Upgrade opagatekeeper from v3.8.1 to v3.11.0

[nassereddinebelghith]

Upgrade opagatekeeper from v3.8.1 to v3.11.0:

• Update CRD definitions
• deloy new version I got this error {error: adding watch for networking.k8s.io/v1beta1, Kind=Ingress getting informer for kind: networking.k8s.io/v1beta1, Kind=Ingress no matches for kind "Ingress" in version "networking.k8s.io/v1beta1"

I tried to relauch many times the kubectl apply -f build without success follwing this procedure: https://github.com/open-policy-agent/gatekeeper/issues/351

Environment:

• Gatekeeper version: v3.11.0
• Kubernetes version: Client Version: v1.24.3 Kustomize Version: v4.5.4 Server Version: v1.24.8-gke.2000
• Kustomize Version: v4.5.4

[maxsmythe]

Did you also upgrade your K8s cluster? v1beta1 Ingress resources no longer exist.

Do you have Gatekeeper to configured to watch this resource? kubectl get -oyaml -n gatekeeper-system config config would show you what you're configured to sync. If so, then removing that sync should fix the problem, though not having that sync may impact enforcement of any policies that require that sync (hopefully they'd also work with the v1 flavor of that resource).

[nassereddinebelghith]

@maxsmythe thank you for response, I deleted the block since the v1beta ingress resource does no longer exixt in my cluster running your command I got :

To learn more, consult https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"config.gatekeeper.sh/v1alpha1","kind":"Config","metadata":{"annotations":{},"labels":{"env":"dev"},"name":"config","namespace":"gatekeeper-system"},"spec":{"sync":{"syncOnly":[{"group":"networking.k8s.io","kind":"Ingress","version":"v1"},{"group":"kafka.phenix.carrefour.com","kind":"KafkaTopic","version":"v1alpha1"}]}}}
  creationTimestamp: "2022-05-25T16:07:45Z"
  generation: 16
  labels:
    env: dev
  name: config
  namespace: gatekeeper-system
  resourceVersion: "361786059"
  uid: ea57d102-6e44-428d-81e3-e32f87ac4027
spec:
  sync:
    syncOnly:
    - group: networking.k8s.io
      kind: Ingress
      version: v1
    - group: kafka.phenix.carrefour.com
      kind: KafkaTopic
      version: v1alpha1```

[maxsmythe]

What is your concern with that output? The link about kubectl auth changes?

[maxsmythe]

Also, did that fix the issue?

[nassereddinebelghith]

My concern after deleting the ingress v1beta1 , the gatekeeper-controller-manager is OK however the gatekeeper-audit is facing some problems (Readiness probe failed: Get "http://172.xx.yy.zz:9090/readyz": dial tcp 172.xx.yy.zz:9090: connect: connection refused)by inspecting logs of its pods i see this error:

{"level":"info","ts":1677010244.0703058,"msg":"Starting EventSource","controller":"cert-rotator","source":"&{{%!s(*v1.Secret=&{{ } { 0 {{0 0 <nil>}} <nil> <nil> map[] map[] [] [] []} <nil> map[] map[] }) %!s(*cache.informerCache=&{0xc00033a360}) %!s(chan error=<nil>) %!s(func()=<nil>)}}"}

from stackdriver logs i see this error:

{"error":"could not mount certs", "errorVerbose":"could not mount certs
github.com/open-policy-agent/cert-controller/pkg/rotator.(*CertRotator).Start
    /go/src/github.com/open-policy-agent/gatekeeper/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go:205
sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1
    /go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:219
runtime.goexit
    /usr/local/go/src/runtime/asm_amd64.s:1594", "level":"error", "logger":"setup", "msg":"problem running manager", "stacktrace":"main.main
    /go/src/github.com/open-policy-agent/gatekeeper/main.go:259
runtime.main
    /usr/local/go/src/runtime/proc.go:250", "ts":1.6769980857925682E9}```

I didn't change the certs (i was running v3.8.1 before upgrading to v3.11.0) 

[maxsmythe]

{"level":"info","ts":1677010244.0703058,"msg":"Starting EventSource","controller":"cert-rotator","source":"&{{%!s(*v1.Secret=&{{ } { 0 {{0 0 <nil>}} <nil> <nil> map[] map[] [] [] []} <nil> map[] map[] }) %!s(*cache.informerCache=&{0xc00033a360}) %!s(chan error=<nil>) %!s(func()=<nil>)}}"}

This is not an error, though it is a pretty funky looking log line.

