{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
Uses .Values.nameOverride when it is set and falls back to .Chart.Name.
The result is cut to 63 characters, the length limit Kubernetes applies to
label values and DNS-style names, and a trailing "-" left by the cut is removed.
*/}}
{{- define "kyverno-policies.name" -}}
{{- .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the "name-version" string used as the value of the helm.sh/chart label.
"+" (SemVer build metadata) is not allowed in a label value, so it is replaced
with "_"; the result is then cut to 63 characters and a trailing "-" is removed.
*/}}
{{- define "kyverno-policies.chart" -}}
{{- $nameAndVersion := printf "%s-%s" .Chart.Name .Chart.Version -}}
{{- $nameAndVersion | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
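{{/*
Helm required labels.
Renders the common label set as YAML map entries at column 0; the caller is
responsible for indenting the result to the right depth.
The chart version has "+" replaced with "_", the same way the
"kyverno-policies.chart" helper does it: "+" is valid in a SemVer chart version
but not in a Kubernetes label value, so an unescaped build-metadata version
would make every labelled object fail API validation.
.Values.customLabels is appended as-is with toYaml. A custom key that repeats
one of the fixed keys above produces a duplicate key in the rendered map, so
custom labels should use their own keys.
*/}}
{{- define "kyverno-policies.labels" -}}
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ template "kyverno-policies.name" . }}
app.kubernetes.io/part-of: {{ template "kyverno-policies.name" . }}
app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
helm.sh/chart: {{ template "kyverno-policies.chart" . }}
{{- if .Values.customLabels }}
{{ toYaml .Values.customLabels }}
{{- end }}
{{- end -}}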
{{/*
Decide whether the baseline-profile policy named by .name is managed by this release.
Renders the text "true" when podSecurityStandard is "baseline" or "restricted",
or when it is "custom" and .name is listed in podSecurityPolicies. Every other
value renders "false", including a misspelled standard, so in that case the
policy is left out without any error.
The result is text, not a boolean: "true" and "false" are both non-empty and
therefore both truthy in an if, so callers have to compare the rendered output
with "true".
Assumes the calling context carries a name key next to .Values; the callers are
not part of this file, confirm there.
*/}}
{{- define "kyverno-policies.podSecurityBaseline" -}}
{{- $standard := .Values.podSecurityStandard -}}
{{- if or (eq $standard "baseline") (eq $standard "restricted") }}
  {{- true }}
{{- else if and (eq $standard "custom") (has .name .Values.podSecurityPolicies) }}
  {{- true }}
{{- else -}}
  {{- false }}
{{- end -}}
{{- end -}}
{{/*
Decide whether the restricted-profile policy named by .name is managed by this release.
Renders the text "true" in three cases, checked in this order:
  1. podSecurityStandard is "restricted";
  2. podSecurityStandard is "custom" and .name is listed in podSecurityPolicies;
  3. .name is listed in includeRestrictedPolicies, whatever the standard is.
Every other combination renders "false", including a misspelled standard, so in
that case the policy is left out without any error.
The result is text, not a boolean: "true" and "false" are both non-empty and
therefore both truthy in an if, so callers have to compare the rendered output
with "true".
Assumes the calling context carries a name key next to .Values; the callers are
not part of this file, confirm there.
*/}}
{{- define "kyverno-policies.podSecurityRestricted" -}}
{{- $standard := .Values.podSecurityStandard -}}
{{- if eq $standard "restricted" }}
  {{- true }}
{{- else if and (eq $standard "custom") (has .name .Values.podSecurityPolicies) }}
  {{- true }}
{{- else if has .name .Values.includeRestrictedPolicies }}
  {{- true }}
{{- else -}}
  {{- false }}
{{- end -}}
{{- end -}}
{{/*
Decide whether the policy named by .name, from the "other" policy group, is
managed by this release.
Renders the text "true" only when .name is listed in includeOtherPolicies and
"false" otherwise; podSecurityStandard is not consulted here.
The result is text, not a boolean, so callers have to compare the rendered
output with "true".
*/}}
{{- define "kyverno-policies.podSecurityOther" -}}
{{- if not (has .name .Values.includeOtherPolicies) -}}
  {{- false }}
{{- else -}}
  {{- true }}
{{- end -}}
{{- end -}}
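{{/*
Render the Kyverno version this chart should assume.
When .Values.kyvernoVersion is anything other than "autodetect", that value is
rendered verbatim.
With "autodetect" the version is read from the cluster: the Deployment named
"kyverno" in the release namespace is looked up and the tag of its first
container image is used, with a leading "v" removed.

Image reference handling:
  - a digest suffix ("@sha256:...") is dropped before the tag is read, so a
    digest-pinned image such as repo/kyverno:v1.2.3@sha256:... yields 1.2.3
    instead of the digest hex;
  - only the last path segment is searched for ":", so a registry port
    (host:5000/kyverno) is not mistaken for a tag;
  - a reference without a tag yields an empty version.

The result is empty when no version can be determined: the Deployment does not
exist under that name in that namespace, the image carries no tag, or lookup
has no cluster to query (helm template and client-side dry runs return an empty
object). Callers must treat an empty result as "unknown", not as a match.
Assumes the Kyverno container is the first one in the pod spec; confirm for
deployments that add other containers ahead of it.
*/}}
{{- define "kyverno-policies.kyvernoVersion" -}}
{{- $version := "" -}}
{{- if eq .Values.kyvernoVersion "autodetect" }}
  {{- with (lookup "apps/v1" "Deployment" .Release.Namespace "kyverno") -}}
    {{- with (first .spec.template.spec.containers) -}}
      {{- /* Strip the digest first, then isolate the name[:tag] segment. */ -}}
      {{- $reference := first (splitList "@" .image) -}}
      {{- $leaf := last (splitList "/" $reference) -}}
      {{- if contains ":" $leaf -}}
        {{- $imageTag := last (splitList ":" $leaf) -}}
        {{- $version = trimPrefix "v" $imageTag -}}
      {{- end -}}
    {{- end -}}
  {{- end -}}
{{ $version }}
{{- else -}}
{{ .Values.kyvernoVersion }}
{{- end -}}
{{- end -}}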
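{{/*
Fail the render when the Kyverno version does not satisfy a constraint.
Takes a dict with two keys:
  ver - the SemVer constraint the calling policy needs;
  top - the root chart context, passed on to "kyverno-policies.kyvernoVersion".
The version is rendered once and reused for both the emptiness test and the
comparison, so the two steps always see the same value and autodetect performs
a single cluster lookup per call.

This check fails open: when the version renders empty, nothing is compared and
the render continues. That happens when kyvernoVersion is set to an empty
value, or when autodetect finds no version (for example under helm template,
or when Kyverno is not installed as a Deployment named "kyverno" in the release
namespace). Set kyvernoVersion explicitly where the check has to be enforced.
A version that is not valid SemVer makes semverCompare abort the render with
its own parse error rather than the message below.
*/}}
{{- define "kyverno-policies.supportedKyvernoCheck" -}}
{{- $supportedKyverno := index . "ver" -}}
{{- $top := index . "top" -}}
{{- $detected := include "kyverno-policies.kyvernoVersion" $top -}}
{{- if $detected -}}
  {{- if not (semverCompare $supportedKyverno $detected) -}}
    {{- fail (printf "Kyverno version is too low, expected %s" $supportedKyverno) -}}
  {{- end -}}
{{- end -}}
{{- end -}}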