mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-10 11:16:57 +00:00
7c9f01639b
* Start working on updating dependencies: * Fix webhook * Rollback jsonschema update * Checkin new config * Fix run as root * Update versions of kind * Fix typo in kind URL * Fix kind config * Add csr permissions * Fix weird image thing * Fixed certificates * Add to logging * Approve cert manually * Fix approval * Add cert script * Fix deployment * Add requests/limits * Wait if certificate doesn't exist yet * Add check for file size * Add variable * Try a different imagE * Fix command * Update certificate logic * Add healthz * Don't check cert size * Remove stat * Fix vet * Put in change that makes no sense * Fix cert names * Roll back * Try changing config * Add logging for each request * Cleanup code some * Remove bad deployments * Fix client injection * Update timeout * Add logging * Fixed e2e webhook tests * Add permissions for approval * Fix permissions for CSR * Remove logging code * Remove refresh certs file * Fix merge issues * Update deployments * Try beta of admission controller config * Target 1.15 for testing * Add beta versions of resourceS * Lower webhook timeout * Refactor out a method * Fix up PR issues * Fix more tabs * Remove unnecessary messageS * Fix go.sum * Fix go.sum
406 lines
8.5 KiB
YAML
406 lines
8.5 KiB
YAML
---
|
|
# Source: polaris/templates/0-namespace.yaml
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: polaris
|
|
---
|
|
# Source: polaris/templates/rbac.yaml
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: polaris
|
|
namespace: polaris
|
|
labels:
|
|
app: polaris
|
|
---
|
|
# Source: polaris/templates/webhook.rbac.yaml
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: polaris-certificates
|
|
namespace: polaris
|
|
labels:
|
|
app: polaris
|
|
---
|
|
# Source: polaris/templates/webhook.secret.yaml
|
|
# The name of this secret is static as it is populated by the webhook pod.
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: polaris-webhook
|
|
namespace: polaris
|
|
labels:
|
|
app: polaris
|
|
type: kubernetes.io/tls
|
|
data:
|
|
tls.crt: ''
|
|
tls.key: ''
|
|
---
|
|
# Source: polaris/templates/rbac.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: polaris
|
|
labels:
|
|
app: polaris
|
|
rules:
|
|
# required by controller-runtime code doing a cluster wide lookup
|
|
# when it seems namespace would suffice
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- 'nodes'
|
|
verbs:
|
|
- 'get'
|
|
- 'list'
|
|
---
|
|
# Source: polaris/templates/webhook.rbac.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: polaris-webhook
|
|
labels:
|
|
app: polaris
|
|
rules:
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- 'secrets'
|
|
- 'services'
|
|
verbs:
|
|
- 'get'
|
|
- 'list'
|
|
- 'watch'
|
|
- apiGroups:
|
|
- 'certificates.k8s.io'
|
|
resources:
|
|
- 'certificatesigningrequests'
|
|
- 'certificatesigningrequests/approval'
|
|
verbs:
|
|
- 'get'
|
|
- 'update'
|
|
- 'create'
|
|
- 'delete'
|
|
- apiGroups:
|
|
- 'certificates.k8s.io'
|
|
resources:
|
|
- 'signers'
|
|
resourceNames:
|
|
- 'kubernetes.io/legacy-unknown'
|
|
verbs:
|
|
- 'approve'
|
|
- apiGroups:
|
|
- 'admissionregistration.k8s.io'
|
|
resources:
|
|
- 'validatingwebhookconfigurations'
|
|
verbs:
|
|
- '*'
|
|
---
|
|
# Source: polaris/templates/rbac.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: polaris-view
|
|
labels:
|
|
app: polaris
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: view
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: polaris
|
|
namespace: polaris
|
|
---
|
|
# Source: polaris/templates/rbac.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: polaris
|
|
labels:
|
|
app: polaris
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: polaris
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: polaris
|
|
namespace: polaris
|
|
---
|
|
# Source: polaris/templates/webhook.rbac.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: polaris-webhook
|
|
labels:
|
|
app: polaris
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: polaris-webhook
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: polaris-certificates
|
|
namespace: polaris
|
|
---
|
|
# Source: polaris/templates/webhook.rbac.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: Role
|
|
metadata:
|
|
name: polaris-webhook
|
|
namespace: polaris
|
|
labels:
|
|
app: polaris
|
|
rules:
|
|
# required for current controller-runtime bootstrap method
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- 'secrets'