WRT the "could not mount certs" error... what does your audit pod look like? Is there a volume mount for the cert secret?

[nassereddinebelghith]

yes there is a volume mount for the cert secret , If it can help this is my yaml file:

kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.10.0
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: assignmetadata.mutations.gatekeeper.sh
spec:
  group: mutations.gatekeeper.sh
  names:
    kind: AssignMetadata
    listKind: AssignMetadataList
    plural: assignmetadata
    singular: assignmetadata
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: AssignMetadata is the Schema for the assignmetadata API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            properties:
              name:
                maxLength: 63
                type: string
            type: object
          spec:
            description: AssignMetadataSpec defines the desired state of AssignMetadata.
            properties:
              location:
                type: string
              match:
                description: Match selects objects to apply mutations to.
                properties:
                  excludedNamespaces:
                    description: 'ExcludedNamespaces is a list of namespace names.
                      If defined, a constraint only applies to resources not in a
                      listed namespace. ExcludedNamespaces also supports a prefix
                      or suffix based glob.  For example, `excludedNamespaces: [kube-*]`
                      matches both `kube-system` and `kube-public`, and `excludedNamespaces:
                      [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  kinds:
                    items:
                      description: Kinds accepts a list of objects with apiGroups
                        and kinds fields that list the groups/kinds of objects to
                        which the mutation will apply. If multiple groups/kinds objects
                        are specified, only one match is needed for the resource to
                        be in scope.
                      properties:
                        apiGroups:
                          description: APIGroups is the API groups the resources belong
                            to. '*' is all groups. If '*' is present, the length of
                            the slice must be one. Required.
                          items:
                            type: string
                          type: array
                        kinds:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  labelSelector:
                    description: 'LabelSelector is the combination of two optional
                      fields: `matchLabels` and `matchExpressions`.  These two fields
                      provide different methods of selecting or excluding k8s objects
                      based on the label keys and values included in object metadata.  All
                      selection expressions from both sections are ANDed to determine
                      if an object meets the cumulative requirements of the selector.'
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  name:
                    description: 'Name is the name of an object.  If defined, it will
                      match against objects with the specified name.  Name also supports
                      a prefix or suffix glob.  For example, `name: pod-*` would match
                      both `pod-a` and `pod-b`, and `name: *-pod` would match both
                      `a-pod` and `b-pod`.'
                    pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                    type: string
                  namespaceSelector:
                    description: NamespaceSelector is a label selector against an
                      object's containing namespace or the object itself, if the object
                      is a namespace.
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  namespaces:
                    description: 'Namespaces is a list of namespace names. If defined,
                      a constraint only applies to resources in a listed namespace.  Namespaces
                      also supports a prefix or suffix based glob.  For example, `namespaces:
                      [kube-*]` matches both `kube-system` and `kube-public`, and
                      `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  scope:
                    description: Scope determines if cluster-scoped and/or namespaced-scoped
                      resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`.
                      (defaults to `*`)
                    type: string
                  source:
                    description: Source determines whether generated or original resources
                      are matched. Accepts `Generated`|`Original`|`All` (defaults
                      to `All`). A value of `Generated` will only match generated
                      resources, while `Original` will only match regular resources.
                    enum:
                    - All
                    - Generated
                    - Original
                    type: string
                type: object
              parameters:
                properties:
                  assign:
                    description: Assign.value holds the value to be assigned
                    properties:
                      externalData:
                        description: ExternalData describes the external data provider
                          to be used for mutation.
                        properties:
                          dataSource:
                            default: ValueAtLocation
                            description: DataSource specifies where to extract the
                              data that will be sent to the external data provider
                              as parameters.
                            enum:
                            - ValueAtLocation
                            - Username
                            type: string
                          default:
                            description: Default specifies the default value to use
                              when the external data provider returns an error and
                              the failure policy is set to "UseDefault".
                            type: string
                          failurePolicy:
                            default: Fail
                            description: FailurePolicy specifies the policy to apply
                              when the external data provider returns an error.
                            enum:
                            - UseDefault
                            - Ignore
                            - Fail
                            type: string
                          provider:
                            description: Provider is the name of the external data
                              provider.
                            type: string
                        type: object
                      fromMetadata:
