diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index b47e8fd58ec..97f1ba0cb07 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -145,6 +145,7 @@ spec:
 - --operation=audit
 - --operation=status
 - --operation=mutation-status
+ - --operation=generate
 - --logtostderr
 - --disable-opa-builtin={http.send}
 - --disable-cert-rotation
diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml
index efa2ad83625..76de37b6f14 100644
--- a/manifest_staging/deploy/gatekeeper.yaml
+++ b/manifest_staging/deploy/gatekeeper.yaml
@@ -5084,6 +5084,7 @@ spec:
 - --operation=audit
 - --operation=status
 - --operation=mutation-status
+ - --operation=generate
 - --logtostderr
 - --disable-opa-builtin={http.send}
 - --disable-cert-rotation
diff --git a/website/docs/operations.md b/website/docs/operations.md
index 7eea4e0fc5f..01feb6ab407 100644
--- a/website/docs/operations.md
+++ b/website/docs/operations.md
@@ -50,7 +50,6 @@ At a high level, this requires:
 * It will also need the ability to write to the webhook secret in Gatekeeper's namespace
 * If you have events enabled, you will need permissions to create events in Gatekeeper's namespace
-
 ## Mutating Webhook
 __--operation key:__ `mutation-webhook`
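Review bot: The new `--operation=generate` flag is added to the Deployment whose args also carry `audit`, `status` and `mutation-status`, which looks like the audit controller, and the docs added in this same change say the generate operation must run as a singleton to avoid write contention, yet nothing in the hunk records that constraint, so a later change to this Deployment's replica count would silently break it. A comment next to the flag would preserve the intent: `# generate must run as a singleton (see website/docs/operations.md); keep this Deployment at replicas: 1`. The same applies to the identical hunk in manifest_staging/deploy/gatekeeper.yaml, assuming that file is regenerated from this one. The diff also contains no RBAC change although the new operation needs create/delete on CRDs cluster-wide and on ValidatingAdmissionPolicy/ValidatingAdmissionPolicyBinding objects; confirm the service account bound to this Deployment already holds those verbs, and note in review that they widen what a compromise of this pod can do to cluster-wide admission control.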
@@ -176,6 +175,30 @@ At a high level, this requires:
 * The ability to read all objects in the group `mutations.gatekeeper.sh` (mutators)
+## Generation
+
+__--operation key:__ `generate`
+
+This operation enables CRD and VAP/VAPB generation.
+
+To avoid write contention, the Generate operation should be run as a singleton.
+
+### Required Behaviors
+
+At a high level, this requires:
+
+* Creating CRDs for a corresponding constraint template
+* Creating ValidatingAdmissionPolicies for ConstraintTemplates
+* Creating ValidatingAdmissionPolicyBindings for Constraints
+
+### Permissions Required
+
+* The ability to read all `ConstraintTemplate` objects
+* The ability to create CRDs (unfortunately RBAC doesn't have the syntax to scope this down to just CRDs in the `constraints.gatekeeper.sh` group)
+* The ability to read all `Constraint` resources (members of the group `constraints.gatekeeper.sh`)
+* The ability to create `ValidatingAdmissionPolicy` objects
+* The ability to create `ValidatingAdmissionPolicyBinding` objects
+
 # A Note on Permissions
 "Create" implies the `create` and `delete` permissions in addition to the permissions implied by "Read" and "Write".
diff --git a/website/versioned_docs/version-v3.18.x/operations.md b/website/versioned_docs/version-v3.18.x/operations.md
index 7eea4e0fc5f..8862ab55d95 100644
--- a/website/versioned_docs/version-v3.18.x/operations.md
+++ b/website/versioned_docs/version-v3.18.x/operations.md
@@ -176,6 +176,30 @@ At a high level, this requires:
 * The ability to read all objects in the group `mutations.gatekeeper.sh` (mutators)
+## Generation
+
+__--operation key:__ `generate`
+
+This operation enables CRD and VAP/VAPB generation.
+
+To avoid write contention, the Generate operation should be run as a singleton.
+
+### Required Behaviors
+
+At a high level, this requires:
+
+* Creating CRDs for a corresponding constraint template
+* Creating ValidatingAdmissionPolicies for ConstraintTemplates
+* Creating ValidatingAdmissionPolicyBindings for Constraints
+
+### Permissions Required
+
+* The ability to read all `ConstraintTemplate` objects
+* The ability to create CRDs (unfortunately RBAC doesn't have the syntax to scope this down to just CRDs in the `constraints.gatekeeper.sh` group)
+* The ability to read all `Constraint` resources (members of the group `constraints.gatekeeper.sh`)
+* The ability to create `ValidatingAdmissionPolicy` objects
+* The ability to create `ValidatingAdmissionPolicyBinding` objects
+
 # A Note on Permissions
 "Create" implies the `create` and `delete` permissions in addition to the permissions implied by "Read" and "Write".