|
|
- 'services'
|
|
verbs:
|
|
- '*'
|
|
---
|
|
# Source: polaris/templates/webhook.rbac.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: polaris-webhook
|
|
namespace: polaris
|
|
labels:
|
|
app: polaris
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: polaris-webhook
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: polaris-certificates
|
|
namespace: polaris
|
|
---
|
|
# Source: polaris/templates/webhook.service.yaml
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: polaris-webhook
|
|
namespace: polaris
|
|
labels:
|
|
app: polaris
|
|
spec:
|
|
ports:
|
|
- name: webhook
|
|
port: 443
|
|
protocol: TCP
|
|
targetPort: 9876
|
|
selector:
|
|
app: polaris
|
|
component: webhook
|
|
type: ClusterIP
|
|
---
|
|
# Source: polaris/templates/webhook.deployment.yaml
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: polaris-webhook
|
|
namespace: polaris
|
|
labels:
|
|
app: polaris
|
|
component: webhook
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: polaris
|
|
component: webhook
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: polaris
|
|
component: webhook
|
|
spec:
|
|
containers:
|
|
- name: webhook
|
|
command:
|
|
- polaris
|
|
- webhook
|
|
image: 'quay.io/fairwinds/polaris:1.2'
|
|
imagePullPolicy: 'Always'
|
|
ports:
|
|
- containerPort: 9876
|
|
# These are fairly useless readiness/liveness probes for now
|
|
# Follow this issue for potential improvements:
|
|
# https://github.com/kubernetes-sigs/controller-runtime/issues/356
|
|
livenessProbe:
|
|
exec:
|
|
command:
|
|
- sh
|
|
- -c
|
|
- ps -ef | grep polaris
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
readinessProbe:
|
|
exec:
|
|
command:
|
|
- sh
|
|
- -c
|
|
- ps -ef | grep polaris
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
resources:
|
|
limits:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
volumeMounts:
|
|
- name: secret
|
|
mountPath: /opt/cert/
|
|
readOnly: true
|
|
- name: cr-logs
|
|
mountPath: /tmp/
|
|
readOnly: false
|
|
serviceAccountName: polaris
|
|
nodeSelector:
|
|
tolerations:
|
|
volumes:
|
|
- name: secret
|
|
secret:
|
|
secretName: polaris-webhook
|
|
- name: cr-logs
|
|
emptyDir: {}
|
|
---
|
|
# Source: polaris/templates/webhook.job.yaml
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: polaris-certificate-updater
|
|
namespace: polaris
|
|
labels:
|
|
|
|
app: polaris
|
|
component: certificate-updater
|
|
spec:
|
|
template:
|
|
metadata:
|
|
labels:
|
|
|
|
app: polaris
|
|
component: certificate-updater
|
|
spec:
|
|
containers:
|
|
- name: webhook-certificate-generator
|
|
image: 'newrelic/k8s-webhook-cert-manager:1.3.0'
|
|
imagePullPolicy: Always
|
|
command:
|
|
- ./generate_certificate.sh
|
|
- --service
|
|
- polaris-webhook
|
|
- --namespace
|
|
- polaris
|
|
- --secret
|
|
- polaris-webhook
|
|
- --webhook
|
|
- polaris-webhook
|
|
- --webhook-kind
|
|
- ValidatingWebhookConfiguration
|
|
resources:
|
|
limits:
|
|
cpu: 150m
|
|
memory: 512Mi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
volumeMounts:
|
|
- name: tmp
|
|
mountPath: /tmp/
|
|
readOnly: false
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
serviceAccountName: polaris-certificates
|
|
restartPolicy: Never
|
|
volumes:
|
|
- name: tmp
|
|
emptyDir: {}
|
|
---
|
|
# Source: polaris/templates/webhook.configuration.yaml
|
|
apiVersion: admissionregistration.k8s.io/v1beta1
|
|
kind: ValidatingWebhookConfiguration
|
|
metadata:
|
|
name: polaris-webhook
|
|
webhooks:
|
|
- admissionReviewVersions:
|
|
- v1beta1
|
|
clientConfig:
|
|
caBundle: ""
|
|
service:
|
|
name: polaris-webhook
|
|
namespace: polaris
|
|
path: /validate
|
|
port: 443
|
|
failurePolicy: Ignore
|
|
matchPolicy: Exact
|
|
name: polaris.fairwinds.com
|
|
namespaceSelector:
|
|
matchExpressions:
|
|
- key: control-plane
|
|
operator: DoesNotExist
|
|
objectSelector: {}
|
|
rules:
|
|
- apiGroups:
|
|
- apps
|
|
apiVersions:
|
|
- v1
|
|
- v1beta1
|
|
- v1beta2
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- daemonsets
|
|
- deployments
|
|
- statefulsets
|
|
scope: Namespaced
|
|
- apiGroups:
|
|
- batch
|
|
apiVersions:
|
|
- v1
|
|
- v1beta1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- jobs
|
|
- cronjobs
|
|
scope: Namespaced
|
|
- apiGroups:
|
|
- ""
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- pods
|
|
- replicationcontrollers
|
|
scope: Namespaced
|
|
sideEffects: None
|
|
timeoutSeconds: 30
|