                        description: FromMetadata assigns a value from the specified
                          metadata field.
                        properties:
                          field:
                            description: Field specifies which metadata field provides
                              the assigned value. Valid fields are `namespace` and
                              `name`.
                            type: string
                        type: object
                      value:
                        description: Value is a constant value that will be assigned
                          to `location`
                        x-kubernetes-preserve-unknown-fields: true
                    type: object
                type: object
            type: object
          status:
            description: AssignMetadataStatus defines the observed state of AssignMetadata.
            properties:
              byPod:
                description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
                  of cluster Important: Run "make" to regenerate code after modifying
                  this file'
                items:
                  description: MutatorPodStatusStatus defines the observed state of
                    MutatorPodStatus.
                  properties:
                    enforced:
                      type: boolean
                    errors:
                      items:
                        description: MutatorError represents a single error caught
                          while adding a mutator to a system.
                        properties:
                          message:
                            type: string
                          type:
                            description: Type indicates a specific class of error
                              for use by controller code. If not present, the error
                              should be treated as not matching any known type.
                            type: string
                        required:
                        - message
                        type: object
                      type: array
                    id:
                      type: string
                    mutatorUID:
                      description: Storing the mutator UID allows us to detect drift,
                        such as when a mutator has been recreated after its CRD was
                        deleted out from under it, interrupting the watch
                      type: string
                    observedGeneration:
                      format: int64
                      type: integer
                    operations:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: AssignMetadata is the Schema for the assignmetadata API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AssignMetadataSpec defines the desired state of AssignMetadata.
            properties:
              location:
                type: string
              match:
                description: Match selects objects to apply mutations to.
                properties:
                  excludedNamespaces:
                    description: 'ExcludedNamespaces is a list of namespace names.
                      If defined, a constraint only applies to resources not in a
                      listed namespace. ExcludedNamespaces also supports a prefix
                      or suffix based glob.  For example, `excludedNamespaces: [kube-*]`
                      matches both `kube-system` and `kube-public`, and `excludedNamespaces:
                      [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  kinds:
                    items:
                      description: Kinds accepts a list of objects with apiGroups
                        and kinds fields that list the groups/kinds of objects to
                        which the mutation will apply. If multiple groups/kinds objects
                        are specified, only one match is needed for the resource to
                        be in scope.
                      properties:
                        apiGroups:
                          description: APIGroups is the API groups the resources belong
                            to. '*' is all groups. If '*' is present, the length of
                            the slice must be one. Required.
                          items:
                            type: string
                          type: array
                        kinds:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  labelSelector:
                    description: 'LabelSelector is the combination of two optional
                      fields: `matchLabels` and `matchExpressions`.  These two fields
                      provide different methods of selecting or excluding k8s objects
                      based on the label keys and values included in object metadata.  All
                      selection expressions from both sections are ANDed to determine
                      if an object meets the cumulative requirements of the selector.'
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  name:
                    description: 'Name is the name of an object.  If defined, it will
                      match against objects with the specified name.  Name also supports
                      a prefix or suffix glob.  For example, `name: pod-*` would match
                      both `pod-a` and `pod-b`, and `name: *-pod` would match both
                      `a-pod` and `b-pod`.'
                    pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                    type: string
                  namespaceSelector:
                    description: NamespaceSelector is a label selector against an
                      object's containing namespace or the object itself, if the object
                      is a namespace.
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  namespaces:
                    description: 'Namespaces is a list of namespace names. If defined,
                      a constraint only applies to resources in a listed namespace.  Namespaces
                      also supports a prefix or suffix based glob.  For example, `namespaces:
                      [kube-*]` matches both `kube-system` and `kube-public`, and
                      `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  scope:
                    description: Scope determines if cluster-scoped and/or namespaced-scoped
                      resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`.
                      (defaults to `*`)
                    type: string
                  source:
                    description: Source determines whether generated or original resources
                      are matched. Accepts `Generated`|`Original`|`All` (defaults
                      to `All`). A value of `Generated` will only match generated
                      resources, while `Original` will only match regular resources.
                    enum:
                    - All
                    - Generated
                    - Original
