mirror of
https://github.com/projectcapsule/capsule.git
synced 2026-02-14 18:09:58 +00:00
* chore(metrics): cleanup emitted metrics Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore(ci): bump kind 1.34 Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(chart): specific crd names for job rbac Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> --------- Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
# Default values for capsule.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
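global:
  jobs:
    # Settings shared by the chart's kubectl-based jobs.
    kubectl:
      image:
        # -- Set the image registry of the helm chart job
        registry: docker.io
        # -- Set the image repository of the helm chart job
        repository: clastix/kubectl
        # -- Set the image pull policy of the helm chart job
        pullPolicy: IfNotPresent
        # NOTE(review): the tag is empty, so the effective tag is chosen by the
        # chart templates (not shown here). Pin an explicit tag when the job
        # image must be reproducible and auditable.
        # -- Set the image tag of the helm chart job
        tag: ""
      # -- ImagePullSecrets
      imagePullSecrets: []
      # -- Labels to add to the job pod
      podLabels: {}
      # -- Annotations to add to the job pod
      podAnnotations: {}
      # -- Labels to add to the job.
      labels: {}
      # -- Annotations to add to the job.
      annotations: {}
      # -- Set the restartPolicy
      restartPolicy: Never
      # -- Sets the TTL, in seconds, after which a finished certgen job is deleted. Set to -1 to never delete.
      ttlSecondsAfterFinished: 60
      # NOTE(review): `enabled` is not a Kubernetes securityContext field; it is
      # presumably a chart-level toggle consumed by the templates. Confirm.
      # -- Security context for the job pods.
      podSecurityContext:
        enabled: true
        seccompProfile:
          type: "RuntimeDefault"
      # Hardened default: non-root UID/GID, no privilege escalation, all
      # capabilities dropped, read-only root filesystem. Overrides that relax
      # any of these should be reviewed, since the job talks to the API server.
      # -- Security context for the job containers.
      securityContext:
        enabled: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
        runAsGroup: 1002
        runAsNonRoot: true
        runAsUser: 1002
      # -- Job resources
      resources: {}
      # -- Set the node selector
      nodeSelector: {}
      # -- Set list of tolerations
      tolerations: []
      # -- Set affinity rules
      affinity: {}
      # -- Set Topology Spread Constraints
      topologySpreadConstraints: []
      # -- Set a pod priorityClassName
      priorityClassName: ""
      # -- Backofflimit for jobs
      backoffLimit: 4
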
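# Manage CRD Lifecycle
crds:
  # -- Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations)
  install: true
  # -- Only install the CRDs, no other primitives
  exclusive: false
  # -- Additionally create the CapsuleConfiguration even if CRDs are exclusive
  createConfig: false
  # -- Extra Labels for CRDs
  labels: {}
  # NOTE(review): this key is spelled `annnotations` (three n's). It is kept
  # unchanged because the templates that read it are not visible here; a value
  # set under `crds.annotations` would presumably be ignored. Rename the key
  # and the template reference together, if at all.
  # -- Extra Annotations for CRDs
  annnotations: {}
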
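# Secret Options
tls:
  # -- Start the Capsule controller that injects the CA into mutating and validating webhooks, and CRD as well.
  enableController: true
  # -- When cert-manager is disabled, Capsule will generate the TLS certificate for webhook and CRDs conversion.
  create: true
  # -- Override the name of the Capsule TLS Secret when it is externally managed.
  name: ""
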
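# Capsule Proxy
proxy:
  # -- Enable Installation of Capsule Proxy
  enabled: false
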
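# These are ClusterRoles which grant permissions for Capsule CRDs to Tenant Owners
# The `aggregate-to-admin` label makes Kubernetes fold a ClusterRole's rules
# into the built-in `admin` ClusterRole, so every subject bound to `admin`
# gains them. Both roles are off by default (`create: false`).
rbac:
  resources:
    create: false
    labels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
  resourcepoolclaims:
    create: false
    labels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
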
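# Manager Options
# NOTE(review): nesting restored from a listing that had lost its indentation.
# Placing `extraArgs` through `securityContext` under `manager` is inferred
# from the blank-line grouping; confirm against the upstream chart.
manager:

  # Manager RBAC
  rbac:
    # -- Specifies whether RBAC resources should be created.
    create: true
    # Least privilege: every ClusterRole listed here widens what the manager
    # service account may do cluster-wide.
    # -- Specifies further cluster roles to be added to the Capsule manager service account.
    existingClusterRoles: []
    #  - cluster-admin
    # -- Specifies further roles to be added to the Capsule manager service account.
    existingRoles: []
    #  - namespace-admin

  # -- Set the controller deployment mode as `Deployment` or `DaemonSet`.
  kind: Deployment

  # -- [Deployment Strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy)
  deploymentStrategy:
    type: "RollingUpdate"
    # rollingUpdate:
    #   maxUnavailable: 1

  # -- [Daemonset Strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#creating-a-daemonset-with-rollingupdate-update-strategy)
  daemonsetStrategy:
    type: "RollingUpdate"
    # rollingUpdate:
    #   maxUnavailable: 1

  image:
    # -- Set the image registry of capsule.
    registry: ghcr.io
    # -- Set the image repository of capsule.
    repository: projectcapsule/capsule
    # -- Set the image pull policy.
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is the chart appVersion.
    tag: ''

  # Host networking places the manager in the node's network namespace;
  # leave it off unless the cluster setup described below requires it.
  # -- Specifies if the container should be started in hostNetwork mode.
  #
  # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
  # CNI (such as calico), because control-plane managed by AWS cannot communicate
  # with pods' IP CIDR and admission webhooks are not working
  hostNetwork: false

  # -- Specifies if the container should be started in hostPID mode.
  hostPID: false

  # NOTE(review): presumably rendered into the pod spec's `hostUsers` field,
  # where `true` keeps the pod in the host user namespace and `false` runs it
  # in a separate user namespace. Confirm against the templates.
  # -- Use the host user namespace (set to `false` to run with User Namespaces)
  hostUsers: true

  # -- Set an alternative to the default container port.
  #
  # Useful for use in some kubernetes clusters (such as GKE Private) with
  # aggregator routing turned on, because pod ports have to be opened manually
  # on the firewall side
  webhookPort: 9443

  # Additional Capsule Controller Options
  options:
    # -- Change the default name of the capsule configuration
    capsuleConfiguration: default
    # -- Set the log verbosity of the capsule with a value from 1 to 10
    logLevel: '4'
    # -- Names of the users considered as Capsule users.
    userNames: []
    # -- Names of the groups considered as Capsule users.
    capsuleUserGroups: ["projectcapsule.dev"]
    # -- Define groups which, when found in the request of a user, cause the request to be ignored by Capsule.
    # This might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups.
    ignoreUserWithGroups: []
    # -- ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant.
    # This is achieved by labeling the ServiceAccount, after which it is considered an owner. This can only be done by other owners of the tenant.
    # However, ServiceAccounts which have been promoted to owner cannot promote further ServiceAccounts.
    allowServiceAccountPromotion: false
    # -- Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash
    forceTenantPrefix: false
    # -- If specified, disallows creation of namespaces matching the passed regexp
    protectedNamespaceRegex: ""
    # -- Specifies whether capsule webhooks certificates should be generated by capsule operator
    generateCertificates: true
    # -- Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant
    nodeMetadata:
      forbiddenLabels:
        denied: []
        deniedRegex: ""
      forbiddenAnnotations:
        denied: []
        deniedRegex: ""

  # -- A list of extra arguments for the capsule controller
  extraArgs:
    - "--enable-leader-election=true"

  # -- Additional Environment Variables
  env: []

  # -- Configure the liveness probe using Deployment probe spec
  livenessProbe:
    httpGet:
      path: /healthz
      port: 10080

  # -- Configure the readiness probe using Deployment probe spec
  readinessProbe:
    httpGet:
      path: /readyz
      port: 10080

  # -- Set the resource requests/limits for the Capsule manager container
  resources: {}

  # -- Set the additional volumes needed for the Capsule manager container
  volumes: []

  # -- Set the additional volumeMounts needed for the Capsule manager container
  volumeMounts: []

  # -- Set the securityContext for the Capsule container
  securityContext: {}
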
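# -- Configuration for `imagePullSecrets` so that you can use a private image registry.
imagePullSecrets: []

# -- Labels to add to the capsule pod.
podLabels: {}

# -- Annotations to add to the capsule pod.
podAnnotations: {}
# The following annotations guarantee scheduling for critical add-on pods
# podAnnotations:
#   scheduler.alpha.kubernetes.io/critical-pod: ''

# -- Set the priority class name of the Capsule pod
priorityClassName: '' # system-cluster-critical
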
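# Hardened defaults for the Capsule pod: seccomp RuntimeDefault and a fixed
# non-root UID/GID at pod level; all capabilities dropped, no privilege
# escalation and a read-only root filesystem at container level.
# NOTE(review): `enabled` is not a Kubernetes securityContext field; it is
# presumably a chart-level toggle consumed by the templates. Confirm.
# -- Set the securityContext for the Capsule pod
podSecurityContext:
  enabled: true
  seccompProfile:
    type: "RuntimeDefault"
  runAsGroup: 1002
  runAsNonRoot: true
  runAsUser: 1002

# -- Set the securityContext for the Capsule container
securityContext:
  enabled: true
  capabilities:
    drop:
      - ALL
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
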
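# -- Set the node selector for the Capsule pod
nodeSelector: {}
#  node-role.kubernetes.io/master: ""

# -- Set list of tolerations for the Capsule pod
tolerations: []
# - key: CriticalAddonsOnly
#   operator: Exists
# - effect: NoSchedule
#   key: node-role.kubernetes.io/master

# -- Set the replica count for capsule pod
replicaCount: 1

# -- Set additional ports for the deployment
ports: []

# -- Set affinity rules for the Capsule pod
affinity: {}

# -- Set topology spread constraints for the Capsule pod
topologySpreadConstraints: []

# -- Deprecated, use .global.jobs.kubectl instead
jobs: {}
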
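# ServiceAccount
serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  # -- Annotations to add to the service account.
  annotations: {}
  # -- The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template
  name: ""
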
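certManager:
  # -- Specifies whether capsule webhooks certificates should be generated using cert-manager
  generateCertificates: false
  # -- Specify additional SANS to add to the certificate
  additionalSANS: []
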
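# -- Additional labels which will be added to all resources created by Capsule helm chart
customLabels: {}

# -- Additional annotations which will be added to all resources created by Capsule helm chart
customAnnotations: {}
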
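# Monitoring Settings
# NOTE(review): nesting restored from a listing that had lost its indentation.
# `operator` under `dashboards` and `serviceMonitor` under `monitoring` are
# inferred from the blank-line grouping; confirm against the upstream chart.
monitoring:

  dashboards:
    # -- Enable Dashboards to be deployed
    enabled: false
    # -- Annotations for dashboard configmaps
    annotations: {}
    # -- Labels for dashboard configmaps
    labels: {}
    #  grafana_dashboard: "1"
    # -- Custom namespace for dashboard configmaps
    namespace: ""
    # Grafana Operator
    operator:
      # -- Enable Operator Resources (GrafanaDashboard)
      enabled: false
      # -- Allow the Operator to match this resource with Grafanas outside the current namespace
      allowCrossNamespaceImport: true
      # -- How often the resource is synced, defaults to 10m0s if not set
      resyncPeriod: "10m"
      # -- Selects Grafana instances for import
      instanceSelector: {}
      # -- folder assignment for dashboard
      folder: ""

  # ServiceMonitor
  serviceMonitor:
    # -- Enable ServiceMonitor
    enabled: false
    # -- Install the ServiceMonitor into a different Namespace, as the monitoring stack one (default: the release one)
    namespace: ''
    # -- Assign additional labels according to Prometheus' serviceMonitorSelector matching labels
    labels: {}
    # -- Assign additional Annotations
    annotations: {}
    # -- Change matching labels
    matchLabels: {}
    # -- Set targetLabels for the serviceMonitor
    targetLabels: []
    endpoint:
      # -- Set the scrape interval for the endpoint of the serviceMonitor
      interval: "15s"
      # -- Set the scrape timeout for the endpoint of the serviceMonitor
      scrapeTimeout: ""
      # -- Set metricRelabelings for the endpoint of the serviceMonitor
      metricRelabelings: []
      # -- Set relabelings for the endpoint of the serviceMonitor
      relabelings: []
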
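# Webhooks configurations
# NOTE(review): nesting restored from a listing that had lost its indentation.
# The `webhooks.hooks.<name>` path matches the deprecation comments below;
# keeping the deprecated keys under `hooks` is inferred. Confirm upstream.
webhooks:
  # -- When `crds.exclusive` is `true` the webhooks will be installed
  exclusive: false
  # -- Timeout in seconds for mutating webhooks
  mutatingWebhooksTimeoutSeconds: 30
  # -- Timeout in seconds for validating webhooks
  validatingWebhooksTimeoutSeconds: 30

  # Configure custom webhook service
  service:
    # -- The URL where the capsule webhook services are running (Overwrites cluster scoped service definition)
    url: ""
    # -- CABundle for the webhook service
    caBundle: ""
    # -- Custom service name for the webhook service
    name: ""
    # -- Custom service namespace for the webhook service
    namespace: ""
    # -- Custom service port for the webhook service
    port:

  # Admission Webhook Configuration
  # Every hook below defaults to `failurePolicy: Fail` (fail closed): when the
  # webhook endpoint cannot be reached, matching requests are rejected instead
  # of being admitted unchecked. Changing a hook to `Ignore` favours
  # availability, at the cost of tenant policy going unenforced during an outage.
  hooks:

    resourcepools:
      pools:
        # -- Enable the Hook
        enabled: true
        # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
        failurePolicy: Fail
        # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
        matchPolicy: Equivalent
        # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
        objectSelector: {}
        # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
        namespaceSelector: {}
        # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
        matchConditions: []

      claims:
        # -- Enable the Hook
        enabled: true
        # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
        failurePolicy: Fail
        # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
        matchPolicy: Equivalent
        # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
        objectSelector: {}
        # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
        namespaceSelector: {}
        # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
        matchConditions: []

    customresources:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Equivalent
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []

    namespaces:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Equivalent
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector: {}
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []
      # -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
      reinvocationPolicy: Never

    # The wildcard rules below apply only inside namespaces that carry both the
    # tenant label and the cordoned label (see namespaceSelector); loosening the
    # selector would extend the wildcard match to every selected namespace.
    cordoning:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Equivalent
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
          - key: projectcapsule.dev/cordoned
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []
      # -- [Rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules)
      rules:
        - apiGroups:
            - '*'
          apiVersions:
            - '*'
          operations:
            - CREATE
            - UPDATE
            - DELETE
          resources:
            - '*'
          scope: Namespaced

    gateways:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Equivalent
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []

    ingresses:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Equivalent
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []
      # -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
      reinvocationPolicy: Never

    networkpolicies:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Equivalent
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []

    pods:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Exact
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []
      # -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
      reinvocationPolicy: Never

    persistentvolumeclaims:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Equivalent
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []
      # -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
      reinvocationPolicy: Never

    tenants:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Exact
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector: {}
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []
      # -- [ReinvocationPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#reinvocation-policy)
      reinvocationPolicy: Never

    tenantResourceObjects:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Exact
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []

    services:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Exact
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []

    nodes:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Exact
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector: {}
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []

    serviceaccounts:
      # -- Enable the Hook
      enabled: true
      # -- [FailurePolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy)
      failurePolicy: Fail
      # -- [MatchPolicy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy)
      matchPolicy: Exact
      # -- [ObjectSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector)
      objectSelector: {}
      # -- [NamespaceSelector](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)
      namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      # -- [MatchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions)
      matchConditions: []

    # -- Deprecated, use webhooks.hooks.namespaces instead
    namespaceOwnerReference: {}

    defaults:
      # -- Deprecated, use webhooks.hooks.ingresses instead
      ingress: {}
      # -- Deprecated, use webhooks.hooks.persistentvolumeclaims instead
      pvc: {}
      # -- Deprecated, use webhooks.hooks.pods instead
      pods: {}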