feat: kubesphere 4.0 (#6115)

* feat: kubesphere 4.0

Signed-off-by: ci-bot <ci-bot@kubesphere.io>

* feat: kubesphere 4.0

Signed-off-by: ci-bot <ci-bot@kubesphere.io>

---------

Signed-off-by: ci-bot <ci-bot@kubesphere.io>
Co-authored-by: ks-ci-bot <ks-ci-bot@example.com>
Co-authored-by: joyceliu <joyceliu@yunify.com>
KubeSphere CI Bot
2024-09-06 11:05:52 +08:00
committed by GitHub
parent b5015ec7b9
commit 447a51f08b
8557 changed files with 546695 additions and 1146174 deletions


@@ -1,4 +1,4 @@
{{- $ca := genCA "ks-controller-manager-ca" 3650 }}
{{- $ca := genCA "self-signed-ca" 3650 }}
{{- $cn := printf "%s-admission-webhook" .Release.Name }}
{{- $altName1 := printf "ks-controller-manager.%s" .Release.Namespace }}
{{- $altName2 := printf "ks-controller-manager.%s.svc" .Release.Namespace }}
@@ -13,78 +13,82 @@ kind: Secret
metadata:
name: ks-controller-manager-webhook-cert
type: Opaque
{{ if eq (include "role" .) "host" }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: users.iam.kubesphere.io
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: {{ .Release.Namespace }}
path: /validate-email-iam-kubesphere-io-v1alpha2
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: users.iam.kubesphere.io
namespaceSelector:
matchExpressions:
- key: control-plane
operator: DoesNotExist
objectSelector: {}
rules:
- apiGroups:
- iam.kubesphere.io
apiVersions:
- v1alpha2
operations:
- CREATE
- UPDATE
resources:
- users
scope: '*'
sideEffects: None
timeoutSeconds: 30
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: network.kubesphere.io
webhooks:
- admissionReviewVersions:
- v1beta1
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: {{ .Release.Namespace }}
path: /validate-network-kubesphere-io-v1alpha1
namespace: kubesphere-system
path: /validate-iam-kubesphere-io-v1beta1-user
port: 443
failurePolicy: Fail
failurePolicy: Ignore
matchPolicy: Exact
name: validating-network.kubesphere.io
namespaceSelector:
name: users.iam.kubesphere.io
namespaceSelector: {}
objectSelector:
matchExpressions:
- key: control-plane
operator: DoesNotExist
objectSelector: {}
- key: app.kubernetes.io/managed-by
operator: NotIn
values:
- Helm
rules:
- apiGroups:
- network.kubesphere.io
- iam.kubesphere.io
apiVersions:
- v1alpha1
- v1beta1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- ippools
- users
scope: '*'
sideEffects: None
timeoutSeconds: 30
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: defaulter.installplan.kubesphere.io
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: kubesphere-system
path: /mutate-kubesphere-io-v1alpha1-installplan
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: installplans.kubesphere.io
namespaceSelector: {}
objectSelector:
matchExpressions:
- key: app.kubernetes.io/managed-by
operator: NotIn
values:
- Helm
rules:
- apiGroups:
- kubesphere.io
apiVersions:
- 'v1alpha1'
operations:
- CREATE
- UPDATE
resources:
- installplans
scope: '*'
sideEffects: None
timeoutSeconds: 30
@@ -93,15 +97,55 @@ webhooks:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: resourcesquotas.quota.kubesphere.io
name: validator.installplan.kubesphere.io
webhooks:
- admissionReviewVersions:
- v1beta1
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: {{ .Release.Namespace }}
namespace: kubesphere-system
path: /validate-kubesphere-io-v1alpha1-installplan
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: installplans.kubesphere.io
namespaceSelector: {}
objectSelector:
matchExpressions:
- key: app.kubernetes.io/managed-by
operator: NotIn
values:
- Helm
rules:
- apiGroups:
- kubesphere.io
apiVersions:
- 'v1alpha1'
operations:
- CREATE
- UPDATE
resources:
- installplans
scope: '*'
sideEffects: None
timeoutSeconds: 30
{{ end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: resourcesquotas.quota.kubesphere.io
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: kubesphere-system
path: /validate-quota-kubesphere-io-v1alpha2
port: 443
failurePolicy: Ignore
@@ -111,13 +155,15 @@ webhooks:
objectSelector: {}
rules:
- apiGroups:
- '*'
- ''
apiVersions:
- '*'
- v1
operations:
- CREATE
resources:
- pods
- persistentvolumeclaims
- services
scope: '*'
sideEffects: None
@@ -125,32 +171,259 @@ webhooks:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: storageclass-accessor.storage.kubesphere.io
name: extensions.kubesphere.io
webhooks:
{{- if eq (include "role" .) "host" }}
- admissionReviewVersions:
- v1beta1
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: {{ .Release.Namespace }}
path: /persistentvolumeclaims
namespace: kubesphere-system
path: /validate-extensions-kubesphere-io-v1alpha1-jsbundle
port: 443
failurePolicy: Ignore
failurePolicy: Fail
matchPolicy: Exact
name: storageclass-accessor.storage.kubesphere.io
name: jsbundles.extensions.kubesphere.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- '*'
- extensions.kubesphere.io
apiVersions:
- '*'
- v1alpha1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- persistentvolumeclaims
- jsbundles
scope: '*'
sideEffects: None
sideEffects: None
timeoutSeconds: 30
{{- end }}
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: kubesphere-system
path: /validate-extensions-kubesphere-io-v1alpha1-apiservice
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: apiservices.extensions.kubesphere.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- extensions.kubesphere.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- apiservices
scope: '*'
sideEffects: None
timeoutSeconds: 30
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: kubesphere-system
path: /validate-extensions-kubesphere-io-v1alpha1-reverseproxy
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: reverseproxies.extensions.kubesphere.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- extensions.kubesphere.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- reverseproxies
scope: '*'
sideEffects: None
timeoutSeconds: 30
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: kubesphere-system
path: /validate-extensions-kubesphere-io-v1alpha1-extensionentry
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: extensionentries.extensions.kubesphere.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- extensions.kubesphere.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- extensionentries
scope: '*'
sideEffects: None
timeoutSeconds: 30
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validator.config.kubesphere.io
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: kubesphere-system
path: /validate--v1-secret
port: 443
failurePolicy: Ignore
matchPolicy: Exact
name: validator.config.kubesphere.io
namespaceSelector: {}
objectSelector:
matchExpressions:
- key: config.kubesphere.io/type
operator: Exists
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
scope: '*'
sideEffects: None
timeoutSeconds: 30
{{- if eq (include "role" .) "host" }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: extensions.kubesphere.io
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: kubesphere-system
path: /mutate-extensions-kubesphere-io-v1alpha1-jsbundle
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: jsbundles.extensions.kubesphere.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- extensions.kubesphere.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- jsbundles
scope: '*'
sideEffects: None
timeoutSeconds: 30
{{- end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: serviceaccount.kubesphere.io
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: kubesphere-system
path: /serviceaccount-pod-injector
port: 443
failurePolicy: Ignore
matchPolicy: Exact
name: serviceaccount-pod-injector.kubesphere.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
scope: '*'
sideEffects: None
timeoutSeconds: 30
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: defaulter.config.kubesphere.io
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ b64enc $ca.Cert | quote }}
service:
name: ks-controller-manager
namespace: kubesphere-system
path: /mutate--v1-secret
port: 443
failurePolicy: Ignore
matchPolicy: Exact
name: defaulter.config.kubesphere.io
namespaceSelector: {}
objectSelector:
matchExpressions:
- key: config.kubesphere.io/type
operator: Exists
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
scope: '*'
sideEffects: None
timeoutSeconds: 30
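Review bot: The `users.iam.kubesphere.io` validating webhook in the second hunk appears to become fail-open on the new side: `failurePolicy: Ignore` is printed right after `failurePolicy: Fail`, and since this rendering has lost its +/- markers, that reading is inferred from print order. With `Ignore`, User admission requests are let through unvalidated whenever ks-controller-manager is unreachable or its serving certificate does not verify against `caBundle`. I would keep `failurePolicy: Fail` for this webhook. The `objectSelector` on the same webhook also skips any object labelled `app.kubernetes.io/managed-by: Helm`, and that label is supplied by whoever submits the object, so the exemption is not limited to users the chart itself installs; it deserves a comment stating why it is safe, or a narrower selector. Separately, the new `namespace: kubesphere-system` in each `clientConfig` no longer matches the `.Release.Namespace` SANs built in the first hunk, so a release installed into another namespace would presumably have every `Ignore` webhook skipped silently and every `Fail` webhook rejecting requests; `namespace: {{ .Release.Namespace }}` keeps the two in step.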