                    type: string
                type: object
              parameters:
                properties:
                  assign:
                    description: Assign.value holds the value to be assigned
                    properties:
                      externalData:
                        description: ExternalData describes the external data provider
                          to be used for mutation.
                        properties:
                          dataSource:
                            default: ValueAtLocation
                            description: DataSource specifies where to extract the
                              data that will be sent to the external data provider
                              as parameters.
                            enum:
                            - ValueAtLocation
                            - Username
                            type: string
                          default:
                            description: Default specifies the default value to use
                              when the external data provider returns an error and
                              the failure policy is set to "UseDefault".
                            type: string
                          failurePolicy:
                            default: Fail
                            description: FailurePolicy specifies the policy to apply
                              when the external data provider returns an error.
                            enum:
                            - UseDefault
                            - Ignore
                            - Fail
                            type: string
                          provider:
                            description: Provider is the name of the external data
                              provider.
                            type: string
                        type: object
                      fromMetadata:
                        description: FromMetadata assigns a value from the specified
                          metadata field.
                        properties:
                          field:
                            description: Field specifies which metadata field provides
                              the assigned value. Valid fields are `namespace` and
                              `name`.
                            type: string
                        type: object
                      value:
                        description: Value is a constant value that will be assigned
                          to `location`
                        x-kubernetes-preserve-unknown-fields: true
                    type: object
                type: object
            type: object
          status:
            description: AssignMetadataStatus defines the observed state of AssignMetadata.
            properties:
              byPod:
                description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
                  of cluster Important: Run "make" to regenerate code after modifying
                  this file'
                items:
                  description: MutatorPodStatusStatus defines the observed state of
                    MutatorPodStatus.
                  properties:
                    enforced:
                      type: boolean
                    errors:
                      items:
                        description: MutatorError represents a single error caught
                          while adding a mutator to a system.
                        properties:
                          message:
                            type: string
                          type:
                            description: Type indicates a specific class of error
                              for use by controller code. If not present, the error
                              should be treated as not matching any known type.
                            type: string
                        required:
                        - message
                        type: object
                      type: array
                    id:
                      type: string
                    mutatorUID:
                      description: Storing the mutator UID allows us to detect drift,
                        such as when a mutator has been recreated after its CRD was
                        deleted out from under it, interrupting the watch
                      type: string
                    observedGeneration:
                      format: int64
                      type: integer
                    operations:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: AssignMetadata is the Schema for the assignmetadata API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AssignMetadataSpec defines the desired state of AssignMetadata.
            properties:
              location:
                type: string
              match:
                description: Match selects objects to apply mutations to.
                properties:
                  excludedNamespaces:
                    description: 'ExcludedNamespaces is a list of namespace names.
                      If defined, a constraint only applies to resources not in a
                      listed namespace. ExcludedNamespaces also supports a prefix
                      or suffix based glob.  For example, `excludedNamespaces: [kube-*]`
                      matches both `kube-system` and `kube-public`, and `excludedNamespaces:
                      [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  kinds:
                    items:
                      description: Kinds accepts a list of objects with apiGroups
                        and kinds fields that list the groups/kinds of objects to
                        which the mutation will apply. If multiple groups/kinds objects
                        are specified, only one match is needed for the resource to
                        be in scope.
                      properties:
                        apiGroups:
                          description: APIGroups is the API groups the resources belong
                            to. '*' is all groups. If '*' is present, the length of
                            the slice must be one. Required.
                          items:
                            type: string
                          type: array
                        kinds:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  labelSelector:
                    description: 'LabelSelector is the combination of two optional
                      fields: `matchLabels` and `matchExpressions`.  These two fields
                      provide different methods of selecting or excluding k8s objects
                      based on the label keys and values included in object metadata.  All
                      selection expressions from both sections are ANDed to determine
                      if an object meets the cumulative requirements of the selector.'
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  name:
