From 3c88c57eadab91bef6a6c4b790695b09f116f8b0 Mon Sep 17 00:00:00 2001
From: bryopsida <8363252+bryopsida@users.noreply.github.com>
Date: Sat, 1 Jul 2023 13:17:25 -0500
Subject: [PATCH 1/2] add ability to configure timeout, reinvocationPolicy, and failure policy
---
 helm/psa-restricted-patcher/Chart.yaml | 2 +-
 helm/psa-restricted-patcher/README.md | 5 ++++-
 .../psa-restricted-patcher/templates/mutating-webhook.yaml | 5 +++--
 helm/psa-restricted-patcher/values.yaml | 7 ++++++-
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/helm/psa-restricted-patcher/Chart.yaml b/helm/psa-restricted-patcher/Chart.yaml
index 3c25122..8ba942b 100644
--- a/helm/psa-restricted-patcher/Chart.yaml
+++ b/helm/psa-restricted-patcher/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: psa-restricted-patcher
 description: Automatically patches pods on creation to conform to the pod security restricted profile
 type: application
-version: 0.5.0
+version: 0.6.0
 appVersion: "0.2.0"
 maintainers:
 - name: bryopsida
\ No newline at end of file
diff --git a/helm/psa-restricted-patcher/README.md b/helm/psa-restricted-patcher/README.md
index 72b95bf..cc5a6a1 100644
--- a/helm/psa-restricted-patcher/README.md
+++ b/helm/psa-restricted-patcher/README.md
@@ -1,6 +1,6 @@ # psa-restricted-patcher -![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square) Automatically patches pods on creation to conform to the pod security restricted profile 
@@ -27,6 +27,7 @@ Automatically patches pods on creation to conform to the pod security restricted
 | defaultFsGroup | int | `1001` | the default FS Groupd ID |
 | defaultGid | int | `1001` | The default Groupd ID |
 | defaultUid | int | `1001` | The default UID |
+| failurePolicy | string | `"Ignore"` | Control the fail open or closed behavior, default is ignore to avoid breaking a cluster, this hook is intended to automatically patch to conform to the restricted security policy, the security policy is the actual gate |
 | fullnameOverride | string | `""` | |
 | ignoredAnnotations | list | `[]` | provide an array of maps of annotations that when present on a pod, patcher will ignore mutating pod, if empty it will not ignore any pods |
 | image.pullPolicy | string | `"Always"` | |
@@ -41,6 +42,7 @@ Automatically patches pods on creation to conform to the pod security restricted
 | passthroughPatterns | list | `[]` | A list of regex patterns, that if matched, the pod passes through untouched |
 | podAnnotations | object | `{}` | |
 | podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| reinvocationPolicy | string | `"IfNeeded"` | ReinvocationPolicy can be Never or IfNeeded, this hook operates in a idempotent manner so IfNeeded is the default. |
 | replicaCount | int | `1` | |
 | resources.limits.cpu | string | `"0.2"` | |
 | resources.limits.memory | string | `"128Mi"` | |
@@ -57,6 +59,7 @@ Automatically patches pods on creation to conform to the pod security restricted | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | | targettedAnnotations | list | `[]` | provide an array of maps of annotations that when present on a pod, patcher will mutate pod, if empty it will mutate all pods | +| timeoutSeconds | int | `1` | amount of time to allot for the hook to respond, if failurePolicy is set to ignore the request will go through without modifying the resource | | tlsSecretName | string | `"psa-restricted-patcher"` | | | tolerations | list | `[]` | |
diff --git a/helm/psa-restricted-patcher/templates/mutating-webhook.yaml b/helm/psa-restricted-patcher/templates/mutating-webhook.yaml
index 0353904..d494514 100644
--- a/helm/psa-restricted-patcher/templates/mutating-webhook.yaml
+++ b/helm/psa-restricted-patcher/templates/mutating-webhook.yaml
@@ -6,8 +6,9 @@ webhooks:
 - name: {{ include "psa-restricted-patcher.fullname" . }}.{{ .Release.Namespace }}.svc
 admissionReviewVersions: ["v1"]
 sideEffects: None
- timeoutSeconds: 1
- failurePolicy: Ignore
+ timeoutSeconds: {{ .Values.timeSeconds | int }}
+ failurePolicy: {{ .Values.failurePolicy | quote }}
+ reinvocationPolicy: {{ .Values.reinvocationPolicy | quote }}
 rules:
 - operations: ["CREATE"]
 apiGroups: [""]
diff --git a/helm/psa-restricted-patcher/values.yaml b/helm/psa-restricted-patcher/values.yaml
index 2d7bc79..6b2b4f8 100644
--- a/helm/psa-restricted-patcher/values.yaml
+++ b/helm/psa-restricted-patcher/values.yaml
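Review bot: The three new `.Values` interpolations are rendered without any validation, so a misspelled or lowercase value such as `failurePolicy: ignore` or `reinvocationPolicy: ifneeded` only surfaces as the API server rejecting the whole MutatingWebhookConfiguration at install time, with no hint of which chart value is wrong. Because `failurePolicy: Fail` turns this patcher into a hard admission dependency for every pod it matches, a template-time guard also makes that choice explicit to whoever sets it: `{{- if not (has .Values.failurePolicy (list "Ignore" "Fail")) }}{{ fail "failurePolicy must be Ignore or Fail" }}{{- end }}` placed before the `webhooks:` list, and the same shape for `reinvocationPolicy` with `Never`/`IfNeeded`. The webhook list entry that starts at `- name:` continues beyond the end of the hunk.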
@@ -28,7 +28,12 @@ namespaceScoped: false
 podSecurityContext:
 seccompProfile:
 type: RuntimeDefault
-
+# -- amount of time to allot for the hook to respond, if failurePolicy is set to ignore the request will go through without modifying the resource
+timeoutSeconds: 1
+# -- Control the fail open or closed behavior, default is ignore to avoid breaking a cluster, this hook is intended to automatically patch to conform to the restricted security policy, the security policy is the actual gate
+failurePolicy: Ignore
+# -- ReinvocationPolicy can be Never or IfNeeded, this hook operates in a idempotent manner so IfNeeded is the default.
+reinvocationPolicy: IfNeeded
 securityContext:
 runAsUser: 1000
 runAsGroup: 1000
From 8de64c52f68d6a88ae5c84a17fac8df5f004782a Mon Sep 17 00:00:00 2001
From: bryopsida <8363252+bryopsida@users.noreply.github.com>
Date: Sat, 1 Jul 2023 13:28:36 -0500
Subject: [PATCH 2/2] fix incorrect value reference for timeoutSeconds
---
 helm/psa-restricted-patcher/templates/mutating-webhook.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/psa-restricted-patcher/templates/mutating-webhook.yaml b/helm/psa-restricted-patcher/templates/mutating-webhook.yaml
index d494514..580eff1 100644
--- a/helm/psa-restricted-patcher/templates/mutating-webhook.yaml
+++ b/helm/psa-restricted-patcher/templates/mutating-webhook.yaml
@@ -6,7 +6,7 @@ webhooks:
 - name: {{ include "psa-restricted-patcher.fullname" . }}.{{ .Release.Namespace }}.svc
 admissionReviewVersions: ["v1"]
 sideEffects: None
- timeoutSeconds: {{ .Values.timeSeconds | int }}
+ timeoutSeconds: {{ .Values.timeoutSeconds | int }}
 failurePolicy: {{ .Values.failurePolicy | quote }}
 reinvocationPolicy: {{ .Values.reinvocationPolicy | quote }}
 rules:
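Review bot: The `# --` comment on `timeoutSeconds` does not state the range the API server accepts for a webhook timeout (1 to 30 seconds), so an operator who sets 0 or 60 only learns about it when the install is rejected, and the `failurePolicy` comment names the intent but not the accepted spellings, unlike the `reinvocationPolicy` comment right below it. Suggested wording: `# -- seconds the API server waits for the hook (allowed range 1-30); with failurePolicy Ignore a timed-out request is admitted unmodified` and `# -- Control the fail open or closed behavior, valid values are Ignore or Fail (case-sensitive); Ignore is the default to avoid breaking a cluster, the restricted security policy remains the actual gate`. The README rows on this page carry the same text and presumably are generated from these comments, so they would follow automatically.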
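Review bot: With the reference corrected, `{{ .Values.timeoutSeconds | int }}` still renders `0` when the value is set to null or dropped from an override file, and the API server rejects a webhook timeout outside 1-30, so the problem appears as an install-time rejection of the webhook configuration rather than a chart error naming the value. A fallback keeps the fix robust: `timeoutSeconds: {{ .Values.timeoutSeconds | default 1 | int }}` (sprig `default` treats nil and 0 as empty), or `{{ required "timeoutSeconds is required" .Values.timeoutSeconds | int }}` if an explicit value should be mandatory. The webhook entry continues outside the hunk.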