Skip to content

Commit

Permalink
feat: allow webhook configuration (kyverno#143)
Browse files Browse the repository at this point in the history 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  • Loading branch information
@eddycharly
eddycharly authored Oct 25, 2024
1 parent aefe4d8 commit c5b16ce
Show file tree
Hide file tree
Showing 9 changed files with 89 additions and 22 deletions.
14 changes: 14 additions & 0 deletions .chainsaw.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/configuration-chainsaw-v1alpha2.json
apiVersion: chainsaw.kyverno.io/v1alpha2
kind: Configuration
metadata:
name: configuration
spec:
cleanup:
delayBeforeCleanup: 3s
discovery:
fullName: true
execution:
failFast: true
forceTerminationGracePeriod: 5s
parallel: 1
35 changes: 18 additions & 17 deletions charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,10 @@ metadata:
name: {{ template "kyverno.sidecar-injector.name" . }}
labels:
{{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
{{- with .Values.sidecarInjector.webhook.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
webhooks:
- name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
clientConfig:
Expand All @@ -33,24 +37,21 @@ webhooks:
namespace: {{ template "kyverno.namespace" . }}
path: "/mutate"
caBundle: {{ $ca.Cert | b64enc }}
failurePolicy: Fail
failurePolicy: {{ .Values.sidecarInjector.webhook.failurePolicy }}
sideEffects: None
admissionReviewVersions:
- v1
admissionReviewVersions: [ v1 ]
rules:
- apiGroups:
- ''
apiVersions:
- v1
resources:
- pods
operations:
- CREATE
scope: '*'
- apiGroups: [ '' ]
apiVersions: [ v1 ]
resources: [ pods ]
operations: [ CREATE ]
scope: '*'
{{- with .Values.sidecarInjector.webhook.objectSelector }}
objectSelector:
matchExpressions:
- key: kyverno-envoy-sidecar/injection
operator: In
values:
- enabled
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with .Values.sidecarInjector.webhook.namespaceSelector }}
namespaceSelector:
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- end -}}
20 changes: 20 additions & 0 deletions charts/kyverno-envoy-plugin/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ sidecarInjector:
create: true

serviceAccount:

# -- The ServiceAccount name
name:

Expand Down Expand Up @@ -119,6 +120,7 @@ sidecarInjector:
nodeAffinity: {}

containers:

injector:

image:
Expand Down Expand Up @@ -232,4 +234,22 @@ sidecarInjector:

webhook:

# -- Webhook annotations
annotations: {}
# example.com/annotation: value

# -- Webhook object selector
objectSelector: ~

# -- Webhook failure policy
failurePolicy: Fail

# -- Webhook namespace selector
namespaceSelector:
matchExpressions:
- key: kyverno-injection
operator: In
values:
- enabled

pdb:
6 changes: 5 additions & 1 deletion ...-test/sidecar-injector/chainsaw-test.yaml → ...ecar-injector/injected/chainsaw-test.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,12 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: sidecar-injector
name: injected
spec:
namespaceTemplate:
metadata:
labels:
kyverno-injection: enabled
steps:
- try:
- create:
Expand Down
2 changes: 0 additions & 2 deletions ...e2e-test/sidecar-injector/pod-assert.yaml → ...sidecar-injector/injected/pod-assert.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: pod
labels:
kyverno-envoy-sidecar/injection: enabled
spec:
containers:
- name: busybox
Expand Down
2 changes: 0 additions & 2 deletions tests/e2e-test/sidecar-injector/pod.yaml → ...e-test/sidecar-injector/injected/pod.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,6 @@ apiVersion: v1
kind: Pod
metadata:
name: pod
labels:
kyverno-envoy-sidecar/injection: enabled
spec:
containers:
- name: busybox
Expand Down
15 changes: 15 additions & 0 deletions tests/e2e-test/sidecar-injector/not-injected/chainsaw-test.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: not-injected
spec:
namespaceTemplate:
metadata:
labels:
kyverno-injection: disabled
steps:
- try:
- create:
file: ./pod.yaml
- assert:
file: ./pod-assert.yaml
6 changes: 6 additions & 0 deletions tests/e2e-test/sidecar-injector/not-injected/pod-assert.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
(length(containers)): 1
11 changes: 11 additions & 0 deletions tests/e2e-test/sidecar-injector/not-injected/pod.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: pod
spec:
containers:
- name: busybox
image: busybox
args:
- sleep
- 1d

0 comments on commit c5b16ce

Please sign in to comment.