                    description: 'Name is the name of an object.  If defined, it will
                      match against objects with the specified name.  Name also supports
                      a prefix or suffix glob.  For example, `name: pod-*` would match
                      both `pod-a` and `pod-b`, and `name: *-pod` would match both
                      `a-pod` and `b-pod`.'
                    pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                    type: string
                  namespaceSelector:
                    description: NamespaceSelector is a label selector against an
                      object's containing namespace or the object itself, if the object
                      is a namespace.
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  namespaces:
                    description: 'Namespaces is a list of namespace names. If defined,
                      a constraint only applies to resources in a listed namespace.  Namespaces
                      also supports a prefix or suffix based glob.  For example, `namespaces:
                      [kube-*]` matches both `kube-system` and `kube-public`, and
                      `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  scope:
                    description: Scope determines if cluster-scoped and/or namespaced-scoped
                      resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`.
                      (defaults to `*`)
                    type: string
                  source:
                    description: Source determines whether generated or original resources
                      are matched. Accepts `Generated`|`Original`|`All` (defaults
                      to `All`). A value of `Generated` will only match generated
                      resources, while `Original` will only match regular resources.
                    enum:
                    - All
                    - Generated
                    - Original
                    type: string
                type: object
              parameters:
                properties:
                  assign:
                    description: Assign.value holds the value to be assigned
                    properties:
                      externalData:
                        description: ExternalData describes the external data provider
                          to be used for mutation.
                        properties:
                          dataSource:
                            default: ValueAtLocation
                            description: DataSource specifies where to extract the
                              data that will be sent to the external data provider
                              as parameters.
                            enum:
                            - ValueAtLocation
                            - Username
                            type: string
                          default:
                            description: Default specifies the default value to use
                              when the external data provider returns an error and
                              the failure policy is set to "UseDefault".
                            type: string
                          failurePolicy:
                            default: Fail
                            description: FailurePolicy specifies the policy to apply
                              when the external data provider returns an error.
                            enum:
                            - UseDefault
                            - Ignore
                            - Fail
                            type: string
                          provider:
                            description: Provider is the name of the external data
                              provider.
                            type: string
                        type: object
                      fromMetadata:
                        description: FromMetadata assigns a value from the specified
                          metadata field.
                        properties:
                          field:
                            description: Field specifies which metadata field provides
                              the assigned value. Valid fields are `namespace` and
                              `name`.
                            type: string
                        type: object
                      value:
                        description: Value is a constant value that will be assigned
                          to `location`
                        x-kubernetes-preserve-unknown-fields: true
                    type: object
                type: object
            type: object
          status:
            description: AssignMetadataStatus defines the observed state of AssignMetadata.
            properties:
              byPod:
                description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
                  of cluster Important: Run "make" to regenerate code after modifying
                  this file'
                items:
                  description: MutatorPodStatusStatus defines the observed state of
                    MutatorPodStatus.
                  properties:
                    enforced:
                      type: boolean
                    errors:
                      items:
                        description: MutatorError represents a single error caught
                          while adding a mutator to a system.
                        properties:
                          message:
                            type: string
                          type:
                            description: Type indicates a specific class of error
                              for use by controller code. If not present, the error
                              should be treated as not matching any known type.
                            type: string
                        required:
                        - message
                        type: object
                      type: array
                    id:
                      type: string
                    mutatorUID:
                      description: Storing the mutator UID allows us to detect drift,
                        such as when a mutator has been recreated after its CRD was
                        deleted out from under it, interrupting the watch
                      type: string
                    observedGeneration:
                      format: int64
                      type: integer
                    operations:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.10.0
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: configs.config.gatekeeper.sh
spec:
  group: config.gatekeeper.sh
  names:
    kind: Config
    listKind: ConfigList
    plural: configs
    singular: config
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: Config is the Schema for the configs API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ConfigSpec defines the desired state of Config.
            properties:
              match:
                description: Configuration for namespace exclusion
