diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml index cf79bdc7e..df3a7207a 100644 --- a/charts/admission-controller/Chart.yaml +++ b/charts/admission-controller/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: admission-controller description: Sysdig Admission Controller using Sysdig Secure inline image scanner type: application -version: 0.12.3 +version: 0.12.4 appVersion: 3.9.26 home: https://sysdiglabs.github.io/admission-controller/ icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md index cca9b8125..303ea0da3 100644 --- a/charts/admission-controller/README.md +++ b/charts/admission-controller/README.md @@ -68,7 +68,7 @@ For example: ```bash helm upgrade --install admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.12.3 \ + --create-namespace -n sysdig-admission-controller --version=0.12.4 \ --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME ``` @@ -80,7 +80,7 @@ For example: ```bash helm upgrade --install admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.12.3 \ + --create-namespace -n sysdig-admission-controller --version=0.12.4 \ --values values.yaml ``` diff --git a/charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml b/charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml new file mode 100644 index 000000000..16c0daf1f --- /dev/null +++ b/charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml 
@@ -0,0 +1,13 @@ +# Warning! This file is for internal tests only. +{{- if .Values.webhook.acConfig }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: admissioncontrollerconfigmap + namespace: {{ include "admissionController.namespace" . }} + labels: + {{ include "admissionController.webhook.labels" . | nindent 4 }} +data: + acConfig: | + {{ .Values.webhook.acConfig | nindent 4 }} +{{- end }} diff --git a/charts/admission-controller/templates/webhook/admissionregistration.yaml b/charts/admission-controller/templates/webhook/admissionregistration.yaml index 7b578787a..7a46d5dbd 100644 --- a/charts/admission-controller/templates/webhook/admissionregistration.yaml +++ b/charts/admission-controller/templates/webhook/admissionregistration.yaml @@ -30,7 +30,7 @@ metadata: labels: app.kubernetes.io/managed-by: Helm webhooks: -{{- if .Values.scanner.enabled }} +{{- if or .Values.scanner.enabled .Values.webhook.acConfig }} - name: scanning.secure.sysdig.com matchPolicy: Equivalent rules: diff --git a/charts/admission-controller/templates/webhook/clusterrole.yaml b/charts/admission-controller/templates/webhook/clusterrole.yaml index 2372501de..7b5861ae2 100644 --- a/charts/admission-controller/templates/webhook/clusterrole.yaml +++ b/charts/admission-controller/templates/webhook/clusterrole.yaml @@ -16,8 +16,21 @@ rules: - "" resources: - pods +{{- if .Values.webhook.acConfig }} + - configmaps +{{- end }} + verbs: + - get +{{- if .Values.webhook.acConfig }} +- apiGroups: + - "batch" + resources: + - jobs verbs: + - create - get + - delete +{{- end }} - apiGroups: - "apps" resources: diff --git a/charts/admission-controller/templates/webhook/deployment.yaml b/charts/admission-controller/templates/webhook/deployment.yaml index 2171000c7..db831c3c4 100644 --- a/charts/admission-controller/templates/webhook/deployment.yaml +++ b/charts/admission-controller/templates/webhook/deployment.yaml 
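Review bot: `acConfig: |` followed on the next line by `{{ .Values.webhook.acConfig | nindent 4 }}` produces a literal block whose first line is the template's own four-space prefix plus the newline that `nindent` emits, so the stored value begins with an empty line (`"\nfoo: bar\nfizz: buzz\n"` for the value used in the new test). Trimming the preceding whitespace, `    {{- .Values.webhook.acConfig | nindent 4 }}`, keeps the content aligned under the `|` without the leading blank line; whether the consumer of `acConfig` tolerates that newline isn't visible from this hunk. The "internal tests only" warning would also be more useful if it said what the value switches on elsewhere in the chart — per the other hunks a non-empty `webhook.acConfig` widens the webhook ClusterRole, sets `VM_ENGINE_V2_ENABLED` and registers the scanning webhook — since anyone who copies it into a values file gets all of that, not just this ConfigMap. If the config can carry credentials it belongs in a Secret rather than a ConfigMap; the hunk doesn't show what the payload is.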
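Review bot: `{{- if or .Values.scanner.enabled .Values.webhook.acConfig }}` turns the scanning webhook on for the mere presence of a string, and the same truthiness test on `webhook.acConfig` is repeated in the clusterrole, deployment and configmap templates, so the four sites can drift as the feature evolves. A named helper such as `{{- define "admissionController.vmEngineV2.enabled" -}}{{ if .Values.webhook.acConfig }}true{{ end }}{{- end }}`, used here as `{{- if or .Values.scanner.enabled (include "admissionController.vmEngineV2.enabled" .) }}`, keeps the decision in one place. If the `clientConfig` of this webhook entry (below the hunk, in the `webhooks:` list that continues past it) targets a scanner-only Service, registering it with `scanner.enabled=false` also needs checking — a `Fail` failurePolicy against an absent backend would block every matching admission — but I can't confirm that from the hunk.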
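Review bot: With `webhook.acConfig` unset the core rule renders `verbs:` twice in one mapping — once from the new unconditional `+  verbs:` / `+  - get` pair and again from the context `verbs:` / `- get` lines after the `{{- end }}`, which only serve the batch rule when the condition holds. Lenient YAML loaders keep the last value silently (evidently helm-unittest's, since the new default-path test passes); strict ones such as yamllint's key-duplicates check or kubectl's strict field validation reject the manifest. Keeping the original `verbs:` under the pods rule and giving the batch rule its own `verbs:` inside the conditional, as below, fixes it (the enclosing `rules:` list starts above the hunk). Separately, `create`/`delete` on `batch/jobs` and `get` on `configmaps` in a ClusterRole apply to every namespace, and cluster-wide Job creation lets the webhook's ServiceAccount launch pods under any namespace's ServiceAccounts; given the deployment pins `AC_NAMESPACE` to the chart namespace, a namespaced Role/RoleBinding there, with `resourceNames: [admissioncontrollerconfigmap]` on the ConfigMap rule, would hold the grant to what the feature appears to use.
```yaml
  resources:
  - pods
{{- if .Values.webhook.acConfig }}
  - configmaps
{{- end }}
  verbs:
  - get
{{- if .Values.webhook.acConfig }}
- apiGroups:
  - "batch"
  resources:
  - jobs
  verbs:
  - create
  - get
  - delete
{{- end }}
# … unchanged: apps rule and the remaining rules …
```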
@@ -83,11 +83,17 @@ spec: value: {{ include "webhook.httpsProxy" . }} - name: NO_PROXY value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }} + - name: AC_NAMESPACE + value: {{ include "admissionController.namespace" . }} {{- end }} {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }} - name: SSL_CERT_DIR value: /ca-certs {{- end }} + {{- if .Values.webhook.acConfig }} + - name: VM_ENGINE_V2_ENABLED + value: "true" + {{- end }} ports: - name: http containerPort: {{ .Values.webhook.http.port }} diff --git a/charts/admission-controller/tests/configmap_test.yaml b/charts/admission-controller/tests/configmap_test.yaml new file mode 100644 index 000000000..fedf29101 --- /dev/null +++ b/charts/admission-controller/tests/configmap_test.yaml 
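Review bot: `AC_NAMESPACE` is inserted between `NO_PROXY` and the `{{- end }}` that closes a conditional opened above the hunk; if that conditional is the proxy guard, as its HTTPS_PROXY/NO_PROXY neighbours suggest, the variable is only set on deployments that configure a proxy, while `VM_ENGINE_V2_ENABLED` is set whenever `acConfig` is. Moving the two lines into the new `{{- if .Values.webhook.acConfig }}` block next to `VM_ENGINE_V2_ENABLED` ties both to the same switch; if the engine needs the namespace regardless, put them unconditionally just before `ports:` instead. The namespace value is also worth quoting, `value: {{ include "admissionController.namespace" . | quote }}`, to match `value: "true"` below and keep the env value a string whatever the helper returns. The container spec this env list belongs to starts outside the hunk.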
@@ -0,0 +1,56 @@ +suite: Test admissioncontrollerconfigmap +templates: + - templates/webhook/admissioncontrollerconfigmap.yaml + - templates/webhook/clusterrole.yaml +tests: + - it: Creates the configmap if webhook.acConfig is present + set: + webhook: + acConfig: | + foo: bar + fizz: buzz + asserts: + - containsDocument: + kind: ConfigMap + apiVersion: v1 + template: templates/webhook/admissioncontrollerconfigmap.yaml + - it: Creates the clusterrole if webhook.acConfig is present + set: + webhook: + acConfig: | + foo: bar + fizz: buzz + asserts: + - isSubset: + path: rules[2] + content: + apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create", "get", "delete"] + template: templates/webhook/clusterrole.yaml + - isSubset: + path: rules[1] + content: + apiGroups: [""] + resources: ["pods", "configmaps"] + verbs: ["get"] + template: templates/webhook/clusterrole.yaml + - it: Does not create the configmap if webhook.acConfig is not present + set: {} + asserts: + - notContains: + path: rules + content: + apiGroups: [ "batch" ] + template: templates/webhook/clusterrole.yaml + - isSubset: + path: rules[1] + content: + apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + template: templates/webhook/clusterrole.yaml +# asserts: +# - isNullOrEmpty: +# path: data +# template: templates/webhook/admissioncontrollerconfigmap.yaml diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml index 85f3b5625..b7beb7854 100644 --- a/charts/admission-controller/values.yaml +++ b/charts/admission-controller/values.yaml @@ -208,6 +208,7 @@ webhook: # The image pull secrets for webhook. imagePullSecrets: [] + # Resource request and limits for webhook. resources: # +doc-gen:break limits:
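Review bot: The third case, `Does not create the configmap if webhook.acConfig is not present`, never looks at the ConfigMap template — both of its asserts target `templates/webhook/clusterrole.yaml`, and the only ConfigMap check is the commented-out block at the bottom of the file. helm-unittest can state the absence directly, `- hasDocuments:` / `    count: 0` / `  template: templates/webhook/admissioncontrollerconfigmap.yaml`, which would also let the commented block be deleted rather than shipped. Note that neither `isSubset` nor an `equal` on `rules[1]` can catch a duplicated `verbs` key in the rendered clusterrole, because the YAML is parsed (last value wins) before matching; a strict-loader lint such as yamllint's key-duplicates on `helm template` output is the tool for that, and is worth adding alongside these tests.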
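Review bot: `webhook.acConfig`, which three templates and the webhook registration in this commit key off, is neither declared nor documented in this values hunk; unless it is defined further up in `values.yaml` (not visible here), `helm show values` gives no hint that a non-empty value sets `VM_ENGINE_V2_ENABLED`, adds the ConfigMap/Jobs rules to the ClusterRole and registers the scanning webhook even when `scanner.enabled` is false. Declaring it with a warning, e.g. `# Internal/testing only: a non-empty value enables VM engine V2, widens the webhook ClusterRole and registers the scanning webhook.` followed by `acConfig: ""`, would make the switch discoverable and searchable. The `webhook:` section this hunk sits in starts outside the hunk.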