ingress-nginx-helm/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml

{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: admission-webhook
    {{- with .Values.controller.admissionWebhooks.patch.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
{{- if .Values.podSecurityPolicy.enabled }}
  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
    resources:      ['podsecuritypolicies']
    verbs:          ['use']
    {{- with .Values.controller.admissionWebhooks.existingPsp }}
    resourceNames:  [{{ . }}]
    {{- else }}
    resourceNames:  [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
    {{- end }}
{{- end }}
{{- end }}
Chart: Make admission webhook patch job RBAC configurable. (#11376) * Add an option to skip rbac resources creation in helm chart for admission-webhooks (#11375) Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> * Add an option to skip rbac resources creation in helm chart update README (#11375) Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> * Add an option to skip serviceAccount resources creation in helm chart for admission-webhooks (#11375) Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> * Add helm chart tests for admission-webhooks (#11375) Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> * Chart make admission webhook patch job RBAC configurable (#11375) Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> --------- Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> Co-authored-by: Marco Ebert <marco_ebert@icloud.com> 2024-06-03 09:17:23 +00:00			`{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}}`
Start migration of helm chart (#5159) 2020-02-24 19:25:57 +00:00			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
Admission Webhook: Truncate name. (#10523) 2023-10-29 17:26:05 +00:00			`name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}`
Start migration of helm chart (#5159) 2020-02-24 19:25:57 +00:00			`annotations:`
			`"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade`
			`"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`
			`labels:`
Update helm templates to match new chart name 2020-02-28 14:53:24 +00:00			`{{- include "ingress-nginx.labels" . \| nindent 4 }}`
			`app.kubernetes.io/component: admission-webhook`
[Helm] Add labels to resources (#6992) * Add labels to RBAC resources * Add labels to all resources * Fix labels indentaton in patch jobs * Add controller and default backend labels to pods Signed-off-by: Muhammad Hamza Zaib <hamzazaib3202@gmail.com> * Bump chart version and update changelog Signed-off-by: Muhammad Hamza Zaib <hamzazaib3202@gmail.com> 2021-11-19 14:52:52 +00:00			`{{- with .Values.controller.admissionWebhooks.patch.labels }}`
			`{{- toYaml . \| nindent 4 }}`
			`{{- end }}`
Start migration of helm chart (#5159) 2020-02-24 19:25:57 +00:00			`rules:`
			`- apiGroups:`
			`- admissionregistration.k8s.io`
			`resources:`
			`- validatingwebhookconfigurations`
			`verbs:`
			`- get`
			`- update`
			`{{- if .Values.podSecurityPolicy.enabled }}`
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks..securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. Values: Tighten `defaultBackend.image`. 2023-11-07 17:52:36 +00:00			`- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]`
			`resources: ['podsecuritypolicies']`
			`verbs: ['use']`
Support existing PSPs in Helm chart 2021-02-24 00:31:56 +00:00			`{{- with .Values.controller.admissionWebhooks.existingPsp }}`
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks..securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. Values: Tighten `defaultBackend.image`. 2023-11-07 17:52:36 +00:00			`resourceNames: [{{ . }}]`
Support existing PSPs in Helm chart 2021-02-24 00:31:56 +00:00			`{{- else }}`
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks..securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. Values: Tighten `defaultBackend.image`. 2023-11-07 17:52:36 +00:00			`resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]`
Support existing PSPs in Helm chart 2021-02-24 00:31:56 +00:00			`{{- end }}`
Start migration of helm chart (#5159) 2020-02-24 19:25:57 +00:00			`{{- end }}`
			`{{- end }}`