                items:
                  properties:
                    excludedNamespaces:
                      items:
                        description: 'A string that supports globbing at its front
                          or end. Ex: "kube-*" will match "kube-system" or "kube-public",
                          "*-system" will match "kube-system" or "gatekeeper-system".  The
                          asterisk is required for wildcard matching.'
                        pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                        type: string
                      type: array
                    processes:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              readiness:
                description: Configuration for readiness tracker
                properties:
                  statsEnabled:
                    type: boolean
                type: object
              sync:
                description: Configuration for syncing k8s objects
                properties:
                  syncOnly:
                    description: If non-empty, only entries on this list will be replicated
                      into OPA
                    items:
                      properties:
                        group:
                          type: string
                        kind:
                          type: string
                        version:
                          type: string
                      type: object
                    type: array
                type: object
              validation:
                description: Configuration for validation
                properties:
                  traces:
                    description: List of requests to trace. Both "user" and "kinds"
                      must be specified
                    items:
                      properties:
                        dump:
                          description: Also dump the state of OPA with the trace.
                            Set to `All` to dump everything.
                          type: string
                        kind:
                          description: Only trace requests of the following GroupVersionKind
                          properties:
                            group:
                              type: string
                            kind:
                              type: string
                            version:
                              type: string
                          type: object
                        user:
                          description: Only trace requests from the specified user
                          type: string
                      type: object
                    type: array
                type: object
            type: object
          status:
            description: ConfigStatus defines the observed state of Config.
            type: object
        type: object
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.10.0
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: constraintpodstatuses.status.gatekeeper.sh
spec:
  group: status.gatekeeper.sh
  names:
    kind: ConstraintPodStatus
    listKind: ConstraintPodStatusList
    plural: constraintpodstatuses
    singular: constraintpodstatus
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: ConstraintPodStatus is the Schema for the constraintpodstatuses
          API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          status:
            description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus.
            properties:
              constraintUID:
                description: Storing the constraint UID allows us to detect drift,
                  such as when a constraint has been recreated after its CRD was deleted
                  out from under it, interrupting the watch
                type: string
              enforced:
                type: boolean
              errors:
                items:
                  description: Error represents a single error caught while adding
                    a constraint to OPA.
                  properties:
                    code:
                      type: string
                    location:
                      type: string
                    message:
                      type: string
                  required:
                  - code
                  - message
                  type: object
                type: array
              id:
                type: string
              observedGeneration:
                format: int64
                type: integer
              operations:
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.10.0
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: constrainttemplatepodstatuses.status.gatekeeper.sh
spec:
  group: status.gatekeeper.sh
  names:
    kind: ConstraintTemplatePodStatus
    listKind: ConstraintTemplatePodStatusList
    plural: constrainttemplatepodstatuses
    singular: constrainttemplatepodstatus
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses
          API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          status:
            description: ConstraintTemplatePodStatusStatus defines the observed state
              of ConstraintTemplatePodStatus.
            properties:
              errors:
                items:
                  description: CreateCRDError represents a single error caught during
                    parsing, compiling, etc.
                  properties:
                    code:
                      type: string
                    location:
                      type: string
                    message:
                      type: string
                  required:
                  - code
                  - message
                  type: object
                type: array
              id:
                description: 'Important: Run "make" to regenerate code after modifying
                  this file'
                type: string
              observedGeneration:
                format: int64
                type: integer
              operations:
                items:
                  type: string
                type: array
              templateUID:
                description: UID is a type that holds unique ID values, including
                  UUIDs.  Because we don't ONLY use UUIDs, this is an alias to string.  Being
                  a type captures intent and helps make sure that UIDs and names do
                  not get conflated.
                type: string
            type: object
        type: object
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.10.0
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: constrainttemplates.templates.gatekeeper.sh
spec:
  group: templates.gatekeeper.sh
  names:
    kind: ConstraintTemplate
    listKind: ConstraintTemplateList
    plural: constrainttemplates
    singular: constrainttemplate
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: ConstraintTemplate is the Schema for the constrainttemplates
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate.
            properties:
