From b34508447c307c425cca4dbaa1f80eddc93dc7f5 Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Fri, 20 Oct 2023 22:46:39 +0000
Subject: [PATCH 1/6] adding default helm values for pubsub audit connection and channel
Signed-off-by: Jaydip Gabani
---
 cmd/build/helmify/static/values.yaml | 2 ++
 manifest_staging/charts/gatekeeper/values.yaml | 2 ++
 pkg/audit/manager.go | 4 ++--
 website/docs/pubsub.md | 2 +-
 website/versioned_docs/version-v3.13.x/pubsub.md | 2 +-
 5 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index e1a872959f6..7fe5a94b3c2 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -210,6 +210,8 @@ controllerManager:
 # cidr: 0.0.0.0/0
 audit:
 enablePubsub: false
+ connection: audit-connection
+ channel: audit-channel
 hostNetwork: false
 dnsPolicy: ClusterFirst
 metricsPort: 8888
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index e1a872959f6..7fe5a94b3c2 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -210,6 +210,8 @@ controllerManager:
 # cidr: 0.0.0.0/0
 audit:
 enablePubsub: false
+ connection: audit-connection
+ channel: audit-channel
 hostNetwork: false
 dnsPolicy: ClusterFirst
 metricsPort: 8888
diff --git a/pkg/audit/manager.go b/pkg/audit/manager.go
index dc4311a9307..efa5218b724 100644
--- a/pkg/audit/manager.go
+++ b/pkg/audit/manager.go
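Review bot: The two new keys `connection: audit-connection` and `channel: audit-channel` are added without a comment, so a reader of values.yaml cannot tell that `connection` has to match the name of the connection ConfigMap (the docs in this series require a ConfigMap with `provider` and `config` in `data`) and that `channel` is the topic subscribers listen on. I would add `# connection: name of the ConfigMap holding the pubsub provider config (presumably mapped to --audit-connection)` and `# channel: name of the channel audit publishes violations to (presumably mapped to --audit-channel)` above the keys. The identical hunk in manifest_staging/charts/gatekeeper/values.yaml needs the same comments. These values mirror the flag defaults `defaultConnection`/`defaultChannel` in pkg/audit/manager.go, so a note that they must be kept in sync with those constants would save the next maintainer a search.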
@@ -66,8 +66,8 @@ var (
 auditEventsInvolvedNamespace = flag.Bool("audit-events-involved-namespace", false, "emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will still follow the default behavior")
 auditMatchKindOnly = flag.Bool("audit-match-kind-only", false, "only use kinds specified in all constraints for auditing cluster resources. if kind is not specified in any of the constraints, it will audit all resources (same as setting this flag to false)")
 apiCacheDir = flag.String("api-cache-dir", defaultAPICacheDir, "The directory where audit from api server cache are stored, defaults to /tmp/audit")
- auditConnection = flag.String("audit-connection", defaultConnection, "Connection name for publishing audit violation messages")
- auditChannel = flag.String("audit-channel", defaultChannel, "Channel name for publishing audit violation messages")
+ auditConnection = flag.String("audit-connection", defaultConnection, "Connection name for publishing audit violation messages. Defaults to audit-connection")
+ auditChannel = flag.String("audit-channel", defaultChannel, "Channel name for publishing audit violation messages. Defaults to audit-channel")
 emptyAuditResults []updateListEntry
 logStatsAudit = flag.Bool("log-stats-audit", false, "(alpha) log stats metrics for the audit run")
 )
diff --git a/website/docs/pubsub.md b/website/docs/pubsub.md
index ddbbac0d67f..c934d30d3b4 100644
--- a/website/docs/pubsub.md
+++ b/website/docs/pubsub.md
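Review bot: The new help strings hard-code "Defaults to audit-connection" and "Defaults to audit-channel" next to defaults that are passed as the constants `defaultConnection` and `defaultChannel`, so the text will silently drift if either constant changes. The `flag` package already appends `(default "audit-connection")` to each usage line from the actual default value, so the suffix is redundant as well. I would keep the original strings, `"Connection name for publishing audit violation messages"` and `"Channel name for publishing audit violation messages"`, or, if the wording is wanted, build it from the constant: `"Connection name for publishing audit violation messages. Defaults to "+defaultConnection`. The enclosing `var (` block starts outside the hunk.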
@@ -19,7 +19,7 @@ Install prerequisites such as a pubsub tool, a message broker etc.
 ### Setting up audit with pubsub enabled
-In the audit deployment, set the `--enable-pub-sub` flag to `true` to publish audit violations. Additionally, `--audit-connection` and `--audit-channel` flags must be set to allow audit to publish violations. `--audit-connection` must be set to the name of the connection config, and `--audit-channel` must be set to name of the channel where violations should get published.
+In the audit deployment, set the `--enable-pub-sub` flag to `true` to publish audit violations. Additionally, use `--audit-connection` and `--audit-channel` flags to allow audit to publish violations using desired connection onto desired channel. `--audit-connection` must be set to the name of the connection config, and `--audit-channel` must be set to name of the channel where violations should get published.
 Create a connection configMap that supplies [a provider-specific configuration](pubsub-driver-walkthrough.md#how-to-use-different-providers) for a connection to get established. For instance, to establish a connection that uses Dapr to publish messages this configMap is appropriate:
diff --git a/website/versioned_docs/version-v3.13.x/pubsub.md b/website/versioned_docs/version-v3.13.x/pubsub.md
index ddbbac0d67f..c934d30d3b4 100644
--- a/website/versioned_docs/version-v3.13.x/pubsub.md
+++ b/website/versioned_docs/version-v3.13.x/pubsub.md
@@ -19,7 +19,7 @@ Install prerequisites such as a pubsub tool, a message broker etc.
 ### Setting up audit with pubsub enabled
-In the audit deployment, set the `--enable-pub-sub` flag to `true` to publish audit violations. Additionally, `--audit-connection` and `--audit-channel` flags must be set to allow audit to publish violations. `--audit-connection` must be set to the name of the connection config, and `--audit-channel` must be set to name of the channel where violations should get published.
+In the audit deployment, set the `--enable-pub-sub` flag to `true` to publish audit violations. Additionally, use `--audit-connection` and `--audit-channel` flags to allow audit to publish violations using desired connection onto desired channel. `--audit-connection` must be set to the name of the connection config, and `--audit-channel` must be set to name of the channel where violations should get published.
 Create a connection configMap that supplies [a provider-specific configuration](pubsub-driver-walkthrough.md#how-to-use-different-providers) for a connection to get established. For instance, to establish a connection that uses Dapr to publish messages this configMap is appropriate:
From 35cfabca920d4fae198260dcf709a80349a1bd64 Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Mon, 23 Oct 2023 18:53:54 +0000
Subject: [PATCH 2/6] improving pubsub doc
Signed-off-by: Jaydip Gabani
---
 website/docs/pubsub.md | 300 +++++++++---------
 .../versioned_docs/version-v3.13.x/pubsub.md | 300 +++++++++---------
 2 files changed, 306 insertions(+), 294 deletions(-)
diff --git a/website/docs/pubsub.md b/website/docs/pubsub.md
index c934d30d3b4..2169fec1a07 100644
--- a/website/docs/pubsub.md
+++ b/website/docs/pubsub.md
@@ -19,15 +19,15 @@ Install prerequisites such as a pubsub tool, a message broker etc. ### Setting up audit with pubsub enabled -In the audit deployment, set the `--enable-pub-sub` flag to `true` to publish audit violations. Additionally, use `--audit-connection` and `--audit-channel` flags to allow audit to publish violations using desired connection onto desired channel. `--audit-connection` must be set to the name of the connection config, and `--audit-channel` must be set to name of the channel where violations should get published. +In the audit deployment, set the `--enable-pub-sub` flag to `true` to publish audit violations. Additionally, use `--audit-connection` (defaults to `audit-connection`) and `--audit-channel`(defaults to `audit-channel`) flags to allow audit to publish violations using desired connection onto desired channel. `--audit-connection` must be set to the name of the connection config, and `--audit-channel` must be set to name of the channel where violations should get published. -Create a connection configMap that supplies [a provider-specific configuration](pubsub-driver-walkthrough.md#how-to-use-different-providers) for a connection to get established. For instance, to establish a connection that uses Dapr to publish messages this configMap is appropriate: +A ConfigMap that contains `provider` and `config` fields in `data` is required to establish connection for sending violations over the channel. Following is an example ConfigMap to establish a connection that uses Dapr to publish messages: ```yaml apiVersion: v1 kind: ConfigMap metadata: - name: audit-pubsub-connection + name: audit-connection namespace: gatekeeper-system data: provider: "dapr" 
@@ -43,185 +43,191 @@ data: #### Available Pubsub drivers Dapr: https://dapr.io/ -### Violations - -The audit pod publishes violations in following format: - -```json -{ - "id": "2023-07-18T21:21:52Z", - "details": { - "missing_labels": [ - "test" - ] - }, - "eventType": "violation_audited", - "group": "constraints.gatekeeper.sh", - "version": "v1beta1", - "kind": "K8sRequiredLabels", - "name": "pod-must-have-test", - "message": "you must provide labels: {\"test\"}", - "enforcementAction": "deny", - "resourceAPIVersion": "v1", - "resourceKind": "Pod", - "resourceNamespace": "nginx", - "resourceName": "nginx-deployment-cd55c47f5-2b84x", - "resourceLabels": { - "app": "nginx", - "pod-template-hash": "cd55c47f5" - } -} -``` - ### Quick start with publishing violations using Dapr and Redis -> Redis is used for example purposes only. Dapr supports [many different state store options](https://docs.dapr.io/reference/components-reference/supported-state-stores/). - #### Prerequisites 1. Install Dapr - To install Dapr with specific requirements and configuration, please refer to [Dapr docs](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-deploy/). - > Dapr is installed with mtls enabled by default, for more details on the same plaase refer to [Dapr security](https://docs.dapr.io/operations/security/mtls/#setting-up-mtls-with-the-configuration-resource). + To install Dapr with specific requirements and configuration, please refer to [Dapr docs](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-deploy/). + > Make sure to set `SIDECAR_DROP_ALL_CAPABILITIES` environment variable on `dapr-sidecar` injector pod to `true` to avoid getting `PodSecurity violation` errors for the injected sidecar container as Gatekeeper by default requires workloads to run with [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) policy. 
If using helm charts to install Dapr, you can use `--set dapr_sidecar_injector.sidecarDropALLCapabilities=true`. Additionally, [configure appropriate seccompProfile for sidecar containers](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#configure-seccompprofile-for-sidecar-containers) injected by Dapr to avoid getting `PodSecurity violation` errors. + + > Dapr is installed with mtls enabled by default, for more details on the same please refer to [Dapr security](https://docs.dapr.io/operations/security/mtls/#setting-up-mtls-with-the-configuration-resource). 2. Install Redis Please refer to [this](https://docs.dapr.io/getting-started/tutorials/configure-state-pubsub/#step-1-create-a-redis-store) guide to install Redis. - > To install Redis with TLS, please refer to [this](https://docs.bitnami.com/kubernetes/infrastructure/redis-cluster/administration/enable-tls/) doc. + > Redis is used for example purposes only. Dapr supports [many different state store options](https://docs.dapr.io/reference/components-reference/supported-state-stores/). To install Redis with TLS, please refer to [this](https://docs.bitnami.com/kubernetes/infrastructure/redis-cluster/administration/enable-tls/) doc. #### Configure a sample subscriber to receive violations 1. Create `fake-subscriber` namespace and redis secret -```shell -kubectl create ns fake-subscriber -kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: fake-subscriber/' | kubectl apply -f - # creating redis secret in subscriber namespace to allow dapr sidecar to connect to redis instance -``` + ```shell + kubectl create ns fake-subscriber + # creating redis secret in subscriber namespace to allow dapr sidecar to connect to redis instance + kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: fake-subscriber/' | kubectl apply -f - + ``` 2. 
Create Dapr pubsub component -```shell -kubectl apply -f < Please use [this guide](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-redis/) to properly configure Redis pubsub component for Dapr. + + ```shell + kubectl apply -f < Please use [this guide](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-redis/) to properly configure Redis pubsub component for Dapr. 3. Deploy subscriber application -```yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sub - namespace: fake-subscriber - labels: - app: sub -spec: - replicas: 1 - selector: - matchLabels: - app: sub - template: + + ```yaml + apiVersion: apps/v1 + kind: Deployment metadata: + name: sub + namespace: fake-subscriber labels: app: sub - annotations: - dapr.io/enabled: "true" - dapr.io/app-id: "subscriber" - dapr.io/enable-api-logging: "true" - dapr.io/app-port: "6002" spec: - containers: - - name: go-sub - image: fake-subscriber:latest - imagePullPolicy: Never -``` -**Note:** Dockerfile to build image for fake-subscriber is under [gatekeeper/test/fake-subscriber](https://github.com/open-policy-agent/gatekeeper/tree/master/test/pubsub/fake-subscriber). You can find make rule to build and deploy subscriber in [Makefile](https://github.com/open-policy-agent/gatekeeper/blob/master/Makefile) under name `e2e-subscriber-build-load-image` and `e2e-subscriber-deploy`. + replicas: 1 + selector: + matchLabels: + app: sub + template: + metadata: + labels: + app: sub + annotations: + dapr.io/enabled: "true" + dapr.io/app-id: "subscriber" + dapr.io/enable-api-logging: "true" + dapr.io/app-port: "6002" + spec: + containers: + - name: go-sub + image: fake-subscriber:latest + imagePullPolicy: Never + ``` + + **Note:** Dockerfile to build image for fake-subscriber is under [gatekeeper/test/fake-subscriber](https://github.com/open-policy-agent/gatekeeper/tree/master/test/pubsub/fake-subscriber). #### Configure Gatekeeper with Pubsub enabled 1. 
Create Dapr pubsub component and Redis secret in Gatekeeper's namespace (`gatekeeper-system` by default). Please make sure to update `gatekeeper-system` namespace for the next steps if your cluster's Gatekeeper namespace is different. -```shell -kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: gatekeeper-system/' | kubectl apply -f - -kubectl apply -f - < .tmp/annotations.yaml # auditPodAnnotations is used to add annotations required by Dapr to inject sidecar to audit pod -helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system \ ---set audit.enablePubsub=true \ ---set audit.connection=audit-pubsub-connection \ ---set audit.channel=audit \ ---values .tmp/annotations.yaml -``` - -**Note:** Verify that after the audit pod is running there is a dapr sidecar injected and running along side `manager` container. + ```shell + kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: gatekeeper-system/' | kubectl apply -f - + kubectl apply -f - < /tmp/annotations.yaml + helm upgrade --install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system \ + --set audit.enablePubsub=true \ + --set audit.connection=audit-connection \ + --set audit.channel=audit-channel \ + --values /tmp/annotations.yaml + ``` + + **Note:** Verify that after the audit pod is running there is a dapr sidecar injected and running along side `manager` container. 3. Create connection config to establish a connection. -```shell -kubectl apply -f - < Redis is used for example purposes only. Dapr supports [many different state store options](https://docs.dapr.io/reference/components-reference/supported-state-stores/). - #### Prerequisites 1. Install Dapr - To install Dapr with specific requirements and configuration, please refer to [Dapr docs](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-deploy/). 
- > Dapr is installed with mtls enabled by default, for more details on the same plaase refer to [Dapr security](https://docs.dapr.io/operations/security/mtls/#setting-up-mtls-with-the-configuration-resource). + To install Dapr with specific requirements and configuration, please refer to [Dapr docs](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-deploy/). + > Make sure to set `SIDECAR_DROP_ALL_CAPABILITIES` environment variable on `dapr-sidecar` injector pod to `true` to avoid getting `PodSecurity violation` errors for the injected sidecar container as Gatekeeper by default requires workloads to run with [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) policy. If using helm charts to install Dapr, you can use `--set dapr_sidecar_injector.sidecarDropALLCapabilities=true`. Additionally, [configure appropriate seccompProfile for sidecar containers](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#configure-seccompprofile-for-sidecar-containers) injected by Dapr to avoid getting `PodSecurity violation` errors. + + > Dapr is installed with mtls enabled by default, for more details on the same please refer to [Dapr security](https://docs.dapr.io/operations/security/mtls/#setting-up-mtls-with-the-configuration-resource). 2. Install Redis Please refer to [this](https://docs.dapr.io/getting-started/tutorials/configure-state-pubsub/#step-1-create-a-redis-store) guide to install Redis. - > To install Redis with TLS, please refer to [this](https://docs.bitnami.com/kubernetes/infrastructure/redis-cluster/administration/enable-tls/) doc. + > Redis is used for example purposes only. Dapr supports [many different state store options](https://docs.dapr.io/reference/components-reference/supported-state-stores/). To install Redis with TLS, please refer to [this](https://docs.bitnami.com/kubernetes/infrastructure/redis-cluster/administration/enable-tls/) doc. 
#### Configure a sample subscriber to receive violations 1. Create `fake-subscriber` namespace and redis secret -```shell -kubectl create ns fake-subscriber -kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: fake-subscriber/' | kubectl apply -f - # creating redis secret in subscriber namespace to allow dapr sidecar to connect to redis instance -``` + ```shell + kubectl create ns fake-subscriber + # creating redis secret in subscriber namespace to allow dapr sidecar to connect to redis instance + kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: fake-subscriber/' | kubectl apply -f - + ``` 2. Create Dapr pubsub component -```shell -kubectl apply -f < Please use [this guide](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-redis/) to properly configure Redis pubsub component for Dapr. + + ```shell + kubectl apply -f < Please use [this guide](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-redis/) to properly configure Redis pubsub component for Dapr. 3. Deploy subscriber application -```yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sub - namespace: fake-subscriber - labels: - app: sub -spec: - replicas: 1 - selector: - matchLabels: - app: sub - template: + + ```yaml + apiVersion: apps/v1 + kind: Deployment metadata: + name: sub + namespace: fake-subscriber labels: app: sub - annotations: - dapr.io/enabled: "true" - dapr.io/app-id: "subscriber" - dapr.io/enable-api-logging: "true" - dapr.io/app-port: "6002" spec: - containers: - - name: go-sub - image: fake-subscriber:latest - imagePullPolicy: Never -``` -**Note:** Dockerfile to build image for fake-subscriber is under [gatekeeper/test/fake-subscriber](https://github.com/open-policy-agent/gatekeeper/tree/master/test/pubsub/fake-subscriber). 
You can find make rule to build and deploy subscriber in [Makefile](https://github.com/open-policy-agent/gatekeeper/blob/master/Makefile) under name `e2e-subscriber-build-load-image` and `e2e-subscriber-deploy`. + replicas: 1 + selector: + matchLabels: + app: sub + template: + metadata: + labels: + app: sub + annotations: + dapr.io/enabled: "true" + dapr.io/app-id: "subscriber" + dapr.io/enable-api-logging: "true" + dapr.io/app-port: "6002" + spec: + containers: + - name: go-sub + image: fake-subscriber:latest + imagePullPolicy: Never + ``` + + **Note:** Dockerfile to build image for fake-subscriber is under [gatekeeper/test/fake-subscriber](https://github.com/open-policy-agent/gatekeeper/tree/master/test/pubsub/fake-subscriber). #### Configure Gatekeeper with Pubsub enabled 1. Create Dapr pubsub component and Redis secret in Gatekeeper's namespace (`gatekeeper-system` by default). Please make sure to update `gatekeeper-system` namespace for the next steps if your cluster's Gatekeeper namespace is different. -```shell -kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: gatekeeper-system/' | kubectl apply -f - -kubectl apply -f - < .tmp/annotations.yaml # auditPodAnnotations is used to add annotations required by Dapr to inject sidecar to audit pod -helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system \ ---set audit.enablePubsub=true \ ---set audit.connection=audit-pubsub-connection \ ---set audit.channel=audit \ ---values .tmp/annotations.yaml -``` - -**Note:** Verify that after the audit pod is running there is a dapr sidecar injected and running along side `manager` container. 
+ ```shell + kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: gatekeeper-system/' | kubectl apply -f - + kubectl apply -f - < /tmp/annotations.yaml + helm upgrade --install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system \ + --set audit.enablePubsub=true \ + --set audit.connection=audit-connection \ + --set audit.channel=audit-channel \ + --values /tmp/annotations.yaml + ``` + + **Note:** Verify that after the audit pod is running there is a dapr sidecar injected and running along side `manager` container. 3. Create connection config to establish a connection. -```shell -kubectl apply -f - < Date: Mon, 23 Oct 2023 20:30:30 +0000 Subject: [PATCH 3/6] addressing nits and updating Signed-off-by: Jaydip Gabani --- website/docs/pubsub.md | 14 +++++++++----- website/versioned_docs/version-v3.13.x/pubsub.md | 14 +++++++++----- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/website/docs/pubsub.md b/website/docs/pubsub.md index 2169fec1a07..51f072662ee 100644 --- a/website/docs/pubsub.md +++ b/website/docs/pubsub.md 
@@ -50,7 +50,9 @@ Dapr: https://dapr.io/ 1. Install Dapr To install Dapr with specific requirements and configuration, please refer to [Dapr docs](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-deploy/). - > Make sure to set `SIDECAR_DROP_ALL_CAPABILITIES` environment variable on `dapr-sidecar` injector pod to `true` to avoid getting `PodSecurity violation` errors for the injected sidecar container as Gatekeeper by default requires workloads to run with [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) policy. If using helm charts to install Dapr, you can use `--set dapr_sidecar_injector.sidecarDropALLCapabilities=true`. Additionally, [configure appropriate seccompProfile for sidecar containers](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#configure-seccompprofile-for-sidecar-containers) injected by Dapr to avoid getting `PodSecurity violation` errors. + > [!IMPORTANT] + > - Make sure to set `SIDECAR_DROP_ALL_CAPABILITIES` environment variable on `dapr-sidecar` injector pod to `true` to avoid getting `PodSecurity violation` errors for the injected sidecar container as Gatekeeper by default requires workloads to run with [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) policy. If using helm charts to install Dapr, you can use `--set dapr_sidecar_injector.sidecarDropALLCapabilities=true`. + > - Additionally, [configure appropriate seccompProfile for sidecar containers](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#configure-seccompprofile-for-sidecar-containers) injected by Dapr to avoid getting `PodSecurity violation` errors. > Dapr is installed with mtls enabled by default, for more details on the same please refer to [Dapr security](https://docs.dapr.io/operations/security/mtls/#setting-up-mtls-with-the-configuration-resource). 
@@ -73,7 +75,7 @@ Dapr: https://dapr.io/ 2. Create Dapr pubsub component ```shell - kubectl apply -f < [!IMPORTANT] + > Please make sure `fake-subscriber` image is built and available in your cluster. Dockerfile to build image for `fake-subscriber` is under [gatekeeper/test/fake-subscriber](https://github.com/open-policy-agent/gatekeeper/tree/master/test/pubsub/fake-subscriber). #### Configure Gatekeeper with Pubsub enabled -1. Create Dapr pubsub component and Redis secret in Gatekeeper's namespace (`gatekeeper-system` by default). Please make sure to update `gatekeeper-system` namespace for the next steps if your cluster's Gatekeeper namespace is different. +1. Create Gatekeeper namespace, and create Dapr pubsub component and Redis secret in Gatekeeper's namespace (`gatekeeper-system` by default). Please make sure to update `gatekeeper-system` namespace for the next steps if your cluster's Gatekeeper namespace is different. ```shell + kubectl create namespace gatekeeper-system kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: gatekeeper-system/' | kubectl apply -f - kubectl apply -f - < /tmp/annotations.yaml + echo 'auditPodAnnotations: {dapr.io/enabled: "true", dapr.io/app-id: "audit", dapr.io/metrics-port: "9999", dapr.io/sidecar-seccomp-profile-type: "RuntimeDefault"}' > /tmp/annotations.yaml helm upgrade --install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system \ --set audit.enablePubsub=true \ --set audit.connection=audit-connection \ diff --git a/website/versioned_docs/version-v3.13.x/pubsub.md b/website/versioned_docs/version-v3.13.x/pubsub.md index 2169fec1a07..dac9ebd53d9 100644 --- a/website/versioned_docs/version-v3.13.x/pubsub.md +++ b/website/versioned_docs/version-v3.13.x/pubsub.md 
@@ -50,7 +50,9 @@ Dapr: https://dapr.io/ 1. Install Dapr To install Dapr with specific requirements and configuration, please refer to [Dapr docs](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-deploy/). - > Make sure to set `SIDECAR_DROP_ALL_CAPABILITIES` environment variable on `dapr-sidecar` injector pod to `true` to avoid getting `PodSecurity violation` errors for the injected sidecar container as Gatekeeper by default requires workloads to run with [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) policy. If using helm charts to install Dapr, you can use `--set dapr_sidecar_injector.sidecarDropALLCapabilities=true`. Additionally, [configure appropriate seccompProfile for sidecar containers](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#configure-seccompprofile-for-sidecar-containers) injected by Dapr to avoid getting `PodSecurity violation` errors. + > [!IMPORTANT] + > - Make sure to set `SIDECAR_DROP_ALL_CAPABILITIES` environment variable on `dapr-sidecar` injector pod to `true` to avoid getting `PodSecurity violation` errors for the injected sidecar container as Gatekeeper by default requires workloads to run with [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) policy. If using helm charts to install Dapr, you can use `--set dapr_sidecar_injector.sidecarDropALLCapabilities=true`. + > - Additionally, [configure appropriate seccompProfile for sidecar containers](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#configure-seccompprofile-for-sidecar-containers) injected by Dapr to avoid getting `PodSecurity violation` errors. > Dapr is installed with mtls enabled by default, for more details on the same please refer to [Dapr security](https://docs.dapr.io/operations/security/mtls/#setting-up-mtls-with-the-configuration-resource). 
@@ -73,7 +75,7 @@ Dapr: https://dapr.io/ 2. Create Dapr pubsub component ```shell - kubectl apply -f < [!IMPORTANT] + > Please make sure `fake-subscriber` image is built and available in your cluster. Dockerfile to build image for `fake-subscriber` is under [gatekeeper/test/fake-subscriber](https://github.com/open-policy-agent/gatekeeper/tree/master/test/pubsub/fake-subscriber). #### Configure Gatekeeper with Pubsub enabled -1. Create Dapr pubsub component and Redis secret in Gatekeeper's namespace (`gatekeeper-system` by default). Please make sure to update `gatekeeper-system` namespace for the next steps if your cluster's Gatekeeper namespace is different. +1. Create Gatekeeper namespace, and Dapr pubsub component and Redis secret in Gatekeeper's namespace (`gatekeeper-system` by default). Please make sure to update `gatekeeper-system` namespace for the next steps if your cluster's Gatekeeper namespace is different. ```shell + kubectl create namespace gatekeeper-system kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: gatekeeper-system/' | kubectl apply -f - kubectl apply -f - < /tmp/annotations.yaml + echo 'auditPodAnnotations: {dapr.io/enabled: "true", dapr.io/app-id: "audit", dapr.io/metrics-port: "9999", dapr.io/sidecar-seccomp-profile-type: "RuntimeDefault"}' > /tmp/annotations.yaml helm upgrade --install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system \ --set audit.enablePubsub=true \ --set audit.connection=audit-connection \ From 981d7ce7b95b0d22d43c2d873653b139cfcc0aec Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Tue, 24 Oct 2023 17:27:23 +0000 Subject: [PATCH 4/6] updating helm command to install gatekeeper in pubsub doc Signed-off-by: Jaydip Gabani --- website/docs/pubsub.md | 2 +- website/versioned_docs/version-v3.13.x/pubsub.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/website/docs/pubsub.md b/website/docs/pubsub.md
index 51f072662ee..08babf33921 100644
--- a/website/docs/pubsub.md
+++ b/website/docs/pubsub.md
@@ -161,7 +161,7 @@ Dapr: https://dapr.io/
 ```shell
 # auditPodAnnotations is used to add annotations required by Dapr to inject sidecar to audit pod
 echo 'auditPodAnnotations: {dapr.io/enabled: "true", dapr.io/app-id: "audit", dapr.io/metrics-port: "9999", dapr.io/sidecar-seccomp-profile-type: "RuntimeDefault"}' > /tmp/annotations.yaml
- helm upgrade --install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system \
+ helm upgrade --install gatekeeper/gatekeeper --namespace gatekeeper-system \
 --set audit.enablePubsub=true \
 --set audit.connection=audit-connection \
 --set audit.channel=audit-channel \
diff --git a/website/versioned_docs/version-v3.13.x/pubsub.md b/website/versioned_docs/version-v3.13.x/pubsub.md
index dac9ebd53d9..570354aceb3 100644
--- a/website/versioned_docs/version-v3.13.x/pubsub.md
+++ b/website/versioned_docs/version-v3.13.x/pubsub.md
@@ -161,7 +161,7 @@ Dapr: https://dapr.io/
 ```shell
 # auditPodAnnotations is used to add annotations required by Dapr to inject sidecar to audit pod
 echo 'auditPodAnnotations: {dapr.io/enabled: "true", dapr.io/app-id: "audit", dapr.io/metrics-port: "9999", dapr.io/sidecar-seccomp-profile-type: "RuntimeDefault"}' > /tmp/annotations.yaml
- helm upgrade --install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system \
+ helm upgrade --install gatekeeper/gatekeeper --namespace gatekeeper-system \
 --set audit.enablePubsub=true \
 --set audit.connection=audit-connection \
 --set audit.channel=audit-channel \
From 9e5b403b62fb770f53b8c5d005b9c7550468bcbf Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Wed, 25 Oct 2023 20:26:59 +0000
Subject: [PATCH 5/6] making channel in subscriber configurable
Signed-off-by: Jaydip Gabani
---
 test/pubsub/fake-subscriber/main.go | 18 +++++++++++-------
 .../fake-subscriber/manifest/subscriber.yaml | 3 +++
 website/docs/pubsub.md | 2 +-
 .../versioned_docs/version-v3.13.x/pubsub.md | 2 +-
 4 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/test/pubsub/fake-subscriber/main.go b/test/pubsub/fake-subscriber/main.go
index 9831cbe2b2b..fadd3aac2c9 100644
--- a/test/pubsub/fake-subscriber/main.go
+++ b/test/pubsub/fake-subscriber/main.go
@@ -4,6 +4,7 @@ import (
 "context"
 "encoding/json"
 "log"
+ "os"
 "strconv"
 "github.com/dapr/go-sdk/service/common"
@@ -30,15 +31,18 @@ type PubsubMsg struct {
 ResourceLabels map[string]string `json:"resourceLabels,omitempty"`
 }
-var sub = &common.Subscription{
- PubsubName: "pubsub",
- Topic: "audit",
- Route: "/checkout",
-}
-
 func main() {
+ auditChannel := os.Getenv("AUDIT_CHANNEL")
+ if auditChannel == "" {
+ auditChannel = "audit-channel"
+ }
+ sub := &common.Subscription{
+ PubsubName: "pubsub",
+ Topic: auditChannel,
+ Route: "/checkout",
+ }
 s := daprd.NewService(":6002")
- log.Printf("Listening...")
+ log.Printf("Listening on %s...", auditChannel)
 if err := s.AddTopicEventHandler(sub, eventHandler); err != nil {
 log.Fatalf("error adding topic subscription: %v", err)
 }
diff --git a/test/pubsub/fake-subscriber/manifest/subscriber.yaml b/test/pubsub/fake-subscriber/manifest/subscriber.yaml
index d0372ed6350..4c656ccd577 100644
--- a/test/pubsub/fake-subscriber/manifest/subscriber.yaml
+++ b/test/pubsub/fake-subscriber/manifest/subscriber.yaml
@@ -41,3 +41,6 @@ spec:
 - name: go-sub
 image: fake-subscriber:latest
 imagePullPolicy: Never
+ env:
+ - name: AUDIT_CHANNEL
+ value: "audit-channel"
diff --git a/website/docs/pubsub.md b/website/docs/pubsub.md
index 08babf33921..aac6a766728 100644
--- a/website/docs/pubsub.md
+++ b/website/docs/pubsub.md
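Review bot: The fallback literal `"audit-channel"` in main's new `if auditChannel == ""` branch is now the third copy of that default (the others are `defaultChannel` in pkg/audit/manager.go and the `AUDIT_CHANNEL` value in subscriber.yaml), so a rename in one place silently leaves the subscriber listening on a topic nobody publishes to; hoist it to a named constant, `const defaultAuditChannel = "audit-channel"`, and use it in the fallback. The `PubsubName: "pubsub"` component name right next to it stays hard-coded, so the subscriber is only half configurable — reading it from an environment variable the same way would keep the two settings consistent. A short comment on the `os.Getenv` call, `// AUDIT_CHANNEL selects the topic to subscribe to; it must match --audit-channel on the audit deployment`, would tell readers where the value has to come from. main's body continues outside the hunk.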
@@ -161,7 +161,7 @@ Dapr: https://dapr.io/
 ```shell
 # auditPodAnnotations is used to add annotations required by Dapr to inject sidecar to audit pod
 echo 'auditPodAnnotations: {dapr.io/enabled: "true", dapr.io/app-id: "audit", dapr.io/metrics-port: "9999", dapr.io/sidecar-seccomp-profile-type: "RuntimeDefault"}' > /tmp/annotations.yaml
- helm upgrade --install gatekeeper/gatekeeper --namespace gatekeeper-system \
+ helm upgrade --install gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system \
 --set audit.enablePubsub=true \
 --set audit.connection=audit-connection \
 --set audit.channel=audit-channel \
diff --git a/website/versioned_docs/version-v3.13.x/pubsub.md b/website/versioned_docs/version-v3.13.x/pubsub.md
index 570354aceb3..1b8b215097d 100644
--- a/website/versioned_docs/version-v3.13.x/pubsub.md
+++ b/website/versioned_docs/version-v3.13.x/pubsub.md
@@ -161,7 +161,7 @@ Dapr: https://dapr.io/
 ```shell
 # auditPodAnnotations is used to add annotations required by Dapr to inject sidecar to audit pod
 echo 'auditPodAnnotations: {dapr.io/enabled: "true", dapr.io/app-id: "audit", dapr.io/metrics-port: "9999", dapr.io/sidecar-seccomp-profile-type: "RuntimeDefault"}' > /tmp/annotations.yaml
- helm upgrade --install gatekeeper/gatekeeper --namespace gatekeeper-system \
+ helm upgrade --install gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system \
 --set audit.enablePubsub=true \
 --set audit.connection=audit-connection \
 --set audit.channel=audit-channel \

From 919e807e6f3c0e04ccb5ca3ef8a0cbe4bd23720c Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Wed, 25 Oct 2023 21:14:37 +0000
Subject: [PATCH 6/6] updating pubsub docs

Signed-off-by: Jaydip Gabani
---
 website/docs/pubsub.md | 6 +++---
 website/versioned_docs/version-v3.13.x/pubsub.md | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/website/docs/pubsub.md b/website/docs/pubsub.md
index aac6a766728..8c1df5fb3c0 100644
--- a/website/docs/pubsub.md
+++ b/website/docs/pubsub.md
@@ -52,7 +52,7 @@ Dapr: https://dapr.io/ To install Dapr with specific requirements and configuration, please refer to [Dapr docs](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-deploy/). > [!IMPORTANT] > - Make sure to set `SIDECAR_DROP_ALL_CAPABILITIES` environment variable on `dapr-sidecar` injector pod to `true` to avoid getting `PodSecurity violation` errors for the injected sidecar container as Gatekeeper by default requires workloads to run with [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) policy. If using helm charts to install Dapr, you can use `--set dapr_sidecar_injector.sidecarDropALLCapabilities=true`. - > - Additionally, [configure appropriate seccompProfile for sidecar containers](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#configure-seccompprofile-for-sidecar-containers) injected by Dapr to avoid getting `PodSecurity violation` errors. + > - Additionally, [configure appropriate seccompProfile for sidecar containers](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#configure-seccompprofile-for-sidecar-containers) injected by Dapr to avoid getting `PodSecurity violation` errors. We are setting required Dapr annotation for audit pod while deploying Gatekeeper later in this quick start to avoid getting `PodSecurity violation` error. > Dapr is installed with mtls enabled by default, for more details on the same please refer to [Dapr security](https://docs.dapr.io/operations/security/mtls/#setting-up-mtls-with-the-configuration-resource). 
@@ -68,7 +68,7 @@ Dapr: https://dapr.io/ ```shell kubectl create ns fake-subscriber - # creating redis secret in subscriber namespace to allow dapr sidecar to connect to redis instance + # creating redis secret in subscriber namespace to allow Dapr sidecar to connect to redis instance kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: fake-subscriber/' | kubectl apply -f - ``` @@ -168,7 +168,7 @@ Dapr: https://dapr.io/ --values /tmp/annotations.yaml ``` - **Note:** Verify that after the audit pod is running there is a dapr sidecar injected and running along side `manager` container. + **Note:** Verify that after the audit pod is running there is a Dapr sidecar injected and running along side `manager` container. 3. Create connection config to establish a connection. diff --git a/website/versioned_docs/version-v3.13.x/pubsub.md b/website/versioned_docs/version-v3.13.x/pubsub.md index 1b8b215097d..b083fbd22b5 100644 --- a/website/versioned_docs/version-v3.13.x/pubsub.md +++ b/website/versioned_docs/version-v3.13.x/pubsub.md 
@@ -52,7 +52,7 @@ Dapr: https://dapr.io/ To install Dapr with specific requirements and configuration, please refer to [Dapr docs](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-deploy/). > [!IMPORTANT] > - Make sure to set `SIDECAR_DROP_ALL_CAPABILITIES` environment variable on `dapr-sidecar` injector pod to `true` to avoid getting `PodSecurity violation` errors for the injected sidecar container as Gatekeeper by default requires workloads to run with [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) policy. If using helm charts to install Dapr, you can use `--set dapr_sidecar_injector.sidecarDropALLCapabilities=true`. - > - Additionally, [configure appropriate seccompProfile for sidecar containers](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#configure-seccompprofile-for-sidecar-containers) injected by Dapr to avoid getting `PodSecurity violation` errors. + > - Additionally, [configure appropriate seccompProfile for sidecar containers](https://docs.dapr.io/operations/hosting/kubernetes/kubernetes-production/#configure-seccompprofile-for-sidecar-containers) injected by Dapr to avoid getting `PodSecurity violation` errors. We are setting required annotation for audit pod while deploying Gatekeeper later in this quick start to avoid getting `PodSecurity violation` error. > Dapr is installed with mtls enabled by default, for more details on the same please refer to [Dapr security](https://docs.dapr.io/operations/security/mtls/#setting-up-mtls-with-the-configuration-resource). 
@@ -68,7 +68,7 @@ Dapr: https://dapr.io/ ```shell kubectl create ns fake-subscriber - # creating redis secret in subscriber namespace to allow dapr sidecar to connect to redis instance + # creating redis secret in subscriber namespace to allow Dapr sidecar to connect to redis instance kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: fake-subscriber/' | kubectl apply -f - ``` @@ -168,7 +168,7 @@ Dapr: https://dapr.io/ --values /tmp/annotations.yaml ``` - **Note:** Verify that after the audit pod is running there is a dapr sidecar injected and running along side `manager` container. + **Note:** Verify that after the audit pod is running there is a Dapr sidecar injected and running along side `manager` container. 3. Create connection config to establish a connection.