# Container profile as defined in containers securityContext\nget_profile(container) = {\"profile\": profile, \"file\": file, \"location\": location} {\n has_securitycontext_container(container)\n profile := canonicalize_seccomp_profile(container.securityContext.seccompProfile, canonicalize_runtime_default_profile)[_]\n file := object.get(container.securityContext.seccompProfile, \"localhostProfile\", \"\")\n location := \"container securityContext\"\n}\n\n# Container profile missing\nget_profile(container) = {\"profile\": \"not configured\", \"file\": \"\", \"location\": \"no explicit profile found\"} {\n not has_securitycontext_container(container)\n not has_securitycontext_pod\n not has_annotation(get_container_annotation_key(container.name))\n not has_annotation(pod_annotation_key)\n}\n\nhas_annotation(annotation) {\n input.review.object.metadata.annotations[annotation]\n}\n\nhas_securitycontext_pod {\n input.review.object.spec.securityContext.seccompProfile\n}\n\nhas_securitycontext_container(container) {\n container.securityContext.seccompProfile\n}\n\nget_container_annotation_key(name) = annotation {\n annotation := concat(\"\", [container_annotation_key_prefix, name])\n}\n\ninput_containers[container.name] = container {\n container := 
input.review.object.spec.containers[_]\n}\n\ninput_containers[container.name] = container {\n container := input.review.object.spec.initContainers[_]\n}\n\ninput_containers[container.name] = container {\n container := input.review.object.spec.ephemeralContainers[_]\n}\n\ncanonicalize_runtime_default_profile() = out {\n \"runtime/default\" == input.parameters.allowedProfiles[_]\n out := \"runtime/default\"\n} else = out {\n \"docker/default\" == input.parameters.allowedProfiles[_]\n out := \"docker/default\"\n} else = out {\n out := \"runtime/default\"\n}\n\ncanonicalize_seccomp_profile(profile, def) = out {\n profile.type == \"RuntimeDefault\"\n def == \"\" \n out := [\"runtime/default\", \"docker/default\"]\n} else = out {\n profile.type == \"RuntimeDefault\"\n def != \"\"\n out := [def]\n} else = out {\n profile.type == \"Localhost\"\n out := [sprintf(\"localhost/%s\", [profile.localhostProfile])]\n} else = out {\n profile.type == \"Unconfined\"\n out := [\"unconfined\"]\n} \n" target: admission.k8s.gatekeeper.sh diff --git a/charts/gatekeeper-library/templates/k8spspseccompv2.yaml b/charts/gatekeeper-library/templates/k8spspseccompv2.yaml new file mode 100644 index 0000000..45fda78 --- /dev/null +++ b/charts/gatekeeper-library/templates/k8spspseccompv2.yaml 
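Review bot: In the new `canonicalPodSecurityContextProfile` variable, `has(variables.hasPodSeccomp)` tests whether the variable binding exists rather than its boolean value, so the guard never short-circuits; it only avoids a missing-key error on pods without `spec.securityContext` because the variable is reached solely through `podSecurityContextProfiles`, whose filter already requires `variables.hasPodSeccomp`. Write it the way `podLocalHostProfile` does, `variables.hasPodSeccomp && has(variables.anyObject.spec.securityContext.seccompProfile.type) ?`; the same pattern appears in `podSecurityContextProfileType` in the new k8spspseccompv2.yaml. `derivedAllowedLocalhostFiles` reads `variables.params.allowedLocalhostFiles` directly, which presumably fails with a missing-key error when a constraint lists `Localhost` in `allowedProfiles` but omits `allowedLocalhostFiles`, while the guarded `allowedLocalhostFiles` variable defined just above is never referenced; `variables.allowSecurityContextLocalhost ? variables.allowedLocalhostFiles.map(file, "localhost/" + file) : []` closes that gap. On the Rego side, `canonicalize_seccomp_profile` has no final `else`, so a `seccompProfile.type` outside RuntimeDefault/Localhost/Unconfined leaves `get_profile` undefined and yields no violation, whereas the CEL path maps such a type to `""` and rejects it; a default branch would keep the two engines consistent.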
@@ -0,0 +1,248 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + annotations: + description: Controls the seccomp profile used by containers. Corresponds to the `securityContext.seccompProfile` field. Security contexts from the annotation is not considered as Kubernetes no longer reads security contexts from the annotation. + metadata.gatekeeper.sh/title: Seccomp V2 + metadata.gatekeeper.sh/version: 1.0.0 + name: k8spspseccompv2 +spec: + crd: + spec: + names: + kind: K8sPSPSeccompV2 + validation: + openAPIV3Schema: + description: Controls the seccomp profile used by containers. Corresponds to the `securityContext.seccompProfile` field. Security contexts from the annotation is not considered as Kubernetes no longer reads security contexts from the annotation. + properties: + allowedLocalhostFiles: + description: |- + When using securityContext naming scheme for seccomp and including `Localhost` this array holds the allowed profile JSON files. + Putting a `*` in this array will allows all JSON files to be used. + This field is required to allow `Localhost` in securityContext as with an empty list it will block. + items: + type: string + type: array + allowedProfiles: + description: |- + An array of allowed profile values for seccomp on Pods/Containers. + Can use the securityContext naming scheme: `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext `Localhost`, use the parameter `allowedLocalhostFiles` to list the allowed profile JSON files. + The policy code will translate between the two schemes so it is not necessary to use both. + Putting a `*` in this array allows all Profiles to be used. + This field is required since with an empty list this policy will block all workloads. + items: + type: string + type: array + exemptImages: + description: |- + Any container that uses an image that matches an entry in this list will be excluded from enforcement. Prefix-matching can be signified with `*`. 
For example: `my-image-*`. + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository. + items: + type: string + type: array + type: object + targets: + - code: + - engine: K8sNativeValidation + source: + validations: + - expression: size(variables.badContainerProfilesWithoutFiles) == 0 + messageExpression: | + variables.badContainerProfilesWithoutFiles.join(", ") + - expression: size(variables.badContainerProfilesWithFiles) == 0 + messageExpression: | + variables.badContainerProfilesWithFiles.join(", ") + variables: + - expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []' + name: containers + - expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []' + name: initContainers + - expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []' + name: ephemeralContainers + - expression: | + has(variables.params.allowedProfiles) && variables.params.allowedProfiles.exists(profile, profile == "*") + name: allowAllProfiles + - expression: | + !has(variables.params.exemptImages) ? [] : + variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", "")) + name: exemptImagePrefixes + - expression: "!has(variables.params.exemptImages) ? 
[] : \n variables.params.exemptImages.filter(image, !image.endsWith(\"*\"))\n" + name: exemptImageExplicit + - expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + container.image in variables.exemptImageExplicit || + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))).map(container, container.image) + name: exemptImages + - expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + !variables.allowAllProfiles && + !(container.image in variables.exemptImages)) + name: unverifiedContainers + - expression: | + variables.params.allowedProfiles.filter(profile, profile != "Localhost").map(profile, {"type": profile}) + name: inputNonLocalHostProfiles + - expression: | + variables.params.allowedProfiles.exists(profile, profile == "Localhost") ? variables.params.allowedLocalhostFiles.map(file, {"type": "Localhost", "localHostProfile": string(file)}) : [] + name: inputLocalHostProfiles + - expression: | + variables.inputNonLocalHostProfiles + variables.inputLocalHostProfiles + name: inputAllowedProfiles + - expression: | + has(variables.anyObject.spec.securityContext) && has(variables.anyObject.spec.securityContext.seccompProfile) + name: hasPodSeccomp + - expression: | + variables.hasPodSeccomp && has(variables.anyObject.spec.securityContext.seccompProfile.localhostProfile) ? variables.anyObject.spec.securityContext.seccompProfile.localhostProfile : "" + name: podLocalHostProfile + - expression: | + has(variables.hasPodSeccomp) && has(variables.anyObject.spec.securityContext.seccompProfile.type) ? 
variables.anyObject.spec.securityContext.seccompProfile.type + : "" + name: podSecurityContextProfileType + - expression: "variables.unverifiedContainers.filter(container, \n !(has(container.securityContext) && has(container.securityContext.seccompProfile)) && \n variables.hasPodSeccomp\n).map(container, {\n \"container\" : container.name,\n \"profile\" : dyn(variables.podSecurityContextProfileType),\n \"file\" : variables.podLocalHostProfile,\n \"location\" : dyn(\"pod securityContext\"),\n})\n" + name: podSecurityContextProfiles + - expression: "variables.unverifiedContainers.filter(container, \n has(container.securityContext) && has(container.securityContext.seccompProfile)\n).map(container, {\n \"container\" : container.name,\n \"profile\" : dyn(container.securityContext.seccompProfile.type),\n \"file\" : has(container.securityContext.seccompProfile.localhostProfile) ? container.securityContext.seccompProfile.localhostProfile : dyn(\"\"),\n \"location\" : dyn(\"container securityContext\"),\n})\n" + name: containerSecurityContextProfiles + - expression: "variables.unverifiedContainers.filter(container, \n !(has(container.securityContext) && has(container.securityContext.seccompProfile)) && \n !variables.hasPodSeccomp\n).map(container, {\n \"container\" : container.name,\n \"profile\" : dyn(\"not configured\"),\n \"file\" : dyn(\"\"),\n \"location\" : dyn(\"no explicit profile found\"),\n})\n" + name: containerProfilesMissing + - expression: | + variables.podSecurityContextProfiles + variables.containerSecurityContextProfiles + variables.containerProfilesMissing + name: allContainerProfiles + - expression: "variables.allContainerProfiles.filter(container, \n container.profile != \"Localhost\" &&\n !variables.inputAllowedProfiles.exists(profile, profile.type == container.profile)\n).map(badProfile, \"Seccomp profile '\" + badProfile.profile + \"' is not allowed for container '\" + badProfile.container + \"'. Found at: \" + badProfile.location + \". 
Allowed profiles: \" + variables.inputAllowedProfiles.map(profile, \"{\\\"type\\\": \\\"\" + profile.type + \"\\\"\" + (has(profile.localHostProfile) ? \", \\\"localHostProfile\\\": \\\"\" + profile.localHostProfile + \"\\\"}\" : \"}\")).join(\", \"))\n" + name: badContainerProfilesWithoutFiles + - expression: "variables.allContainerProfiles.filter(container, \n container.profile == \"Localhost\" &&\n !variables.inputAllowedProfiles.exists(profile, profile.type == \"Localhost\" && (has(profile.localHostProfile) && (profile.localHostProfile == container.file || profile.localHostProfile == \"*\")))\n).map(badProfile, \"Seccomp profile '\" + badProfile.profile + \"' With file '\" + badProfile.file + \"' is not allowed for container '\" + badProfile.container + \"'. Found at: \" + badProfile.location + \". Allowed profiles: \" + variables.inputAllowedProfiles.map(profile, \"{\\\"type\\\": \\\"\" + profile.type + \"\\\"\" + (has(profile.localHostProfile) ? \", \\\"localHostProfile\\\": \\\"\" + profile.localHostProfile + \"\\\"}\" : \"}\")).join(\", \"))\n" + name: badContainerProfilesWithFiles + - engine: Rego + source: + libs: + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } + rego: | + package k8spspseccomp + + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg}] { + not input_wildcard_allowed_profiles + allowed_profiles := get_allowed_profiles + container := input_containers[name] + not is_exempt(container) + result := get_profile(container) + not allowed_profile(result.profile, result.file, allowed_profiles) + msg := 
get_message(result.profile, result.file, name, result.location, allowed_profiles) + } + + get_message(profile, _, name, location, allowed_profiles) = message { + profile != "Localhost" + message := sprintf("Seccomp profile '%v' is not allowed for container '%v'. Found at: %v. Allowed profiles: %v", [profile, name, location, allowed_profiles]) + } + + get_message(profile, file, name, location, allowed_profiles) = message { + profile == "Localhost" + message := sprintf("Seccomp profile '%v' with file '%v' is not allowed for container '%v'. Found at: %v. Allowed profiles: %v", [profile, file, name, location, allowed_profiles]) + } + + input_wildcard_allowed_profiles { + input.parameters.allowedProfiles[_] == "*" + } + + input_wildcard_allowed_files { + input.parameters.allowedLocalhostFiles[_] == "*" + } + + allowed_profile(_, _, _) { + input_wildcard_allowed_profiles + } + + allowed_profile(profile, _, _) { + profile == "Localhost" + input_wildcard_allowed_files + } + + # Simple allowed Profiles + allowed_profile(profile, _, allowed) { + profile != "Localhost" + allow_profile = allowed[_] + profile == allow_profile.type + } + + # annotation localhost without wildcard + allowed_profile(profile, file, allowed) { + profile == "Localhost" + allow_profile = allowed[_] + allow_profile.type == "Localhost" + file == allow_profile.localHostProfile + } + + # The profiles explicitly in the list + get_allowed_profiles[allowed] { + profile := input.parameters.allowedProfiles[_] + profile != "Localhost" + allowed := {"type": profile} + } + + get_allowed_profiles[allowed] { + profile := input.parameters.allowedProfiles[_] + profile == "Localhost" + file := object.get(input.parameters, "allowedLocalhostFiles", [""])[_] + allowed := {"type": "Localhost", "localHostProfile": file} + } + + # Container profile as defined in containers securityContext + get_profile(container) = {"profile": profile, "file": file, "location": location} { + has_securitycontext_container(container) + profile 
:= container.securityContext.seccompProfile.type
+ file := object.get(container.securityContext.seccompProfile, "localhostProfile", "")
+ location := "container securityContext"
+ }
+
+ # Container profile as defined in pods securityContext
+ get_profile(container) = {"profile": profile, "file": file, "location": location} {
+ not has_securitycontext_container(container)
+ profile := input.review.object.spec.securityContext.seccompProfile.type
+ file := object.get(input.review.object.spec.securityContext.seccompProfile, "localhostProfile", "")
+ location := "pod securityContext"
+ }
+
+ # Container profile missing
+ get_profile(container) = {"profile": "not configured", "file": "", "location": "no explicit profile found"} {
+ not has_securitycontext_container(container)
+ not has_securitycontext_pod
+ }
+
+ has_securitycontext_pod {
+ input.review.object.spec.securityContext.seccompProfile
+ }
+
+ has_securitycontext_container(container) {
+ container.securityContext.seccompProfile
+ }
+
+ input_containers[container.name] = container {
+ container := input.review.object.spec.containers[_]
+ }
+
+ input_containers[container.name] = container {
+ container := input.review.object.spec.initContainers[_]
+ }
+
+ input_containers[container.name] = container {
+ container := input.review.object.spec.ephemeralContainers[_]
+ }
+ target: admission.k8s.gatekeeper.sh
diff --git a/charts/hnc/Chart.lock b/charts/hnc/Chart.lock
index cda81df..cd207dd 100644
--- a/charts/hnc/Chart.lock
+++ b/charts/hnc/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.22.0
-digest: sha256:e66b153d2c35ef24ff65f0e17b63643843360e98a69ddfcd99b38befe00e6c37
-generated: "2024-09-09T21:34:15.814789818+02:00"
+ version: 2.26.0
+digest: sha256:7d6ef1ca72af8690ef0844c9521e44f011ec89d43030c11f5e46fdda229c6bb8
+generated: "2024-11-05T23:10:48.23946657+01:00"
diff --git a/charts/hnc/Chart.yaml b/charts/hnc/Chart.yaml
index 67cec24..9bba3d4 100644
--- a/charts/hnc/Chart.yaml
+++ b/charts/hnc/Chart.yaml
@@ -3,7 +3,7 @@ name: hnc
description: Hierarchical Namespace Controller (HNC). Policies and delegated creation to Kubernetes namespaces.
icon: https://raw.githubusercontent.com/KDE/breeze-icons/master/icons/actions/16/view-list-tree.svg
type: application
-version: 0.6.9
+version: 0.7.0
appVersion: v1.1.0
dependencies:
- name: common
diff --git a/charts/hnc/templates/replication/controller-manager-ha.yaml b/charts/hnc/templates/replication/controller-manager-ha.yaml
index d0da933..39c0d0f 100644
--- a/charts/hnc/templates/replication/controller-manager-ha.yaml
+++ b/charts/hnc/templates/replication/controller-manager-ha.yaml
@@ -30,6 +30,7 @@ spec:
{{- end }}
{{- end }}
spec:
+ {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) | nindent 6 }}
{{- with .Values.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" . "context" $) | nindent 8 }}
{{- else }}
diff --git a/charts/hnc/templates/replication/controller-manager.yaml b/charts/hnc/templates/replication/controller-manager.yaml
index 7778389..cd48b7c 100644
--- a/charts/hnc/templates/replication/controller-manager.yaml
+++ b/charts/hnc/templates/replication/controller-manager.yaml
@@ -29,6 +29,7 @@ spec:
{{- end }}
{{- end }}
spec:
+ {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) | nindent 6 }}
containers:
- args:
- --webhook-server-port=9443
diff --git a/charts/hnc/templates/standalone/controller-manager.yaml b/charts/hnc/templates/standalone/controller-manager.yaml
index 3b5795e..bf2b59f 100644
--- a/charts/hnc/templates/standalone/controller-manager.yaml
+++ b/charts/hnc/templates/standalone/controller-manager.yaml
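Review bot: The `common.images.renderPullSecrets` include added after `spec:` in controller-manager-ha.yaml (and the identical line in replication/controller-manager.yaml and standalone/controller-manager.yaml) only emits `imagePullSecrets` when `.Values.image.pullSecrets` or `.Values.global.imagePullSecrets` is set, and no values.yaml or README change exposing those keys is visible in this diff, so for private-registry users it is presumably a silent no-op until the keys are documented. Worth confirming that values.yaml already carries an `image.pullSecrets: []` entry with a description, or adding one alongside this change. Since the same line is repeated in three templates with no explanation, a comment above each such as `# imagePullSecrets from image.pullSecrets / global.imagePullSecrets (bitnami common helper; secret names only)` would tell the next maintainer where the references come from. The helper renders secret names, not their contents, so nothing sensitive lands in the rendered manifest.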
@@ -30,6 +30,7 @@ spec:
{{- end }}
{{- end }}
spec:
+ {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) | nindent 6 }}
containers:
- args:
- --webhook-server-port=9443
diff --git a/charts/mailpit/Chart.lock b/charts/mailpit/Chart.lock
index d8b7eed..f104ff7 100644
--- a/charts/mailpit/Chart.lock
+++ b/charts/mailpit/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.22.0
-digest: sha256:e66b153d2c35ef24ff65f0e17b63643843360e98a69ddfcd99b38befe00e6c37
-generated: "2024-09-09T21:34:17.572727526+02:00"
+ version: 2.26.0
+digest: sha256:7d6ef1ca72af8690ef0844c9521e44f011ec89d43030c11f5e46fdda229c6bb8
+generated: "2024-11-05T23:10:50.069026079+01:00"
diff --git a/charts/mailpit/Chart.yaml b/charts/mailpit/Chart.yaml
index f802948..37a4dd2 100644
--- a/charts/mailpit/Chart.yaml
+++ b/charts/mailpit/Chart.yaml
@@ -3,7 +3,7 @@ name: mailpit
description: An email and SMTP testing tool with API for developers
icon: https://raw.githubusercontent.com/axllent/mailpit/develop/server/ui/mailpit.svg
type: application
-version: 0.18.5
+version: 0.18.6
appVersion: 1.21.1
dependencies:
- name: common
diff --git a/charts/postgresql/Chart.lock b/charts/postgresql/Chart.lock
index a8746ad..d3695eb 100644
--- a/charts/postgresql/Chart.lock
+++ b/charts/postgresql/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.22.0
-digest: sha256:e66b153d2c35ef24ff65f0e17b63643843360e98a69ddfcd99b38befe00e6c37
-generated: "2024-09-09T21:34:19.424410833+02:00"
+ version: 2.26.0
+digest: sha256:7d6ef1ca72af8690ef0844c9521e44f011ec89d43030c11f5e46fdda229c6bb8
+generated: "2024-11-05T23:10:51.814088157+01:00"
diff --git a/charts/postgresql/Chart.yaml b/charts/postgresql/Chart.yaml
index 0324a48..01e51b0 100644
--- a/charts/postgresql/Chart.yaml
+++ b/charts/postgresql/Chart.yaml
@@ -7,7 +7,7 @@ keywords:
- database
- postgresql
- cloudnative-pg
-version: 0.8.5
+version: 0.8.6
appVersion: "16.3"
dependencies:
- name: common
diff --git a/charts/subnamespace/Chart.lock b/charts/subnamespace/Chart.lock
index 2139fca..466e928 100644
--- a/charts/subnamespace/Chart.lock
+++ b/charts/subnamespace/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.22.0
-digest: sha256:e66b153d2c35ef24ff65f0e17b63643843360e98a69ddfcd99b38befe00e6c37
-generated: "2024-09-09T21:34:21.427617006+02:00"
+ version: 2.26.0
+digest: sha256:7d6ef1ca72af8690ef0844c9521e44f011ec89d43030c11f5e46fdda229c6bb8
+generated: "2024-11-05T23:10:53.586006845+01:00"
diff --git a/charts/subnamespace/Chart.yaml b/charts/subnamespace/Chart.yaml
index 7feaf97..49dfffa 100644
--- a/charts/subnamespace/Chart.yaml
+++ b/charts/subnamespace/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: subnamespace
description: SubnamespaceAnchor is the Schema for the subnamespace API
type: application
-version: 0.2.10
+version: 0.2.11
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
diff --git a/git-subtree-pull.sh b/git-subtree-pull.sh
index 4a60048..2866175 100755
--- a/git-subtree-pull.sh
+++ b/git-subtree-pull.sh
@@ -13,5 +13,5 @@ git_subtree_pull () {
git subtree pull "--prefix=$tgt_dir" "$tmp" "$ref"
}

-git_subtree_pull https://github.com/cloudnative-pg/charts cloudnative-pg-v0.22.0 charts/cloudnative-pg charts/cloudnative-pg
-git_subtree_pull https://github.com/coredns/helm coredns-1.32.0 charts/coredns charts/coredns
+git_subtree_pull https://github.com/cloudnative-pg/charts cloudnative-pg-v0.22.1 charts/cloudnative-pg charts/cloudnative-pg
+git_subtree_pull https://github.com/coredns/helm coredns-1.36.1 charts/coredns charts/coredns