              crd:
                properties:
                  spec:
                    properties:
                      names:
                        properties:
                          kind:
                            type: string
                          shortNames:
                            items:
                              type: string
                            type: array
                        type: object
                      validation:
                        default:
                          legacySchema: false
                        properties:
                          legacySchema:
                            default: false
                            type: boolean
                          openAPIV3Schema:
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                        type: object
                    type: object
                type: object
              targets:
                items:
                  properties:
                    libs:
                      items:
                        type: string
                      type: array
                    rego:
                      type: string
                    target:
                      type: string
                  type: object
                type: array
            type: object
          status:
            description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate.
            properties:
              byPod:
                items:
                  description: ByPodStatus defines the observed state of ConstraintTemplate
                    as seen by an individual controller
                  properties:
                    errors:
                      items:
                        description: CreateCRDError represents a single error caught
                          during parsing, compiling, etc.
                        properties:
                          code:
                            type: string
                          location:
                            type: string
                          message:
                            type: string
                        required:
                        - code
                        - message
                        type: object
                      type: array
                    id:
                      description: a unique identifier for the pod that wrote the
                        status
                      type: string
                    observedGeneration:
                      format: int64
                      type: integer
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
                type: array
              created:
                type: boolean
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ConstraintTemplate is the Schema for the constrainttemplates
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate.
            properties:
              crd:
                properties:
                  spec:
                    properties:
                      names:
                        properties:
                          kind:
                            type: string
                          shortNames:
                            items:
                              type: string
                            type: array
                        type: object
                      validation:
                        default:
                          legacySchema: true
                        properties:
                          legacySchema:
                            default: true
                            type: boolean
                          openAPIV3Schema:
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                        type: object
                    type: object
                type: object
              targets:
                items:
                  properties:
                    libs:
                      items:
                        type: string
                      type: array
                    rego:
                      type: string
                    target:
                      type: string
                  type: object
                type: array
            type: object
          status:
            description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate.
            properties:
              byPod:
                items:
                  description: ByPodStatus defines the observed state of ConstraintTemplate
                    as seen by an individual controller
                  properties:
                    errors:
                      items:
                        description: CreateCRDError represents a single error caught
                          during parsing, compiling, etc.
                        properties:
                          code:
                            type: string
                          location:
                            type: string
                          message:
                            type: string
                        required:
                        - code
                        - message
                        type: object
                      type: array
                    id:
                      description: a unique identifier for the pod that wrote the
                        status
                      type: string
                    observedGeneration:
                      format: int64
                      type: integer
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
                type: array
              created:
                type: boolean
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: ConstraintTemplate is the Schema for the constrainttemplates
          API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate.
            properties:
              crd:
                properties:
                  spec:
                    properties:
                      names:
                        properties:
                          kind:
                            type: string
                          shortNames:
                            items:
                              type: string
                            type: array
                        type: object
                      validation:
                        default:
                          legacySchema: true
                        properties:
                          legacySchema:
                            default: true
                            type: boolean
                          openAPIV3Schema:
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                        type: object
                    type: object
                type: object
              targets:
                items:
                  properties:
                    libs:
                      items:
                        type: string
                      type: array
                    rego:
                      type: string
                    target:
                      type: string
                  type: object
                type: array
