From ffa2c439bd0a1a76443dc41439f048a2fc41e016 Mon Sep 17 00:00:00 2001
From: Hayk Kocharyan
Date: Mon, 21 Aug 2023 12:05:35 +0200
Subject: [PATCH 1/2] feat(admission-controller): internal test (#1297)
---
 charts/admission-controller/Chart.yaml | 2 +-
 charts/admission-controller/README.md | 4 +-
 .../webhook/admissioncontrollerconfigmap.yaml | 13 +++++
 .../webhook/admissionregistration.yaml | 2 +-
 .../templates/webhook/clusterrole.yaml | 13 +++++
 .../templates/webhook/deployment.yaml | 6 ++
 .../tests/configmap_test.yaml | 56 +++++++++++++++++++
 charts/admission-controller/values.yaml | 1 +
 8 files changed, 93 insertions(+), 4 deletions(-)
 create mode 100644 charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml
 create mode 100644 charts/admission-controller/tests/configmap_test.yaml
diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml
index cf79bdc7e..df3a7207a 100644
--- a/charts/admission-controller/Chart.yaml
+++ b/charts/admission-controller/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: admission-controller
 description: Sysdig Admission Controller using Sysdig Secure inline image scanner
 type: application
-version: 0.12.3
+version: 0.12.4
 appVersion: 3.9.26
 home: https://sysdiglabs.github.io/admission-controller/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md
index cca9b8125..303ea0da3 100644
--- a/charts/admission-controller/README.md
+++ b/charts/admission-controller/README.md
@@ -68,7 +68,7 @@ For example:
 ```bash
 helm upgrade --install admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller --version=0.12.3 \
+ --create-namespace -n sysdig-admission-controller --version=0.12.4 \
 --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME
 ```
@@ -80,7 +80,7 @@ For example:
 ```bash
 helm upgrade --install admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller --version=0.12.3 \
+ --create-namespace -n sysdig-admission-controller --version=0.12.4 \
 --values values.yaml
 ```
diff --git a/charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml b/charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml
new file mode 100644
index 000000000..16c0daf1f
--- /dev/null
+++ b/charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml
@@ -0,0 +1,13 @@
+# Warning! This file is for internal tests only.
+{{- if .Values.webhook.acConfig }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: admissioncontrollerconfigmap
+ namespace: {{ include "admissionController.namespace" . }}
+ labels:
+ {{ include "admissionController.webhook.labels" . | nindent 4 }}
+data:
+ acConfig: |
+ {{ .Values.webhook.acConfig | nindent 4 }}
+{{- end }}
diff --git a/charts/admission-controller/templates/webhook/admissionregistration.yaml b/charts/admission-controller/templates/webhook/admissionregistration.yaml
index 7b578787a..7a46d5dbd 100644
--- a/charts/admission-controller/templates/webhook/admissionregistration.yaml
+++ b/charts/admission-controller/templates/webhook/admissionregistration.yaml
@@ -30,7 +30,7 @@ metadata:
 labels:
 app.kubernetes.io/managed-by: Helm
 webhooks:
-{{- if .Values.scanner.enabled }}
+{{- if or .Values.scanner.enabled .Values.webhook.acConfig }}
 - name: scanning.secure.sysdig.com
 matchPolicy: Equivalent
 rules:
diff --git a/charts/admission-controller/templates/webhook/clusterrole.yaml b/charts/admission-controller/templates/webhook/clusterrole.yaml
index 2372501de..7b5861ae2 100644
--- a/charts/admission-controller/templates/webhook/clusterrole.yaml
+++ b/charts/admission-controller/templates/webhook/clusterrole.yaml
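Review bot: In the `data:` stanza, `nindent 4` on the `{{ .Values.webhook.acConfig | nindent 4 }}` line prepends a newline that nothing trims, so the literal block under `acConfig: |` opens with an empty line and the stored value begins with `\n`; `{{- .Values.webhook.acConfig | nindent 4 }}` renders the value exactly as supplied. The value is copied verbatim from `webhook.acConfig`, a key this commit neither declares in values.yaml nor mentions in the README even though the header warns the file is for internal tests, so the header should say what the key holds and who consumes it, e.g. `# Warning! This file is for internal tests only. Rendered only when webhook.acConfig is set; its raw text becomes data.acConfig (presumably read back by the webhook through the configmaps get rule in the ClusterRole).`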
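Review bot: The changed condition registers the `scanning.secure.sysdig.com` validating webhook whenever `webhook.acConfig` is non-empty, including with `scanner.enabled: false`, so a value the new configmap template labels as internal-tests-only now decides whether workload admission is routed through this webhook. The rest of the entry (clientConfig, failurePolicy) is below the hunk, so whether a missing scanner backend would fail admission open or closed cannot be confirmed here; at minimum values.yaml should declare the key with that consequence spelled out, e.g. `# Internal testing only. Raw admission-controller config; when set, the scanning webhook is registered even if scanner.enabled is false.` above `acConfig: ""`, and if the test path really needs the webhook it is safer to require `scanner.enabled` alongside it. The `webhooks:` list continues past the hunk.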
@@ -16,8 +16,21 @@ rules:
 - ""
 resources:
 - pods
+{{- if .Values.webhook.acConfig }}
+ - configmaps
+{{- end }}
+ verbs:
+ - get
+{{- if .Values.webhook.acConfig }}
+- apiGroups:
+ - "batch"
+ resources:
+ - jobs
 verbs:
+ - create
 - get
+ - delete
+{{- end }}
 - apiGroups:
 - "apps"
 resources:
diff --git a/charts/admission-controller/templates/webhook/deployment.yaml b/charts/admission-controller/templates/webhook/deployment.yaml
index 2171000c7..db831c3c4 100644
--- a/charts/admission-controller/templates/webhook/deployment.yaml
+++ b/charts/admission-controller/templates/webhook/deployment.yaml
@@ -83,11 +83,17 @@ spec:
 value: {{ include "webhook.httpsProxy" . }}
 - name: NO_PROXY
 value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }}
+ - name: AC_NAMESPACE
+ value: {{ include "admissionController.namespace" . }}
 {{- end }}
 {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
 - name: SSL_CERT_DIR
 value: /ca-certs
 {{- end }}
+ {{- if .Values.webhook.acConfig }}
+ - name: VM_ENGINE_V2_ENABLED
+ value: "true"
+ {{- end }}
 ports:
 - name: http
 containerPort: {{ .Values.webhook.http.port }}
diff --git a/charts/admission-controller/tests/configmap_test.yaml b/charts/admission-controller/tests/configmap_test.yaml
new file mode 100644
index 000000000..fedf29101
--- /dev/null
+++ b/charts/admission-controller/tests/configmap_test.yaml
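Review bot: The added `batch`/`jobs` rule with `create`, `get` and `delete`, and the `configmaps` `get` added to the core rule, land in a ClusterRole, so the webhook's service account gets them in every namespace; `create` on Jobs cluster-wide is an escalation path, because a Job's pod template can name any service account in its namespace and so obtain that account's token, kube-system included. The ConfigMap this commit creates lives in the chart's own namespace, and the Jobs presumably run there too (their template is not in this commit), so these verbs belong in a namespaced Role and RoleBinding in that namespace, with the ConfigMap access in its own rule pinned by `resourceNames: ["admissioncontrollerconfigmap"]` rather than sharing the `pods` rule. The `rules:` list edited here starts above the hunk, and the binding that grants this ClusterRole is not visible in the commit.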
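Review bot: `AC_NAMESPACE` is added inside a conditional block whose opening `{{- if` is above the hunk and which closes at the `{{- end }}` right after the new lines, whereas `VM_ENGINE_V2_ENABLED` is guarded by `.Values.webhook.acConfig`; if that outer condition is not the same one (it encloses the proxy variables, so it presumably isn't), the namespace variable will be absent in the acConfig-only configuration that the admissionregistration change in this commit enables. Deriving it from the Downward API removes both the dependency on that block and any drift from the helper: `valueFrom:` / `fieldRef:` / `fieldPath: metadata.namespace` in place of the `value:` line, placed next to `VM_ENGINE_V2_ENABLED`. If the helper-based value is kept, `value: {{ include "admissionController.namespace" . | quote }}` keeps it a string even if the helper ever renders something YAML would not read as one. The container `env` list begins above the hunk.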
@@ -0,0 +1,56 @@
+suite: Test admissioncontrollerconfigmap
+templates:
+ - templates/webhook/admissioncontrollerconfigmap.yaml
+ - templates/webhook/clusterrole.yaml
+tests:
+ - it: Creates the configmap if webhook.acConfig is present
+ set:
+ webhook:
+ acConfig: |
+ foo: bar
+ fizz: buzz
+ asserts:
+ - containsDocument:
+ kind: ConfigMap
+ apiVersion: v1
+ template: templates/webhook/admissioncontrollerconfigmap.yaml
+ - it: Creates the clusterrole if webhook.acConfig is present
+ set:
+ webhook:
+ acConfig: |
+ foo: bar
+ fizz: buzz
+ asserts:
+ - isSubset:
+ path: rules[2]
+ content:
+ apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create", "get", "delete"]
+ template: templates/webhook/clusterrole.yaml
+ - isSubset:
+ path: rules[1]
+ content:
+ apiGroups: [""]
+ resources: ["pods", "configmaps"]
+ verbs: ["get"]
+ template: templates/webhook/clusterrole.yaml
+ - it: Does not create the configmap if webhook.acConfig is not present
+ set: {}
+ asserts:
+ - notContains:
+ path: rules
+ content:
+ apiGroups: [ "batch" ]
+ template: templates/webhook/clusterrole.yaml
+ - isSubset:
+ path: rules[1]
+ content:
+ apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
+ template: templates/webhook/clusterrole.yaml
+# asserts:
+# - isNullOrEmpty:
+# path: data
+# template: templates/webhook/admissioncontrollerconfigmap.yaml
diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml
index 85f3b5625..b7beb7854 100644
--- a/charts/admission-controller/values.yaml
+++ b/charts/admission-controller/values.yaml
@@ -208,6 +208,7 @@ webhook:
 # The image pull secrets for webhook.
 imagePullSecrets: []
+ # Resource request and limits for webhook.
 resources:
 # +doc-gen:break
 limits:
From 101b78306e8de4b942ffc4b571ad4133d5c0f182 Mon Sep 17 00:00:00 2001
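Review bot: The case `Does not create the configmap if webhook.acConfig is not present` only asserts on the clusterrole template; the assertion that would cover the configmap is left commented out at the bottom of the file, so the branch the test is named after is unverified. helm-unittest can check an empty render with `- hasDocuments:` / `count: 0` / `template: templates/webhook/admissioncontrollerconfigmap.yaml` added to that case's `asserts`, which also lets the trailing comment block go. The `rules[1]` and `rules[2]` paths used by `isSubset` are positional, so reordering the ClusterRole rules breaks these tests without a real regression; a `contains` on `path: rules` with the expected rule as `content` (with `any: true` if only a partial match is wanted) is order-independent.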
From: draios-jenkins
Date: Mon, 21 Aug 2023 10:07:21 +0000
Subject: [PATCH 2/2] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for admission-controller-0.12.4
---
 charts/admission-controller/CHANGELOG.md | 3 +++
 charts/admission-controller/RELEASE-NOTES.md | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/charts/admission-controller/CHANGELOG.md b/charts/admission-controller/CHANGELOG.md
index b480dd47e..f2e96acc4 100644
--- a/charts/admission-controller/CHANGELOG.md
+++ b/charts/admission-controller/CHANGELOG.md
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones.
 ## Change Log
+# v0.12.4
+### New Features
+* **admission-controller** [ffa2c439](https://github.com/sysdiglabs/charts/commit/ffa2c439bd0a1a76443dc41439f048a2fc41e016): internal test ([#1297](https://github.com/sysdiglabs/charts/issues/1297))
 # v0.12.3
 ### Documentation
 * **admission-controller, cluster-scanner, registry-scanner, cloud-connector, node-analyzer, rapid-response, sysdig-deploy, agent** [df733e62](https://github.com/sysdiglabs/charts/commit/df733e6294eae1967197e3521473a5fab0282b67): update maintainers list ([#1283](https://github.com/sysdiglabs/charts/issues/1283))
diff --git a/charts/admission-controller/RELEASE-NOTES.md b/charts/admission-controller/RELEASE-NOTES.md
index c4f7a51ed..5eec7842b 100644
--- a/charts/admission-controller/RELEASE-NOTES.md
+++ b/charts/admission-controller/RELEASE-NOTES.md
@@ -1,5 +1,5 @@
 # What's Changed
-### Documentation
-- **admission-controller, cluster-scanner, registry-scanner, cloud-connector, node-analyzer, rapid-response, sysdig-deploy, agent** [df733e62](https://github.com/sysdiglabs/charts/commit/df733e6294eae1967197e3521473a5fab0282b67): update maintainers list ([#1283](https://github.com/sysdiglabs/charts/issues/1283))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.12.2...admission-controller-0.12.3
+### New Features
+- **admission-controller** [ffa2c439](https://github.com/sysdiglabs/charts/commit/ffa2c439bd0a1a76443dc41439f048a2fc41e016): internal test ([#1297](https://github.com/sysdiglabs/charts/issues/1297))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.12.3...admission-controller-0.12.4