Merge branch 'master' into ac-eks-friendly-ports

charts/admission-controller/CHANGELOG.md

@@ -10,6 +10,12 @@ Manual edits are supported only below '## Change Log' and should be used
 exclusively to fix incorrect entries and not to add new ones.
 
 ## Change Log
+# v0.13.5
+### New Features
+* **admission-controller** [08aacd04](https://github.com/sysdiglabs/charts/commit/08aacd04c4ad67baa5ab041bcae658e1a1173a3e): support policies for worker ([#1318](https://github.com/sysdiglabs/charts/issues/1318))
+# v0.13.4
+### New Features
+* **admission-controller** [640fa2e8](https://github.com/sysdiglabs/charts/commit/640fa2e83bbb989eef40cc565555a0b5ff4c65dc): Add support for worker skiptls ([#1317](https://github.com/sysdiglabs/charts/issues/1317))
 # v0.13.3
 ### New Features
 * **admission-controller** [60074372](https://github.com/sysdiglabs/charts/commit/60074372b0970726b1fe100853be7d7ffb01bdef): add watch job permission ([#1312](https://github.com/sysdiglabs/charts/issues/1312))

charts/admission-controller/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: admission-controller
 description: Sysdig Admission Controller using Sysdig Secure inline image scanner
 type: application
-version: 0.13.4
+version: 0.13.6
 appVersion: 3.9.26
 home: https://sysdiglabs.github.io/admission-controller/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4

charts/admission-controller/README.md

@@ -68,7 +68,7 @@ For example:
 
 ```bash
 helm upgrade --install admission-controller sysdig/admission-controller \
-    --create-namespace -n sysdig-admission-controller --version=0.13.4  \
+    --create-namespace -n sysdig-admission-controller --version=0.13.6  \
     --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME
 ```
 
@@ -80,7 +80,7 @@ For example:
 
 ```bash
 helm upgrade --install admission-controller sysdig/admission-controller \
-     --create-namespace -n sysdig-admission-controller --version=0.13.4  \
+     --create-namespace -n sysdig-admission-controller --version=0.13.6  \
     --values values.yaml
 
 ```

charts/admission-controller/RELEASE-NOTES.md

@@ -1,5 +1,5 @@
 # What's Changed
 
 ### New Features
-- **admission-controller** [60074372](https://github.com/sysdiglabs/charts/commit/60074372b0970726b1fe100853be7d7ffb01bdef): add watch job permission ([#1312](https://github.com/sysdiglabs/charts/issues/1312))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.13.2...admission-controller-0.13.3
+- **admission-controller** [08aacd04](https://github.com/sysdiglabs/charts/commit/08aacd04c4ad67baa5ab041bcae658e1a1173a3e): support policies for worker ([#1318](https://github.com/sysdiglabs/charts/issues/1318))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.13.4...admission-controller-0.13.5

charts/admission-controller/templates/webhook/configmap.yaml

@@ -25,4 +25,11 @@ data:
   EXTERNAL_NATS_URL:  {{ include "admissionController.natsUrl" . }}
   NATS_INSECURE: "{{.Values.webhook.v2.nats.insecure}}"
   {{- end}}
-  WORKERS: "{{.Values.webhook.workers | default 2 }}"
+  {{- if .Values.webhook.workers }}
+  WORKERS: "{{.Values.webhook.workers.number | default 2 }}"
+  WORKER_SKIPTLS: "{{.Values.webhook.workers.skiptlsverify | default "true" }}"
+  POLICIES: {{ toJson .Values.webhook.workers.scanningPolicies | quote }}
+  {{- else }}
+  WORKERS: "2"
+  WORKER_SKIPTLS: "true"
+  {{- end}}

charts/admission-controller/tests/admissioncontrollerconfigmap_test.yaml

@@ -0,0 +1,57 @@
+suite: Test admissioncontrollerconfigmap
+templates:
+  - templates/webhook/admissioncontrollerconfigmap.yaml
+  - templates/webhook/clusterrole.yaml
+tests:
+  - it: Creates the configmap if webhook.acConfig is present
+    set:
+      clusterName: test-k8s
+      webhook:
+        acConfig: |
+          foo: bar
+          fizz: buzz
+    asserts:
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+        template: templates/webhook/admissioncontrollerconfigmap.yaml
+  - it: Creates the clusterrole if webhook.acConfig is present
+    set:
+      webhook:
+        acConfig: |
+          foo: bar
+          fizz: buzz
+    asserts:
+      - isSubset:
+          path: rules[2]
+          content:
+            apiGroups: [ "batch" ]
+            resources: [ "jobs" ]
+            verbs: [ "create", "get", "delete", "watch" ]
+        template: templates/webhook/clusterrole.yaml
+      - isSubset:
+          path: rules[1]
+          content:
+            apiGroups: [ "" ]
+            resources: [ "pods", "configmaps", "secrets" ]
+            verbs: [ "get" ]
+        template: templates/webhook/clusterrole.yaml
+  - it: Does not create the configmap if webhook.acConfig is not present
+    set: {}
+    asserts:
+      - notContains:
+          path: rules
+          content:
+            apiGroups: [ "batch" ]
+        template: templates/webhook/clusterrole.yaml
+      - isSubset:
+          path: rules[1]
+          content:
+            apiGroups: [""]
+            resources: ["pods"]
+            verbs: ["get"]
+        template: templates/webhook/clusterrole.yaml
+#    asserts:
+#      - isNullOrEmpty:
+#          path: data
+#        template: templates/webhook/admissioncontrollerconfigmap.yaml

charts/admission-controller/tests/configmap_test.yaml

@@ -1,56 +1,22 @@
 suite: Test admissioncontrollerconfigmap
 templates:
-  - templates/webhook/admissioncontrollerconfigmap.yaml
-  - templates/webhook/clusterrole.yaml
+  - templates/webhook/configmap.yaml
 tests:
   - it: Creates the configmap if webhook.acConfig is present
     set:
+      clusterName: test-k8s
       webhook:
-        acConfig: |
-          foo: bar
-          fizz: buzz
+        workers:
+          scanningPolicies:
+            - one
+            - two
     asserts:
       - containsDocument:
           kind: ConfigMap
           apiVersion: v1
-        template: templates/webhook/admissioncontrollerconfigmap.yaml
-  - it: Creates the clusterrole if webhook.acConfig is present
-    set:
-      webhook:
-        acConfig: |
-          foo: bar
-          fizz: buzz
-    asserts:
-      - isSubset:
-          path: rules[2]
-          content:
-            apiGroups: ["batch"]
-            resources: ["jobs"]
-            verbs: ["create", "get", "delete", "watch"]
-        template: templates/webhook/clusterrole.yaml
-      - isSubset:
-          path: rules[1]
-          content:
-            apiGroups: [""]
-            resources: ["pods", "configmaps", "secrets"]
-            verbs: ["get"]
-        template: templates/webhook/clusterrole.yaml
-  - it: Does not create the configmap if webhook.acConfig is not present
-    set: {}
-    asserts:
-      - notContains:
-          path: rules
-          content:
-            apiGroups: [ "batch" ]
-        template: templates/webhook/clusterrole.yaml
+        template: templates/webhook/configmap.yaml
       - isSubset:
-          path: rules[1]
+          path: data
           content:
-            apiGroups: [""]
-            resources: ["pods"]
-            verbs: ["get"]
-        template: templates/webhook/clusterrole.yaml
-#    asserts:
-#      - isNullOrEmpty:
-#          path: data
-#        template: templates/webhook/admissioncontrollerconfigmap.yaml
+            POLICIES: '["one","two"]'
+          template: templates/webhook/configmap.yaml