mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-29 02:45:06 +00:00
Enable webhooks configuration via Helm (#2032)
* helm - enable configurations of webhooks Signed-off-by: Shuting Zhao <shutting06@gmail.com> * retry on update failure Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update Readme Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address lint errors Signed-off-by: Shuting Zhao <shutting06@gmail.com>
parent
e61f6f9dd9
commit
65975a8b65
4 changed files with 12 additions and 0 deletions
|
@ -68,6 +68,7 @@ The following table lists the configurable parameters of the kyverno chart and t
|
|||
| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
|
||||
| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
|
||||
| `config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/kyverno/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]` |
|
||||
| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namesapceSelector` can be configured with Kyverno v1.4.0 | `nil` |
|
||||
| customLabels | object | `{}` | Additional labels |
|
||||
| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |
|
||||
| envVars | Extra environment variables to pass to kyverno | {} |
|
||||
|
|
|
@ -17,4 +17,7 @@ data:
|
|||
{{- if .Values.config.excludeUsername }}
|
||||
excludeUsername: {{ join "" .Values.config.excludeUsername | quote }}
|
||||
{{- end -}}
|
||||
{{- if .Values.config.webhooks }}
|
||||
webhooks: {{ .Values.config.webhooks | toJson | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
|
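Review bot: `config.webhooks` is serialized with `toJson | quote` without any check on its shape, so a map, or a string passed with `--set`, renders a ConfigMap value that installs cleanly and can only be rejected later when Kyverno parses it. The values file documents a list of selectors, so the template could enforce that at render time, for example `{{- if not (kindIs "slice" .Values.config.webhooks) }}{{ fail "config.webhooks must be a list" }}{{- end }}` ahead of the `webhooks:` line. How Kyverno treats a malformed value is not visible in this section; confirm whether it keeps the previous webhook scope or falls back to an unrestricted one.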
@ -141,6 +141,12 @@ config:
|
|||
# - ""
|
||||
excludeUsername:
|
||||
# - ""
|
||||
# Webhookconfigurations, this block defines the namespaceSelector in the webhookconfigurations.
|
||||
# Note that it takes a list of namespaceSelector in the JSON format, and only the first element
|
||||
# will be forwarded to the webhookconfigurations.
|
||||
webhooks:
|
||||
# webhooks: [{"namespaceSelector":{"matchExpressions":[{"key":"environment","operator":"In","values":["prod"]}]}}]
|
||||
|
||||
# existingConfig: init-config
|
||||
|
||||
service:
|
||||
|
|
|
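Review bot: The comment block above `webhooks:` does not state the enforcement consequence of setting a namespaceSelector: namespaces the selector does not match are never sent to the Kyverno admission webhooks, so with the sample value only namespaces labelled `environment=prod` would be checked. I would add a line such as `# Namespaces that do not match the selector are not sent to Kyverno at admission; restrict who can edit namespace labels.` so operators treat the label as part of the policy boundary. The note that only the first list element is forwarded also means extra elements are dropped silently; say so in the comment or accept a single object instead of a list.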
@ -179,12 +179,14 @@ func (wrc *Register) UpdateWebhookConfigurations(configHandler config.Interface)
|
|||
|
||||
if err := wrc.updateResourceMutatingWebhookConfiguration(nsSelector); err != nil {
|
||||
logger.Error(err, "unable to update mutatingWebhookConfigurations", "name", wrc.getResourceMutatingWebhookConfigName())
|
||||
go func() { wrc.UpdateWebhookChan <- true }()
|
||||
} else {
|
||||
logger.Info("successfully updated mutatingWebhookConfigurations", "name", wrc.getResourceMutatingWebhookConfigName())
|
||||
}
|
||||
|
||||
if err := wrc.updateResourceValidatingWebhookConfiguration(nsSelector); err != nil {
|
||||
logger.Error(err, "unable to update validatingWebhookConfigurations", "name", wrc.getResourceValidatingWebhookConfigName())
|
||||
go func() { wrc.UpdateWebhookChan <- true }()
|
||||
} else {
|
||||
logger.Info("successfully updated validatingWebhookConfigurations", "name", wrc.getResourceValidatingWebhookConfigName())
|
||||
}
|
||||
|
|
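Review bot: Both error branches re-queue with `go func() { wrc.UpdateWebhookChan <- true }()` and nothing bounds or delays the retry, so a persistent failure (an RBAC denial or a selector the API server rejects) would presumably turn into a tight retry loop. When both the mutating and the validating update fail, one call sends two signals; if the consumer outside this hunk runs one update per signal, pending goroutines grow on every round. I would record the failure in a local flag in both branches and signal once after them with a delay, for example `if retry { time.AfterFunc(retryDelay, func() { wrc.UpdateWebhookChan <- true }) }`, where `retryDelay` is a placeholder for a backoff the package would define. A short comment should also say that the cluster keeps the previous webhook scope until a retry succeeds, since that is the state operators see when the log shows "unable to update". UpdateWebhookConfigurations starts and ends outside the hunk, so the channel's buffering and its reader need checking there.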