SLK-79184 - Fix namespaceSelector for KE admission controller

aquasecurity · Mar 6, 2024 · 20af075 · 20af075
1 parent e35f9da
commit 20af075
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ This repository includes the following charts; they can be deployed separately:
 | [Server](server/)                   | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component                                                                     | 2022.4.23            |
 | [Enforcer](enforcer/)               | Deploys the Aqua Enforcer daemonset                                                                                                                           | 2022.4.20            |
 | [Scanner](scanner/)                 | Deploys the Aqua Scanner deployment                                                                                                                           | 2022.4.6             |
-| [KubeEnforcer](kube-enforcer/)      | Deploys Aqua KubeEnforcer                                                                                                                                     | 2022.4.41            |
+| [KubeEnforcer](kube-enforcer/)      | Deploys Aqua KubeEnforcer                                                                                                                                     | 2022.4.42            |
 | [Gateway](gateway)                  | Deploys the Aqua Standalone Gateway                                                                                                                           | 2022.4.12            |
 | [Tenant-Manager](tenant-manager/)   | Deploys the Aqua Tenant Manager                                                                                                                               | 2022.4.0             |
 | [Cyber Center](cyber-center/)       | Deploys Aqua CyberCenter offline for air-gap environment                                                                                                      | 2022.4.3             |
@@ -81,7 +81,7 @@ aqua-helm/codesec-agent         1.2.7           2022.4          A Helm chart for
 aqua-helm/cloud-connector       2022.4.4        2022.4          A Helm chart for Aqua Cloud-Connector
 aqua-helm/cyber-center          2022.4.3        2022.4          A Helm chart for Aqua CyberCenter
 aqua-helm/enforcer              2022.4.20       2022.4          A Helm chart for the Aqua Enforcer
-aqua-helm/kube-enforcer         2022.4.41       2022.4          A Helm chart for the Aqua KubeEnforcer Starboard
+aqua-helm/kube-enforcer         2022.4.42       2022.4          A Helm chart for the Aqua KubeEnforcer Starboard
 aqua-helm/gateway               2022.4.12       2022.4          A Helm chart for the Aqua Gateway
 aqua-helm/scanner               2022.4.6        2022.4          A Helm chart for the Aqua Scanner CLI component
 aqua-helm/server                2022.4.23       2022.4          A Helm chart for the Aqua Console components

diff --git a/kube-enforcer/CHANGELOG.md b/kube-enforcer/CHANGELOG.md
@@ -1,6 +1,9 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 2022.4.42 ( Feb 19th, 2024 )
+* Fix namespaceSelector for KE admission controller
+
 ## 2022.4.41 ( Feb 19th, 2024 )
 * Add a new environment variable AQUA_HEALTH_MONITOR_PORT
 * Add namespaceSelector to KE admission controller

diff --git a/kube-enforcer/Chart.yaml b/kube-enforcer/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2022.4"
 description: A Helm chart for the Aqua KubeEnforcer
 name: kube-enforcer
-version: "2022.4.41"
+version: "2022.4.42"
 dependencies:
   - name: enforcer
     version: "2022.4.20"

diff --git a/kube-enforcer/templates/mutating-webhook.yaml b/kube-enforcer/templates/mutating-webhook.yaml
@@ -34,12 +34,9 @@ webhooks:
     timeoutSeconds: {{ .Values.webhooks.mutatingWebhook.timeout }}
     admissionReviewVersions: ["v1beta1"]
     sideEffects: "None"
+    {{- with .Values.webhooks.mutatingWebhook.namespaceSelector }}
     namespaceSelector:
-      matchExpressions:
-        - key: kubernetes.io/metadata.name
-          operator: NotIn
-          values:
-            - kube-system
-            - kube-node-lease
+    {{ toYaml . | nindent 8 }}
+    {{ end }}
 {{- end }}
 {{- end }}
diff --git a/kube-enforcer/templates/validating-webhook.yaml b/kube-enforcer/templates/validating-webhook.yaml
@@ -48,12 +48,9 @@ webhooks:
     timeoutSeconds: {{ .Values.webhooks.validatingWebhook.timeout }}
     admissionReviewVersions: ["v1beta1"]
     sideEffects: "None"
+    {{- with .Values.webhooks.validatingWebhook.namespaceSelector }}
     namespaceSelector:
-      matchExpressions:
-        - key: kubernetes.io/metadata.name
-          operator: NotIn
-          values:
-            - kube-system
-            - kube-node-lease
+    {{ toYaml . | nindent 8 }}
+    {{ end }}
 {{- end }}
 {{- end }}
diff --git a/kube-enforcer/values.yaml b/kube-enforcer/values.yaml
@@ -173,13 +173,27 @@ webhooks:
     name: "kube-enforcer-admission-hook-config"
     timeout: 2
     annotations: {}
+    namespaceSelector: {}
+    #  matchExpressions:
+    #    - key: kubernetes.io/metadata.name
+    #      operator: NotIn
+    #      values:
+    #        - kube-system
+    #        - kube-node-lease
   mutatingWebhook:
     enabled: true
     name: "kube-enforcer-me-injection-hook-config"
     timeout: 2
     annotations: {}
       # cert-manager.io/inject-ca-from: < namespace >/< certsSecret.name >
       # If you are using webhooks.certManager=true, so need to add cert-manager annotations
+    namespaceSelector: { }
+    #  matchExpressions:
+    #    - key: kubernetes.io/metadata.name
+    #      operator: NotIn
+    #      values:
+    #        - kube-system
+    #        - kube-node-lease
 
 securityContext:
   runAsUser: 11431