Commit
Merge pull request #12 from bryopsida/11-add-configuration-of-reinvocationpolicy

Add ability to configure timeout, reinvocationPolicy, and failure policy
bryopsida authored Jul 1, 2023
2 parents 9bacb39 + 8de64c5 commit bfead00
Showing 4 changed files with 14 additions and 5 deletions.
2 changes: 1 addition & 1 deletion helm/psa-restricted-patcher/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: psa-restricted-patcher
description: Automatically patches pods on creation to conform to the pod security restricted profile
type: application
version: 0.5.0
version: 0.6.0
appVersion: "0.2.0"
maintainers:
- name: bryopsida
5 changes: 4 additions & 1 deletion helm/psa-restricted-patcher/README.md
@@ -1,6 +1,6 @@
# psa-restricted-patcher

![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square)
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square)

Automatically patches pods on creation to conform to the pod security restricted profile

@@ -27,6 +27,7 @@ Automatically patches pods on creation to conform to the pod security restricted
| defaultFsGroup | int | `1001` | the default FS Groupd ID |
| defaultGid | int | `1001` | The default Groupd ID |
| defaultUid | int | `1001` | The default UID |
| failurePolicy | string | `"Ignore"` | Control the fail open or closed behavior, default is ignore to avoid breaking a cluster, this hook is intended to automatically patch to conform to the restricted security policy, the security policy is the actual gate |
| fullnameOverride | string | `""` | |
| ignoredAnnotations | list | `[]` | provide an array of maps of annotations that when present on a pod, patcher will ignore mutating pod, if empty it will not ignore any pods |
| image.pullPolicy | string | `"Always"` | |
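Review bot: the new failurePolicy row should name the accepted values (`Ignore` or `Fail`, the way the reinvocationPolicy row does) and say plainly that `Ignore` is fail-open: when the hook is unreachable or times out, the pod is admitted unpatched, so the "security policy is the actual gate" rationale only holds in namespaces where Pod Security Admission actually enforces the restricted profile. The description is also one long run-on; split it into two or three sentences, e.g. "Controls fail-open (`Ignore`) or fail-closed (`Fail`) behaviour. Defaults to `Ignore` to avoid breaking a cluster; the pod security policy remains the real gate."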
@@ -41,6 +42,7 @@ Automatically patches pods on creation to conform to the pod security restricted
| passthroughPatterns | list | `[]` | A list of regex patterns, that if matched, the pod passes through untouched |
| podAnnotations | object | `{}` | |
| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| reinvocationPolicy | string | `"IfNeeded"` | ReinvocationPolicy can be Never or IfNeeded, this hook operates in a idempotent manner so IfNeeded is the default. |
| replicaCount | int | `1` | |
| resources.limits.cpu | string | `"0.2"` | |
| resources.limits.memory | string | `"128Mi"` | |
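Review bot: typo in the reinvocationPolicy row, "a idempotent" should be "an idempotent". It would also help operators to state what `IfNeeded` means in practice: the API server calls this hook a second time only if a later mutating webhook changes the pod, so the patch is re-applied to the final object rather than an intermediate one.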
@@ -57,6 +59,7 @@ Automatically patches pods on creation to conform to the pod security restricted
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `""` | |
| targettedAnnotations | list | `[]` | provide an array of maps of annotations that when present on a pod, patcher will mutate pod, if empty it will mutate all pods |
| timeoutSeconds | int | `1` | amount of time to allot for the hook to respond, if failurePolicy is set to ignore the request will go through without modifying the resource |
| tlsSecretName | string | `"psa-restricted-patcher"` | |
| tolerations | list | `[]` | |
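Review bot: the timeoutSeconds row should document the range the API server accepts for a webhook timeout (1 to 30 seconds) and flag that the default of `1` is aggressive now that it is configurable: paired with `failurePolicy: Fail` a slow hook blocks pod creation, and paired with `Ignore` a slow hook silently yields unpatched pods. The row also writes "ignore" where the actual value is `Ignore`.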

5 changes: 3 additions & 2 deletions helm/psa-restricted-patcher/templates/mutating-webhook.yaml
@@ -6,8 +6,9 @@ webhooks:
- name: {{ include "psa-restricted-patcher.fullname" . }}.{{ .Release.Namespace }}.svc
admissionReviewVersions: ["v1"]
sideEffects: None
timeoutSeconds: 1
failurePolicy: Ignore
timeoutSeconds: {{ .Values.timeoutSeconds | int }}
failurePolicy: {{ .Values.failurePolicy | quote }}
reinvocationPolicy: {{ .Values.reinvocationPolicy | quote }}
rules:
- operations: ["CREATE"]
apiGroups: [""]
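Review bot: nothing validates the three new values before they reach the API server, so a wrong-case value such as `fail` or `ifneeded` only surfaces as an install-time rejection of the MutatingWebhookConfiguration with a less than obvious message. Consider a template guard next to these lines, e.g. `{{- if not (has .Values.failurePolicy (list "Ignore" "Fail")) }}{{ fail "failurePolicy must be Ignore or Fail" }}{{- end }}` and the same for reinvocationPolicy with `Never`/`IfNeeded`, or an enum in a values.schema.json. The `| int` and `| quote` pipes themselves are fine.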
7 changes: 6 additions & 1 deletion helm/psa-restricted-patcher/values.yaml
@@ -28,7 +28,12 @@ namespaceScoped: false
podSecurityContext:
seccompProfile:
type: RuntimeDefault

# -- amount of time to allot for the hook to respond, if failurePolicy is set to ignore the request will go through without modifying the resource
timeoutSeconds: 1
# -- Control the fail open or closed behavior, default is ignore to avoid breaking a cluster, this hook is intended to automatically patch to conform to the restricted security policy, the security policy is the actual gate
failurePolicy: Ignore
# -- ReinvocationPolicy can be Never or IfNeeded, this hook operates in a idempotent manner so IfNeeded is the default.
reinvocationPolicy: IfNeeded
securityContext:
runAsUser: 1000
runAsGroup: 1000
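Review bot: the README table text matches these `# --` comments word for word, so they look helm-docs generated; fix the wording here so the README picks it up. Specifically: "a idempotent" should be "an idempotent", the failurePolicy comment should list the accepted values (`Ignore` or `Fail`) and split its run-on sentence, and the timeoutSeconds comment should use the literal value `Ignore` rather than "ignore".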