Merge pull request #4 from bryopsida/add-option-for-namespace-scoping

Add toggle for hook scope
bryopsida · Jul 1, 2023 · b866ef0 · b866ef0
2 parents 615e38a + 111681e
commit b866ef0
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 3 deletions.
diff --git a/helm/psa-restricted-patcher/Chart.yaml b/helm/psa-restricted-patcher/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: psa-restricted-patcher
 description: Automatically patches pods on creation to conform to the pod security restricted profile
 type: application
-version: 0.3.0
+version: 0.4.0
 appVersion: "0.1.0"
 maintainers:
   - name: bryopsida
diff --git a/helm/psa-restricted-patcher/README.md b/helm/psa-restricted-patcher/README.md
@@ -1,6 +1,6 @@
 # psa-restricted-patcher
 
-![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
 
 Automatically patches pods on creation to conform to the pod security restricted profile
 
@@ -34,6 +34,7 @@ Automatically patches pods on creation to conform to the pod security restricted
 | imagePullSecrets | list | `[]` |  |
 | logLevel | string | `"info"` |  |
 | nameOverride | string | `""` |  |
+| namespaceScoped | bool | `false` | If true, scopes the webhook to the namespace the webhook is deployed. |
 | namespaces | list | `[]` | The namespaces to automatically patch, if empty it will patch all namespaces |
 | nodeSelector | object | `{}` |  |
 | passthroughPatterns | list | `[]` | A list of regex patterns, that if matched, the pod passes through untouched  |

diff --git a/helm/psa-restricted-patcher/templates/mutating-webhook.yaml b/helm/psa-restricted-patcher/templates/mutating-webhook.yaml
@@ -13,7 +13,11 @@ webhooks:
     apiGroups: [""]
     apiVersions: ["v1"]
     resources: ["pods"]
+    {{- if .Values.namespaceScoped }}
+    scope: "Namespaced"
+    {{- else }}
     scope: "*"
+    {{- end }}
   clientConfig:
     {{- /* if this is an upgrade and cm is enabled, and it's a self signed issuer, enforce hookCaBundle being set */}}
     {{- if and .Release.IsUpgrade .Values.certmanager.enabled .Values.certmanager.useSelfSignedIssuer }}

diff --git a/helm/psa-restricted-patcher/values.yaml b/helm/psa-restricted-patcher/values.yaml
@@ -16,7 +16,8 @@ serviceAccount:
   name: ""
 
 podAnnotations: {}
-
+# -- If true, scopes the webhook to the namespace the webhook is deployed.
+namespaceScoped: false
 podSecurityContext:
   seccompProfile:
     type: RuntimeDefault