Merge pull request #13 from bryopsida/10-add-hook-selector-and-match-…

…configurations Add namespaceSelector and objectSelector values
bryopsida · Jul 1, 2023 · 76b1ab8 · 76b1ab8
2 parents bfead00 + 34e118b
commit 76b1ab8
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 2 deletions.
diff --git a/helm/psa-restricted-patcher/Chart.yaml b/helm/psa-restricted-patcher/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: psa-restricted-patcher
 description: Automatically patches pods on creation to conform to the pod security restricted profile
 type: application
-version: 0.6.0
+version: 0.7.0
 appVersion: "0.2.0"
 maintainers:
   - name: bryopsida
diff --git a/helm/psa-restricted-patcher/README.md b/helm/psa-restricted-patcher/README.md
@@ -1,6 +1,6 @@
 # psa-restricted-patcher
 
-![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square)
+![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square)
 
 Automatically patches pods on creation to conform to the pod security restricted profile
 
@@ -37,8 +37,10 @@ Automatically patches pods on creation to conform to the pod security restricted
 | logLevel | string | `"info"` |  |
 | nameOverride | string | `""` |  |
 | namespaceScoped | bool | `false` | If true, scopes the webhook to the namespace the webhook is deployed. |
+| namespaceSelector | object | `{}` | Optional namespace selector: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector |
 | namespaces | list | `[]` | The namespaces to automatically patch, if empty it will patch all namespaces |
 | nodeSelector | object | `{}` |  |
+| objectSelector | object | `{}` | Optional object selector: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector |
 | passthroughPatterns | list | `[]` | A list of regex patterns, that if matched, the pod passes through untouched  |
 | podAnnotations | object | `{}` |  |
 | podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |

diff --git a/helm/psa-restricted-patcher/templates/mutating-webhook.yaml b/helm/psa-restricted-patcher/templates/mutating-webhook.yaml
@@ -9,6 +9,10 @@ webhooks:
   timeoutSeconds: {{ .Values.timeoutSeconds | int }}
   failurePolicy: {{ .Values.failurePolicy | quote }}
   reinvocationPolicy: {{ .Values.reinvocationPolicy | quote }}
+  namespaceSelector:
+    {{- toYaml .Values.namespaceSelector | nindent 4 }}
+  objectSelector:
+    {{- toYaml .Values.objectSelector | nindent 4 }}
   rules:
   - operations: ["CREATE"]
     apiGroups: [""]

diff --git a/helm/psa-restricted-patcher/values.yaml b/helm/psa-restricted-patcher/values.yaml
@@ -59,6 +59,10 @@ defaultGid: 1001
 defaultFsGroup: 1001
 # -- A list of regex patterns, that if matched, the pod passes through untouched 
 passthroughPatterns: []
+# -- Optional namespace selector: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
+namespaceSelector: {}
+# -- Optional object selector: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector
+objectSelector: {}
 resources:
   requests:
     memory: "64Mi"