diff --git a/deploy/base/profiles/kustomization.yaml b/deploy/base/profiles/kustomization.yaml
new file mode 100644
index 0000000000..4185cd50ac
--- /dev/null
+++ b/deploy/base/profiles/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+sortOptions:
+ order: legacy
+
+resources:
+- spo-apparmor.yaml
+- bpfrecorder-apparmor.yaml
diff --git a/deploy/helm/templates/static-resources.yaml b/deploy/helm/templates/static-resources.yaml
index d496b4be2e..af1cc7f7fe 100644
--- a/deploy/helm/templates/static-resources.yaml
+++ b/deploy/helm/templates/static-resources.yaml
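Review bot: The `sortOptions.order: legacy` setting in the new kustomization is left unexplained, and with only two profile manifests listed its effect is not obvious from this file; a comment above it such as `# legacy: emit resources sorted by kind (kustomize's old default) rather than in listed (fifo) order` would record the intent for whoever later adds profiles of a different kind. The two referenced manifests, `spo-apparmor.yaml` and `bpfrecorder-apparmor.yaml`, are not part of this hunk, so their contents cannot be reviewed here and are presumably added elsewhere in the commit.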
@@ -1,53 +1,2535 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app: '{{.Release.Name}}' + name: selfsigned-issuer + namespace: '{{ .Release.Namespace }}' +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app: '{{.Release.Name}}' + name: webhook-cert + namespace: '{{ .Release.Namespace }}' +spec: + dnsNames: + - webhook-service.{{.Release.Namespace}}.svc + - webhook-service.{{.Release.Namespace}}.svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: webhook-server-cert +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . }}-webhook' + namespace: '{{ .Release.Namespace }}' +spec: + replicas: '{{ .Values.replicaCount }}' + selector: + matchLabels: + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . }}-webhook' + template: + metadata: + annotations: + openshift.io/scc: privileged + labels: + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . 
}}-webhook' + spec: + containers: + - args: + - webhook + env: + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: gcr.io/k8s-staging-sp-operator/security-profiles-operator:latest + imagePullPolicy: Always + name: security-profiles-operator + ports: + - containerPort: 9443 + name: webhook + protocol: TCP + resources: + limits: + cpu: 500m + memory: 64Mi + requests: + cpu: 250m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: spo-webhook + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- apiVersion: v1 -kind: ServiceAccount +kind: Service +metadata: + labels: + app: '{{.Release.Name}}' + name: webhook-service + name: webhook-service + namespace: '{{ .Release.Namespace }}' +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9443 + selector: + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . 
}}-webhook' +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app: '{{.Release.Name}}' + name: metrics-cert + namespace: '{{ .Release.Namespace }}' +spec: + dnsNames: + - metrics.{{.Release.Namespace}} + - metrics.{{.Release.Namespace}}.svc + - metrics.{{.Release.Namespace}}.svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: metrics-server-cert + subject: + organizations: + - security-profiles-operator +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + labels: + app: '{{.Release.Name}}' + name: profilebindings.security-profiles-operator.x-k8s.io +spec: + group: security-profiles-operator.x-k8s.io + names: + kind: ProfileBinding + listKind: ProfileBindingList + plural: profilebindings + singular: profilebinding + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ProfileBinding is the Schema for the profilebindings API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProfileBindingSpec defines the desired state of ProfileBinding. + properties: + image: + description: |- + Image name within pod containers to match to the profile. 
+ Use the "*" string to bind the profile to all pods. + type: string + profileRef: + description: ProfileRef references a SeccompProfile or other profile + type in the current namespace. + properties: + kind: + description: Kind of object to be bound. + enum: + - SeccompProfile + - SelinuxProfile + type: string + name: + description: Name of the profile within the current namespace + to which to bind the selected pods. + type: string + required: + - kind + - name + type: object + required: + - image + - profileRef + type: object + status: + description: ProfileBindingStatus contains status of the Profilebinding. + properties: + activeWorkloads: + items: + type: string + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + labels: + app: '{{.Release.Name}}' + name: profilerecordings.security-profiles-operator.x-k8s.io +spec: + group: security-profiles-operator.x-k8s.io + names: + kind: ProfileRecording + listKind: ProfileRecordingList + plural: profilerecordings + singular: profilerecording + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.podSelector + name: PodSelector + priority: 10 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProfileRecording is the Schema for the profilerecordings API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProfileRecordingSpec defines the desired state of ProfileRecording. + properties: + containers: + description: |- + Containers is a set of containers to record. This allows to select + only specific containers to record instead of all containers present + in the pod. + items: + type: string + type: array + disableProfileAfterRecording: + default: false + description: |- + DisableProfileAfterRecording indicates whether the profile should be disabled + after recording and thus skipped during reconcile. In case of SELinux profiles, + reconcile can take a significant amount of time and for all profiles might not be needed. + This Defaults to false. + type: boolean + kind: + description: Kind of object to be recorded. + enum: + - SeccompProfile + - SelinuxProfile + - ApparmorProfile + type: string + mergeStrategy: + default: none + description: |- + Whether or how to merge recorded profiles. Can be one of "none" or "containers". + Default is "none". + enum: + - none + - containers + type: string + podSelector: + description: |- + PodSelector selects the pods to record. This field follows standard + label selector semantics. An empty podSelector matches all pods in this + namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. 
+ Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + recorder: + description: Recorder to be used. + enum: + - bpf + - logs + type: string + required: + - kind + - podSelector + - recorder + type: object + status: + description: ProfileRecordingStatus contains status of the ProfileRecording. 
+ properties: + activeWorkloads: + items: + type: string + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + labels: + app: '{{.Release.Name}}' + name: seccompprofiles.security-profiles-operator.x-k8s.io +spec: + group: security-profiles-operator.x-k8s.io + names: + kind: SeccompProfile + listKind: SeccompProfileList + plural: seccompprofiles + shortNames: + - sp + singular: seccompprofile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.localhostProfile + name: LocalhostProfile + priority: 10 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + SeccompProfile is a cluster level specification for a seccomp profile. + See https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SeccompProfileSpec defines the desired state of SeccompProfile. 
+ properties: + architectures: + description: the architecture used for system calls + items: + enum: + - SCMP_ARCH_NATIVE + - SCMP_ARCH_X86 + - SCMP_ARCH_X86_64 + - SCMP_ARCH_X32 + - SCMP_ARCH_ARM + - SCMP_ARCH_AARCH64 + - SCMP_ARCH_MIPS + - SCMP_ARCH_MIPS64 + - SCMP_ARCH_MIPS64N32 + - SCMP_ARCH_MIPSEL + - SCMP_ARCH_MIPSEL64 + - SCMP_ARCH_MIPSEL64N32 + - SCMP_ARCH_PPC + - SCMP_ARCH_PPC64 + - SCMP_ARCH_PPC64LE + - SCMP_ARCH_S390 + - SCMP_ARCH_S390X + - SCMP_ARCH_PARISC + - SCMP_ARCH_PARISC64 + - SCMP_ARCH_RISCV64 + type: string + type: array + baseProfileName: + description: |- + BaseProfileName is the name of base profile (in the same namespace) that + will be unioned into this profile. Base profiles can be references as + remote OCI artifacts as well when prefixed with `oci://`. + type: string + defaultAction: + description: the default action for seccomp + enum: + - SCMP_ACT_KILL + - SCMP_ACT_KILL_PROCESS + - SCMP_ACT_KILL_THREAD + - SCMP_ACT_TRAP + - SCMP_ACT_ERRNO + - SCMP_ACT_TRACE + - SCMP_ACT_ALLOW + - SCMP_ACT_LOG + - SCMP_ACT_NOTIFY + type: string + disabled: + default: false + description: Whether the profile is disabled and should be skipped + during reconciliation. + type: boolean + flags: + description: list of flags to use with seccomp(2) + items: + enum: + - SECCOMP_FILTER_FLAG_TSYNC + - SECCOMP_FILTER_FLAG_LOG + - SECCOMP_FILTER_FLAG_SPEC_ALLOW + - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV + type: string + type: array + listenerMetadata: + description: opaque data to pass to the seccomp agent + type: string + listenerPath: + description: path of UNIX domain socket to contact a seccomp agent + for SCMP_ACT_NOTIFY + type: string + syscalls: + description: |- + match a syscall in seccomp. While this property is OPTIONAL, some values + of defaultAction are not useful without syscalls entries. 
For example, + if defaultAction is SCMP_ACT_KILL and syscalls is empty or unset, the + kernel will kill the container process on its first syscall + items: + description: Syscall defines a syscall in seccomp. + properties: + action: + description: the action for seccomp rules + enum: + - SCMP_ACT_KILL + - SCMP_ACT_KILL_PROCESS + - SCMP_ACT_KILL_THREAD + - SCMP_ACT_TRAP + - SCMP_ACT_ERRNO + - SCMP_ACT_TRACE + - SCMP_ACT_ALLOW + - SCMP_ACT_LOG + - SCMP_ACT_NOTIFY + type: string + args: + description: the specific syscall in seccomp + items: + description: Arg defines the specific syscall in seccomp. + properties: + index: + description: the index for syscall arguments in seccomp + minimum: 0 + type: integer + op: + description: the operator for syscall arguments in seccomp + enum: + - SCMP_CMP_NE + - SCMP_CMP_LT + - SCMP_CMP_LE + - SCMP_CMP_EQ + - SCMP_CMP_GE + - SCMP_CMP_GT + - SCMP_CMP_MASKED_EQ + type: string + value: + description: the value for syscall arguments in seccomp + format: int64 + minimum: 0 + type: integer + valueTwo: + description: the value for syscall arguments in seccomp + format: int64 + minimum: 0 + type: integer + required: + - index + - op + type: object + maxItems: 6 + type: array + errnoRet: + description: |- + the errno return code to use. Some actions like SCMP_ACT_ERRNO and + SCMP_ACT_TRACE allow to specify the errno code to return + type: integer + names: + description: the names of the syscalls + items: + type: string + type: array + required: + - action + - names + type: object + type: array + required: + - defaultAction + type: object + status: + description: SeccompProfileStatus contains status of the deployed SeccompProfile. + properties: + activeWorkloads: + items: + type: string + type: array + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. 
+ properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + localhostProfile: + description: |- + The path that should be provided to the `securityContext.seccompProfile.localhostProfile` + field of a Pod or container spec + type: string + path: + type: string + status: + description: |- + ProfileState defines the state that the profile is in. A profile in this context + refers to a SeccompProfile or a SELinux profile, the states are shared between them + as well as the management API. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + labels: + app: '{{.Release.Name}}' + name: securityprofilenodestatuses.security-profiles-operator.x-k8s.io +spec: + group: security-profiles-operator.x-k8s.io + names: + kind: SecurityProfileNodeStatus + listKind: SecurityProfileNodeStatusList + plural: securityprofilenodestatuses + shortNames: + - spns + singular: securityprofilenodestatus + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .nodeName + name: Node + priority: 10 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: SecurityProfileNodeStatus is a per-node status of a security + profile + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + nodeName: + type: string + spec: + type: object + status: + description: |- + ProfileState defines the state that the profile is in. A profile in this context + refers to a SeccompProfile or a SELinux profile, the states are shared between them + as well as the management API. 
+ type: string + required: + - nodeName + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + labels: + app: '{{.Release.Name}}' + name: securityprofilesoperatordaemons.security-profiles-operator.x-k8s.io +spec: + group: security-profiles-operator.x-k8s.io + names: + kind: SecurityProfilesOperatorDaemon + listKind: SecurityProfilesOperatorDaemonList + plural: securityprofilesoperatordaemons + shortNames: + - spod + singular: securityprofilesoperatordaemon + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: SecurityProfilesOperatorDaemon is the Schema to configure the + spod deployment. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SPODStatus defines the desired state of SPOD. + properties: + affinity: + description: Affinity if specified, the SPOD's affinity. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. 
A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. 
+ for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. 
+ The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + allowedSeccompActions: + description: AllowedSeccompActions if specified, a list of allowed + seccomp actions. + items: + description: Action taken upon Seccomp rule match + type: string + type: array + allowedSyscalls: + description: |- + AllowedSyscalls if specified, a list of system calls which are allowed + in seccomp profiles. + items: + type: string + type: array + daemonResourceRequirements: + description: |- + DaemonResourceRequirements if defined, overwrites the default resource requirements + of SPOD daemon. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + disableOciArtifactSignatureVerification: + description: |- + DisableOCIArtifactSignatureVerification can be used to disable OCI + artifact signature verification. + type: boolean + enableAppArmor: + description: |- + tells the operator whether or not to enable AppArmor support for this + SPOD instance. + type: boolean + enableBpfRecorder: + description: |- + tells the operator whether or not to enable bpf recorder support for this + SPOD instance. + type: boolean + enableLogEnricher: + description: |- + tells the operator whether or not to enable log enrichment support for this + SPOD instance. 
+ type: boolean + enableMemoryOptimization: + description: |- + EnableMemoryOptimization enables memory optimization in the controller + running inside of SPOD instance and watching for pods in the cluster. + This will make the controller loading in the cache memory only the pods + labelled explicitly for profile recording with 'spo.x-k8s.io/enable-recording=true'. + type: boolean + enableProfiling: + description: |- + EnableProfiling tells the operator whether or not to enable profiling + support for this SPOD instance. + type: boolean + enableSelinux: + description: |- + tells the operator whether or not to enable SELinux support for this + SPOD instance. + type: boolean + hostProcVolumePath: + description: |- + HostProcVolumePath is the path for specifying a custom host /proc + volume, which is required for the log-enricher as well as bpf-recorder + to retrieve the container ID for a process ID. This can be helpful for + nested environments, for example when using "kind". + type: string + imagePullSecrets: + description: |- + ImagePullSecrets if defined, list of references to secrets in the security-profiles-operator's + namespace to use for pulling the images from SPOD pod from a private registry. + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + type: array + priorityClassName: + default: system-node-critical + description: PriorityClassName if defined, indicates the spod pod + priority class. 
+ type: string + selinuxOptions: + description: |- + Defines options specific to the SELinux + functionality of the SecurityProfilesOperator + properties: + allowedSystemProfiles: + default: + - container + description: |- + Lists the profiles coming from the system itself that are + allowed to be inherited by workloads. Use this with care, + as this might provide a lot of permissions depending on the + policy. + items: + type: string + type: array + type: object + selinuxTypeTag: + default: spc_t + description: If specified, the SELinux type tag applied to the security + context of SPOD. + type: string + staticWebhookConfig: + description: |- + StaticWebhookConfig indicates whether the webhook configuration and its + related resources are statically deployed. In this case, the operator will + not create or update the webhook configuration and its related resources. + type: boolean + tolerations: + description: If specified, the SPOD's tolerations. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + verbosity: + description: Verbosity specifies the logging verbosity of the daemon. + type: integer + webhookOptions: + description: |- + WebhookOpts set custom namespace selectors and failure mode for + SPO's webhooks + items: + properties: + failurePolicy: + description: FailurePolicy sets the webhook failure policy + type: string + name: + description: Name specifies which webhook do we configure + type: string + namespaceSelector: + description: NamespaceSelector sets webhook's namespace selector + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + objectSelector: + description: ObjectSelector sets webhook's object selector + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array + type: object + status: + description: SPODStatus defines the observed state of SPOD. + properties: + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + state: + description: |- + Represents the state that the policy is in. 
Can be: + PENDING, IN-PROGRESS, RUNNING or ERROR + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + labels: + app: '{{.Release.Name}}' + name: rawselinuxprofiles.security-profiles-operator.x-k8s.io +spec: + group: security-profiles-operator.x-k8s.io + names: + kind: RawSelinuxProfile + listKind: RawSelinuxProfileList + plural: rawselinuxprofiles + singular: rawselinuxprofile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.usage + name: Usage + type: string + - jsonPath: .status.status + name: State + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: RawSelinuxProfile is the Schema for the rawselinuxprofiles API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: RawSelinuxProfileSpec defines the desired state of RawSelinuxProfile. + properties: + disabled: + default: false + description: Whether the profile is disabled and should be skipped + during reconciliation. + type: boolean + policy: + type: string + type: object + status: + description: SelinuxProfileStatus defines the observed state of SelinuxProfile. 
+ properties: + activeWorkloads: + items: + type: string + type: array + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + status: + description: |- + ProfileState defines the state that the profile is in. A profile in this context + refers to a SeccompProfile or a SELinux profile, the states are shared between them + as well as the management API. + type: string + usage: + description: |- + Represents the string that the SelinuxProfile object can be + referenced as in a pod seLinuxOptions section. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.2 + labels: + app: '{{.Release.Name}}' + name: selinuxprofiles.security-profiles-operator.x-k8s.io +spec: + group: security-profiles-operator.x-k8s.io + names: + kind: SelinuxProfile + listKind: SelinuxProfileList + plural: selinuxprofiles + singular: selinuxprofile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.usage + name: Usage + type: string + - jsonPath: .status.status + name: State + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: SelinuxProfile is the Schema for the selinuxprofiles API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SelinuxProfileSpec defines the desired state of SelinuxProfile. + properties: + allow: + additionalProperties: + additionalProperties: + items: + type: string + type: array + type: object + description: Defines the allow policy for the profile + type: object + disabled: + default: false + description: Whether the profile is disabled and should be skipped + during reconciliation. 
+ type: boolean + inherit: + default: + - kind: System + name: container + description: |- + A SELinuxProfile or set of profiles that this inherits from. + Note that they need to be in the same namespace. + items: + properties: + kind: + default: System + description: |- + The Kind of the policy that this inherits from. + Can be a SelinuxProfile object Or "System" if an already + installed policy will be used. + The allowed "System" policies are available in the + SecurityProfilesOperatorDaemon instance. + enum: + - System + - SelinuxProfile + type: string + name: + description: The name of the policy that this inherits from. + type: string + required: + - name + type: object + type: array + permissive: + default: false + description: |- + Permissive, when true will cause the SELinux profile to only + log violations instead of enforcing them. + type: boolean + type: object + status: + description: SelinuxProfileStatus defines the observed state of SelinuxProfile. + properties: + activeWorkloads: + items: + type: string + type: array + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. 
+ type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + status: + description: |- + ProfileState defines the state that the profile is in. A profile in this context + refers to a SeccompProfile or a SELinux profile, the states are shared between them + as well as the management API. + type: string + usage: + description: |- + Represents the string that the SelinuxProfile object can be + referenced as in a pod seLinuxOptions section. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' + controller-gen.kubebuilder.io/version: v0.17.2 labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator - name: security-profiles-operator + app: '{{.Release.Name}}' + name: apparmorprofiles.security-profiles-operator.x-k8s.io +spec: + group: security-profiles-operator.x-k8s.io + names: + kind: AppArmorProfile + listKind: AppArmorProfileList + plural: apparmorprofiles + shortNames: + - aa + singular: apparmorprofile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: AppArmorProfile is a cluster level specification for an AppArmor + profile. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AppArmorProfileSpec defines the desired state of AppArmorProfile. + properties: + abstract: + description: Abstract stores the apparmor profile allow lists for + executable, file, network and capabilities access. + properties: + capability: + description: Capability rules for Linux capabilities. + properties: + allowedCapabilities: + description: AllowedCapabilities lost of allowed capabilities. + items: + type: string + type: array + type: object + executable: + description: Executable rules for allowed executables. + properties: + allowedExecutables: + description: AllowedExecutables list of allowed executables. + items: + type: string + type: array + allowedLibraries: + description: AllowedLibraries list of allowed libraries. + items: + type: string + type: array + type: object + filesystem: + description: Filesystem rules for filesystem access. + properties: + readOnlyPaths: + description: ReadOnlyPaths list of allowed read only file + paths. + items: + type: string + type: array + readWritePaths: + description: ReadWritePaths list of allowed read write file + paths. + items: + type: string + type: array + writeOnlyPaths: + description: WriteOnlyPaths list of allowed write only file + paths. + items: + type: string + type: array + type: object + network: + description: Network rules for network access. + properties: + allowRaw: + description: AllowRaw allows raw sockets. 
+ type: boolean + allowedProtocols: + description: Protocols keeps the allowed networking protocols. + properties: + allowTcp: + description: AllowTCP allows TCP socket connections. + type: boolean + allowUdp: + description: AllowUDP allows UDP sockets connections. + type: boolean + type: object + type: object + type: object + complainMode: + description: |- + ComplainMode places the apparmor profile into "complain" mode, by default is placed in "enforce" mode. + In complain mode, if a given action is not allowed, it will be allowed, but this violation will be + logged with a tag of access being "ALLOWED unconfined". + type: boolean + disabled: + default: false + description: Whether the profile is disabled and should be skipped + during reconciliation. + type: boolean + type: object + status: + description: AppArmorProfileStatus defines the observed state of AppArmorProfile. + properties: + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + status: + description: |- + ProfileState defines the state that the profile is in. 
A profile in this context + refers to a SeccompProfile or a SELinux profile, the states are shared between them + as well as the management API. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . }}' namespace: '{{ .Release.Namespace }}' --- apiVersion: v1 kind: ServiceAccount metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spod namespace: '{{ .Release.Namespace }}' --- apiVersion: v1 kind: ServiceAccount metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spo-webhook namespace: '{{ .Release.Namespace }}' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator - name: security-profiles-operator + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . }}' rules: - apiGroups: - "" @@ -72,17 +2554,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resources: - - services - verbs: - - create - - get - - list - - patch - - update - - watch - apiGroups: - admissionregistration.k8s.io resources: 
@@ -237,14 +2708,9 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator - name: security-profiles-operator + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . }}' namespace: '{{ .Release.Namespace }}' rules: - apiGroups: @@ -265,13 +2731,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spod rules: - apiGroups: @@ -376,13 +2837,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spod namespace: '{{ .Release.Namespace }}' rules: @@ -396,13 +2852,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spo-webhook rules: - apiGroups: 
@@ -463,13 +2914,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spo-webhook namespace: '{{ .Release.Namespace }}' rules: 
@@ -499,54 +2945,39 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator - name: security-profiles-operator + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . }}' roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: security-profiles-operator + name: '{{ include "security-profiles-operator.name" . }}' subjects: - kind: ServiceAccount - name: security-profiles-operator + name: '{{ include "security-profiles-operator.name" . }}' namespace: '{{ .Release.Namespace }}' --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator - name: security-profiles-operator + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . }}' namespace: '{{ .Release.Namespace }}' roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: security-profiles-operator + name: '{{ include "security-profiles-operator.name" . }}' subjects: - kind: ServiceAccount - name: security-profiles-operator + name: '{{ include "security-profiles-operator.name" . 
}}' namespace: '{{ .Release.Namespace }}' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spod roleRef: apiGroup: rbac.authorization.k8s.io @@ -560,13 +2991,8 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spod namespace: '{{ .Release.Namespace }}' roleRef: @@ -581,13 +3007,8 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spo-webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -601,13 +3022,8 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spo-webhook namespace: '{{ .Release.Namespace }}' roleRef: 
@@ -623,24 +3039,87 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' + cert-manager.io/inject-ca-from: '{{.Release.Namespace}}/webhook-cert' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spo-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: '{{ .Release.Namespace }}' + path: /mutate-v1-pod-binding + failurePolicy: Fail + name: binding.spo.io + namespaceSelector: + matchExpressions: + - key: spo.x-k8s.io/enable-binding + operator: Exists + objectSelector: + matchExpressions: + - key: name + operator: NotIn + values: + - '{{ include "security-profiles-operator.name" . }}' + - '{{ include "security-profiles-operator.name" . }}-webhook' + rules: + - apiGroups: + - '*' + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - pods + sideEffects: None + timeoutSeconds: 5 +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: '{{ .Release.Namespace }}' + path: /mutate-v1-pod-recording + failurePolicy: Fail + name: recording.spo.io + namespaceSelector: + matchExpressions: + - key: spo.x-k8s.io/enable-recording + operator: Exists + objectSelector: + matchExpressions: + - key: name + operator: NotIn + values: + - '{{ include "security-profiles-operator.name" . }}' + - '{{ include "security-profiles-operator.name" . 
}}-webhook' + rules: + - apiGroups: + - '*' + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - pods + sideEffects: None + timeoutSeconds: 5 --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spo-metrics-client rules: - nonResourceURLs: @@ -652,13 +3131,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: spo-metrics-client roleRef: apiGroup: rbac.authorization.k8s.io @@ -674,12 +3148,8 @@ kind: Secret metadata: annotations: kubernetes.io/service-account.name: default - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: metrics-token namespace: '{{ .Release.Namespace }}' type: kubernetes.io/service-account-token 
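Review bot: The self-exclusion in both `objectSelector` entries keys on a plain `name` pod label (`key: name, operator: NotIn`), which any pod author in a namespace carrying `spo.x-k8s.io/enable-binding` or `spo.x-k8s.io/enable-recording` can set to `security-profiles-operator` and thereby skip the binding/recording mutation entirely, while `failurePolicy: Fail` suggests the intent was strict enforcement. If the exclusion only exists to keep the operator's own pods from deadlocking the webhook, excluding the release namespace in `namespaceSelector` (e.g. `key: kubernetes.io/metadata.name, operator: NotIn, values: ['{{ .Release.Namespace }}']`, which a pod author cannot influence) is harder to spoof than a pod label; at minimum a comment above the selector should state that the label exclusion is a self-deadlock guard, not an enforcement boundary. `admissionReviewVersions` lists `v1beta1` ahead of `v1`; v1beta1 admission review was removed in Kubernetes 1.22, so ordering `v1` first (or dropping `v1beta1`) avoids depending on a retired version. The placeholder `caBundle: Cg==` is only valid because of the `cert-manager.io/inject-ca-from` annotation on the same object, which is worth a comment so a later edit does not remove one without the other.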
@@ -1069,12 +3539,174 @@ data: disabled: false kind: ConfigMap metadata: - annotations: - meta.helm.sh/release-name: security-profiles-operator - meta.helm.sh/release-namespace: '{{ .Release.Namespace }}' labels: - app: security-profiles-operator - app.kubernetes.io/managed-by: Helm - helm.sh/chart: security-profiles-operator + app: '{{.Release.Name}}' name: security-profiles-operator-profile namespace: '{{ .Release.Namespace }}' +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . }}' + namespace: '{{ .Release.Namespace }}' +spec: + replicas: '{{ .Values.replicaCount }}' + selector: + matchLabels: + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . }}' + template: + metadata: + labels: + app: '{{.Release.Name}}' + name: '{{ include "security-profiles-operator.name" . }}' + spec: + containers: + - args: + - manager + - --webhook=false + env: + - name: RELATED_IMAGE_SELINUXD + value: quay.io/security-profiles-operator/selinuxd + - name: RELATED_IMAGE_SELINUXD_EL8 + value: quay.io/security-profiles-operator/selinuxd-el8:latest + - name: RELATED_IMAGE_SELINUXD_EL9 + value: quay.io/security-profiles-operator/selinuxd-el9:latest + - name: RELATED_IMAGE_SELINUXD_FEDORA + value: quay.io/security-profiles-operator/selinuxd-fedora:latest + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.annotations['olm.targetNamespaces'] + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: KUBELET_DIR + value: /var/lib/kubelet + image: gcr.io/k8s-staging-sp-operator/security-profiles-operator:latest + imagePullPolicy: Always + name: security-profiles-operator + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 250m + memory: 50Mi + securityContext: + allowPrivilegeEscalation: false + 
readOnlyRootFilesystem: true + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: '{{ include "security-profiles-operator.name" . }}' + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists +--- +apiVersion: security-profiles-operator.x-k8s.io/v1alpha1 +kind: AppArmorProfile +metadata: + labels: + app: '{{.Release.Name}}' + spo.x-k8s.io/container-id: security-profiles-operator + name: spo-apparmor + namespace: '{{ .Release.Namespace }}' +spec: + abstract: + capability: + allowedCapabilities: + - dac_override + - dac_read_search + - mac_admin + - sys_admin + - sys_chroot + executable: + allowedExecutables: + - /security-profiles-operator + - /usr/sbin/apparmor_parser + filesystem: + readOnlyPaths: + - / + - /etc/apparmor/parser.conf + - /proc/@{pid}/maps + - /proc/@{pid}/mounts + - /proc/sys/kernel/osrelease + - /proc/sys/net/core/somaxconn + - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size + - /var/run/secrets/kubernetes.io/serviceaccount/** + - /var/run/secrets/metrics/** + - /sys/module/apparmor/parameters/enabled + - /sys/devices/system/cpu/possible + readWritePaths: + - 'ptrace (read), # ugly template injection hack' + - /var/run/grpc/metrics.sock + - /tmp/aa_profile_bin_* + - /etc/apparmor.d/** + - /sys/kernel/security/apparmor/ + - /sys/kernel/security/apparmor/** + - /var/lib/kubelet/seccomp/operator/** + network: + allowedProtocols: + allowTcp: true + allowUdp: true + disabled: false +--- +apiVersion: security-profiles-operator.x-k8s.io/v1alpha1 +kind: AppArmorProfile +metadata: + labels: + app: '{{.Release.Name}}' + spo.x-k8s.io/container-id: bpf-recorder + name: bpfrecorder-apparmor + namespace: '{{ .Release.Namespace }}' +spec: + abstract: + capability: + allowedCapabilities: + - bpf + - chown + - perfmon + - sys_resource 
+ executable: + allowedExecutables: + - /security-profiles-operator + filesystem: + readOnlyPaths: + - /proc/@{pid}/cgroup + - /proc/@{pid}/maps + - /proc/sys/net/core/somaxconn + - /sys/devices/kprobe/type + - /sys/devices/system/cpu/online + - /sys/fs/bpf/ + - /sys/kernel/btf/vmlinux + - /sys/kernel/debug/tracing/events/**/id + - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size + - /sys/kernel/security/lsm + - /var/run/secrets/kubernetes.io/serviceaccount/** + - /var/run/secrets/kubernetes.io/serviceaccount/** + readWritePaths: + - |- + ptrace (read), + # ugly template injection hack + - /var/run/grpc/bpf-recorder.sock + network: + allowedProtocols: + allowTcp: true + allowUdp: true + disabled: false diff --git a/deploy/overlays/helm/kustomization.yaml b/deploy/overlays/helm/kustomization.yaml index a4f7fbe978..2344b41cce 100644 --- a/deploy/overlays/helm/kustomization.yaml +++ b/deploy/overlays/helm/kustomization.yaml @@ -7,7 +7,13 @@ sortOptions: order: fifo resources: -- ../../base +- ../webhook +- ../../base/profiles + +labels: +- pairs: { app: "{{.Release.Name}}" } + includeSelectors: true + patches: # Target all namespaced resources present in the project. - patch: | 
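Review bot: The operator Deployment hardcodes `image: gcr.io/k8s-staging-sp-operator/security-profiles-operator:latest` with `imagePullPolicy: Always`, and none of the overlay patches visible in this change rewrite it, so a Helm install pulls a mutable staging tag on every pod restart instead of a release image pinned through values; unless the chart build substitutes it elsewhere, it should read `image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'` (ideally a digest), since this is the component that loads AppArmor/SELinux policy on every node. The `RELATED_IMAGE_SELINUXD*` values have the same untagged/`:latest` issue. The `spo-apparmor` and `bpfrecorder-apparmor` profiles carry `ptrace (read), # ugly template injection hack` inside `readWritePaths`, which shows that list entries are interpolated verbatim into the generated profile text rather than validated as paths; that is worth an explicit comment above the list (and a note on the CRD field) so reviewers do not mistake it for a path and so nobody assumes the field is safe for untrusted input. The `spo-apparmor` capability list grants `mac_admin` and `sys_admin`, which presumably is what `/usr/sbin/apparmor_parser` needs, but a one-line comment saying so would help the next audit.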
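Review bot: `labels: - pairs: { app: "{{.Release.Name}}" }` with `includeSelectors: true` stamps the release name into every Deployment `spec.selector.matchLabels` and into the Service selectors, and Deployment selectors are immutable, so upgrading an existing release whose name is not `security-profiles-operator` from the previous chart (selector `app: security-profiles-operator`) will presumably fail with a "field is immutable" error on both Deployments. If that break is accepted, it deserves a note in the chart's upgrade documentation; otherwise keep the selector label fixed (`includeSelectors: false`) and add the release-name label to metadata only. A short comment above the `labels:` stanza stating which of the two was chosen would save the next person from rediscovering this during a release.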
@@ -25,36 +31,73 @@ patches: target: kind: (ClusterRoleBinding|RoleBinding) -# TODO: get webhook deployment replicas from values file - patch: | - op: replace path: /spec/replicas value: "{{ .Values.replicaCount }}" - target: - kind: Deployment - name: security-profiles-operator-webhook - -# Labels and Annotations -# Kustomize doesn't support adding items as first child to a list, like: -# - op: add -# path: /metadata/labels -# value: "{{- include \"security-profiles-operator.labels\" . | nindent 4 }}" -# So values will be hardcoded. -- patch: |- - - op: add - path: "/metadata/labels/helm.sh~1chart" - value: "security-profiles-operator" - - op: add - path: "/metadata/labels/app.kubernetes.io~1managed-by" - value: "Helm" - - op: add - path: "/metadata/annotations/meta.helm.sh~1release-name" - value: "security-profiles-operator" - - op: add - path: "/metadata/annotations/meta.helm.sh~1release-namespace" - value: "{{ .Release.Namespace }}" - target: - kind: (ClusterRole|ClusterRoleBinding|ConfigMap|MutatingWebhookConfiguration|Namespace|Role|RoleBinding|Secret|ServiceAccount) + target: { kind: Deployment } + +# Respect fullnameOverride +- target: { name: security-profiles-operator } + patch: | + - op: replace + path: /metadata/name + value: '{{ include "security-profiles-operator.name" . }}' +- target: { name: security-profiles-operator-webhook } + patch: | + - op: replace + path: /metadata/name + value: &name '{{ include "security-profiles-operator.name" . }}-webhook' + - op: replace + path: /spec/template/metadata/labels/name + value: *name + - op: replace + path: /spec/selector/matchLabels/name + value: *name +- target: { kind: Deployment, name: security-profiles-operator } + patch: | + - op: replace + path: /spec/template/metadata/labels/name + value: &name '{{ include "security-profiles-operator.name" . 
}}' + - op: replace + path: /spec/selector/matchLabels/name + value: *name +- target: { name: webhook-service } + patch: | + - op: replace + path: /spec/selector/name + value: '{{ include "security-profiles-operator.name" . }}-webhook' + +# Fix webhook/cert namespaces +- target: { name: webhook-cert } + patch: | + - op: replace + path: /spec/dnsNames + value: + - webhook-service.{{.Release.Namespace}}.svc + - webhook-service.{{.Release.Namespace}}.svc.cluster.local +- target: { name: metrics-cert } + patch: | + - op: replace + path: /spec/dnsNames + value: + - metrics.{{.Release.Namespace}} + - metrics.{{.Release.Namespace}}.svc + - metrics.{{.Release.Namespace}}.svc.cluster.local +- target: { name: spo-mutating-webhook-configuration } + patch: | + - op: replace + path: /metadata/annotations/cert-manager.io~1inject-ca-from + value: "{{.Release.Namespace}}/webhook-cert" + - op: replace + path: /webhooks/0/objectSelector/matchExpressions/0/values + value: &val + - '{{ include "security-profiles-operator.name" . }}' + - '{{ include "security-profiles-operator.name" . }}-webhook' + - op: replace + path: /webhooks/1/objectSelector/matchExpressions/0/values + value: *val + # Remove the namespace resource. -- path: delete-ns.yaml \ No newline at end of file +- path: delete-ns.yaml diff --git a/deploy/overlays/webhook/webhook_service.yaml b/deploy/overlays/webhook/webhook_service.yaml index c9798d0b73..3200f6ddf0 100644 --- a/deploy/overlays/webhook/webhook_service.yaml +++ b/deploy/overlays/webhook/webhook_service.yaml @@ -5,7 +5,7 @@ metadata: name: webhook-service namespace: security-profiles-operator labels: - name: security-profiles-operator + name: webhook-service spec: selector: app: security-profiles-operator @@ -13,6 +13,6 @@ spec: ports: - name: webhook protocol: TCP - port: 443 + port: 443 targetPort: 9443
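Review bot: The two `spo-mutating-webhook-configuration` patches address the webhooks by position (`/webhooks/0/objectSelector/...`, `/webhooks/1/objectSelector/...`), so if the base adds or reorders a webhook the exclusion silently lands on the wrong entry and the operator's own pods could again be subject to a `failurePolicy: Fail` webhook; a comment naming the expected order, `# 0 = binding.spo.io, 1 = recording.spo.io — keep in sync with the base`, makes the coupling explicit. The replica patch now targets every Deployment (`target: { kind: Deployment }`) while keeping `value: "{{ .Values.replicaCount }}"` as a quoted scalar; after Helm renders it this becomes `replicas: '1'`, a string where the API expects an integer, unless a later build step strips the quotes — confirm with `helm template` that the rendered value is unquoted. The `metrics-cert` patch adds `metrics.{{.Release.Namespace}}` without a `.svc` suffix, which is harmless but worth a one-line comment if something actually resolves that short name.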