diff --git a/Makefile b/Makefile index f34355ca247..7b083019dc6 100644 --- a/Makefile +++ b/Makefile @@ -13,7 +13,7 @@ ENABLE_PUBSUB ?= false AUDIT_CONNECTION ?= "audit" AUDIT_CHANNEL ?= "audit" -VERSION := v3.15.0-beta.0 +VERSION := v3.15.0-rc.0 KIND_VERSION ?= 0.17.0 # note: k8s version pinned since KIND image availability lags k8s releases diff --git a/charts/gatekeeper/Chart.yaml b/charts/gatekeeper/Chart.yaml index 72ec81b9ca1..e7d025ee5b3 100644 --- a/charts/gatekeeper/Chart.yaml +++ b/charts/gatekeeper/Chart.yaml @@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.15.0-beta.0 +version: 3.15.0-rc.0 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.15.0-beta.0 +appVersion: v3.15.0-rc.0 diff --git a/charts/gatekeeper/README.md b/charts/gatekeeper/README.md index f7bdc1af3d3..453e0386fd1 100644 --- a/charts/gatekeeper/README.md +++ b/charts/gatekeeper/README.md @@ -74,7 +74,7 @@ information._ | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | 
@@ -97,7 +97,7 @@ information._ | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` | 
@@ -107,10 +107,10 @@ information._ | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | -| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | 
@@ -120,7 +120,7 @@ information._ | preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` | | preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` | | preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| psp.enabled | Enabled PodSecurityPolicy | `true` | +| psp.enabled | Enabled PodSecurityPolicy | `false` | | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | | upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | | upgradeCRDs.priorityClassName | Priority class name for gatekeeper-update-crds-hook Job | `` | 
@@ -150,7 +150,7 @@ information._ | enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` | | enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | | maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | -| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opentelemetry` starting from Gatekeeper 3.15 | `["prometheus"]` | | mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | | mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | | mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | @@ -168,7 +168,7 @@ information._ | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.15.0-beta.0` | +| image.release | The image release tag to use | Current release version: `v3.15.0-rc.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml b/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml index 737e3aff15b..afc89d03bdf 100644 
--- a/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: constrainttemplates.templates.gatekeeper.sh diff --git a/charts/gatekeeper/crds/provider-customresourcedefinition.yaml b/charts/gatekeeper/crds/provider-customresourcedefinition.yaml index 95e66a8b8aa..177afbb6780 100644 --- a/charts/gatekeeper/crds/provider-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/provider-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: providers.externaldata.gatekeeper.sh diff --git a/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml b/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml new file mode 100644 index 00000000000..c5c51f9da4a --- /dev/null +++ b/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml 
@@ -0,0 +1,52 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: syncsets.syncset.gatekeeper.sh +spec: + group: syncset.gatekeeper.sh + names: + kind: SyncSet + listKind: SyncSetList + plural: syncsets + singular: syncset + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SyncSet defines which resources Gatekeeper will cache. The union of all SyncSets plus the syncOnly field of Gatekeeper's Config resource defines the sets of resources that will be synced. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + properties: + gvks: + items: + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 1dc1ebac29c..33c1cbeccd5 100644 --- a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml 
@@ -33,7 +33,7 @@ spec: {{- toYaml .Values.auditPodAnnotations | trim | nindent 8 }} {{- end }} labels: -{{- include "gatekeeper.podLabels" . }} +{{- include "gatekeeper.podLabels" . | nindent 8 }} app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' control-plane: audit-controller @@ -104,6 +104,8 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager + - name: OTEL_RESOURCE_ATTRIBUTES + value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 70c7571c2ce..9edd16218df 100644 --- a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -32,7 +32,7 @@ spec: {{- toYaml .Values.podAnnotations | trim | nindent 8 }} {{- end }} labels: -{{- include "gatekeeper.podLabels" . }} +{{- include "gatekeeper.podLabels" . | nindent 8 }} app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' control-plane: controller-manager @@ -117,6 +117,8 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager + - name: OTEL_RESOURCE_ATTRIBUTES + value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml index cb783bf0e4d..f406c040ee3 100644 --- a/charts/gatekeeper/values.yaml +++ b/charts/gatekeeper/values.yaml 
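Review bot: The `OTEL_RESOURCE_ATTRIBUTES` value added in the `@@ -104,6 +104,8 @@` hunk only resolves if `POD_NAME`, `NAMESPACE` and `CONTAINER_NAME` are declared earlier in the same container's `env` list, and only `CONTAINER_NAME` is visible in the hunk. Kubernetes leaves an unresolvable `$(VAR)` reference as literal text, so a later rename or reorder would export the raw placeholder as a resource attribute with no error, and telemetry could no longer be attributed to the right pod. The env list starts outside the hunk, so please confirm that `POD_NAME` and `NAMESPACE` (not just the `POD_NAMESPACE` seen in config/manager/manager.yaml) are defined above it. I would also add a comment above the entry: `# keep after POD_NAME, NAMESPACE and CONTAINER_NAME: $(VAR) only expands variables defined earlier in this list`. The same applies to the identical addition in gatekeeper-controller-manager-deployment.yaml and to both Deployments in deploy/gatekeeper.yaml.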
@@ -44,20 +44,20 @@ externaldataProviderResponseCacheTTL: 3m image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.15.0-beta.0 + release: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 postUpgrade: labelNamespace: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -88,7 +88,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -129,7 +129,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] priorityClassName: "" @@ -264,7 +264,7 @@ pdb: service: {} disabledBuiltins: ["{http.send}"] psp: - enabled: true + enabled: false upgradeCRDs: enabled: true extraRules: [] diff --git a/cmd/build/helmify/static/Chart.yaml b/cmd/build/helmify/static/Chart.yaml index 72ec81b9ca1..e7d025ee5b3 100644 --- a/cmd/build/helmify/static/Chart.yaml +++ b/cmd/build/helmify/static/Chart.yaml @@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.15.0-beta.0 +version: 3.15.0-rc.0 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.15.0-beta.0 +appVersion: v3.15.0-rc.0 diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index f68d2341d15..453e0386fd1 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
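Review bot: Flipping the `psp.enabled` default to `false` in the `@@ -264,7 +264,7 @@` hunk is a security-relevant default change that the values file does not explain. On a cluster that still enforces PodSecurityPolicy, a plain `helm upgrade` without an explicit override would presumably stop rendering Gatekeeper's policy object; the template that consumes this value is not part of the diff. The pods would then depend on whatever other policy applies, or be rejected. I would add a comment above the key, for example `# PodSecurityPolicy was removed in Kubernetes v1.25; set to true only on older clusters that still enforce PSP`, and call the new default out in the upgrade notes. The README table row for `psp.enabled` changes in the same way and could carry the same remark.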
@@ -74,7 +74,7 @@ information._ | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | @@ -97,7 +97,7 @@ information._ | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` | 
@@ -107,10 +107,10 @@ information._ | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | -| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | 
@@ -168,7 +168,7 @@ information._ | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.15.0-beta.0` | +| image.release | The image release tag to use | Current release version: `v3.15.0-rc.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index f69d0e30de7..f406c040ee3 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -44,20 +44,20 @@ externaldataProviderResponseCacheTTL: 3m image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.15.0-beta.0 + release: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 postUpgrade: labelNamespace: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -88,7 +88,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -129,7 +129,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] priorityClassName: "" diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index bafddc26dde..24f0d74c999 100644 --- a/config/manager/manager.yaml 
+++ b/config/manager/manager.yaml @@ -56,7 +56,7 @@ spec: - "--operation=webhook" - "--operation=mutation-webhook" - "--disable-opa-builtin={http.send}" - image: openpolicyagent/gatekeeper:v3.15.0-beta.0 + image: openpolicyagent/gatekeeper:v3.15.0-rc.0 imagePullPolicy: Always name: manager ports: @@ -150,7 +150,7 @@ spec: - --disable-cert-rotation command: - /manager - image: openpolicyagent/gatekeeper:v3.15.0-beta.0 + image: openpolicyagent/gatekeeper:v3.15.0-rc.0 env: # used by Gatekeeper - name: POD_NAMESPACE diff --git a/deploy/gatekeeper.yaml b/deploy/gatekeeper.yaml index 258fde22728..6734b1344ea 100644 --- a/deploy/gatekeeper.yaml +++ b/deploy/gatekeeper.yaml @@ -1927,7 +1927,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: constrainttemplates.templates.gatekeeper.sh @@ -3296,7 +3296,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 + controller-gen.kubebuilder.io/version: v0.10.0 labels: gatekeeper.sh/system: "yes" name: providers.externaldata.gatekeeper.sh 
@@ -3371,6 +3371,59 @@ spec: served: true storage: true --- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: syncsets.syncset.gatekeeper.sh +spec: + group: syncset.gatekeeper.sh + names: + kind: SyncSet + listKind: SyncSetList + plural: syncsets + singular: syncset + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SyncSet defines which resources Gatekeeper will cache. The union of all SyncSets plus the syncOnly field of Gatekeeper's Config resource defines the sets of resources that will be synced. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + properties: + gvks: + items: + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +--- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -3694,7 +3747,9 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.15.0-beta.0 + - name: OTEL_RESOURCE_ATTRIBUTES + value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) + image: openpolicyagent/gatekeeper:v3.15.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -3811,7 +3866,9 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.15.0-beta.0 + - name: OTEL_RESOURCE_ATTRIBUTES + value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) + image: openpolicyagent/gatekeeper:v3.15.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/manifest_staging/charts/gatekeeper/Chart.yaml b/manifest_staging/charts/gatekeeper/Chart.yaml index 72ec81b9ca1..e7d025ee5b3 100644 --- a/manifest_staging/charts/gatekeeper/Chart.yaml +++ b/manifest_staging/charts/gatekeeper/Chart.yaml @@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.15.0-beta.0 +version: 3.15.0-rc.0 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.15.0-beta.0 +appVersion: v3.15.0-rc.0 diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index f68d2341d15..453e0386fd1 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
@@ -74,7 +74,7 @@ information._ | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | @@ -97,7 +97,7 @@ information._ | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` | 
@@ -107,10 +107,10 @@ information._ | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | -| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.15.0-beta.0` | +| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.15.0-rc.0` | | preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | 
@@ -168,7 +168,7 @@ information._ | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.15.0-beta.0` | +| image.release | The image release tag to use | Current release version: `v3.15.0-rc.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index f69d0e30de7..f406c040ee3 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -44,20 +44,20 @@ externaldataProviderResponseCacheTTL: 3m image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.15.0-beta.0 + release: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 postUpgrade: labelNamespace: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -88,7 +88,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -129,7 +129,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.15.0-beta.0 + tag: v3.15.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] priorityClassName: "" diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index b43ac3af055..6734b1344ea 100644 
--- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml @@ -3749,7 +3749,7 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) - image: openpolicyagent/gatekeeper:v3.15.0-beta.0 + image: openpolicyagent/gatekeeper:v3.15.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -3868,7 +3868,7 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) - image: openpolicyagent/gatekeeper:v3.15.0-beta.0 + image: openpolicyagent/gatekeeper:v3.15.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/website/docs/install.md b/website/docs/install.md index 188bd6fde4d..ebfb3db52e8 100644 --- a/website/docs/install.md +++ b/website/docs/install.md @@ -28,7 +28,7 @@ For either installation method, make sure you have cluster admin permissions: If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then you can run the following command: ```sh -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.15.0-rc.0/deploy/gatekeeper.yaml ``` ### Deploying a Release using development image @@ -92,7 +92,7 @@ You can alter the variables in `charts/gatekeeper/values.yaml` to customize your If you used a prebuilt image to deploy Gatekeeper, then you can delete all the Gatekeeper components with the following command: ```sh - kubectl delete -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml + kubectl delete -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.15.0-rc.0/deploy/gatekeeper.yaml ``` ### Using make