            type: object
          status:
            description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate.
            properties:
              byPod:
                items:
                  description: ByPodStatus defines the observed state of ConstraintTemplate
                    as seen by an individual controller
                  properties:
                    errors:
                      items:
                        description: CreateCRDError represents a single error caught
                          during parsing, compiling, etc.
                        properties:
                          code:
                            type: string
                          location:
                            type: string
                          message:
                            type: string
                        required:
                        - code
                        - message
                        type: object
                      type: array
                    id:
                      description: a unique identifier for the pod that wrote the
                        status
                      type: string
                    observedGeneration:
                      format: int64
                      type: integer
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
                type: array
              created:
                type: boolean
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.10.0
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: modifyset.mutations.gatekeeper.sh
spec:
  group: mutations.gatekeeper.sh
  names:
    kind: ModifySet
    listKind: ModifySetList
    plural: modifyset
    singular: modifyset
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: ModifySet allows the user to modify non-keyed lists, such as
          the list of arguments to a container.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            properties:
              name:
                maxLength: 63
                type: string
            type: object
          spec:
            description: ModifySetSpec defines the desired state of ModifySet.
            properties:
              applyTo:
                description: ApplyTo lists the specific groups, versions and kinds
                  a mutation will be applied to. This is necessary because every mutation
                  implies part of an object schema and object schemas are associated
                  with specific GVKs.
                items:
                  description: ApplyTo determines what GVKs items the mutation should
                    apply to. Globs are not allowed.
                  properties:
                    groups:
                      items:
                        type: string
                      type: array
                    kinds:
                      items:
                        type: string
                      type: array
                    versions:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              location:
                description: 'Location describes the path to be mutated, for example:
                  `spec.containers[name: main].args`.'
                type: string
              match:
                description: Match allows the user to limit which resources get mutated.
                  Individual match criteria are AND-ed together. An undefined match
                  criteria matches everything.
                properties:
                  excludedNamespaces:
                    description: 'ExcludedNamespaces is a list of namespace names.
                      If defined, a constraint only applies to resources not in a
                      listed namespace. ExcludedNamespaces also supports a prefix
                      or suffix based glob.  For example, `excludedNamespaces: [kube-*]`
                      matches both `kube-system` and `kube-public`, and `excludedNamespaces:
                      [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  kinds:
                    items:
                      description: Kinds accepts a list of objects with apiGroups
                        and kinds fields that list the groups/kinds of objects to
                        which the mutation will apply. If multiple groups/kinds objects
                        are specified, only one match is needed for the resource to
                        be in scope.
                      properties:
                        apiGroups:
                          description: APIGroups is the API groups the resources belong
                            to. '*' is all groups. If '*' is present, the length of
                            the slice must be one. Required.
                          items:
                            type: string
                          type: array
                        kinds:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  labelSelector:
                    description: 'LabelSelector is the combination of two optional
                      fields: `matchLabels` and `matchExpressions`.  These two fields
                      provide different methods of selecting or excluding k8s objects
                      based on the label keys and values included in object metadata.  All
                      selection expressions from both sections are ANDed to determine
                      if an object meets the cumulative requirements of the selector.'
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  name:
                    description: 'Name is the name of an object.  If defined, it will
                      match against objects with the specified name.  Name also supports
                      a prefix or suffix glob.  For example, `name: pod-*` would match
                      both `pod-a` and `pod-b`, and `name: *-pod` would match both
                      `a-pod` and `b-pod`.'
                    pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                    type: string
                  namespaceSelector:
                    description: NamespaceSelector is a label selector against an
                      object's containing namespace or the object itself, if the object
                      is a namespace.
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  namespaces:
                    description: 'Namespaces is a list of namespace names. If defined,
                      a constraint only applies to resources in a listed namespace.  Namespaces
                      also supports a prefix or suffix based glob.  For example, `namespaces:
                      [kube-*]` matches both `kube-system` and `kube-public`, and
                      `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  scope:
                    description: Scope determines if cluster-scoped and/or namespaced-scoped
                      resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`.
                      (defaults to `*`)
                    type: string
                  source:
                    description: Source determines whether generated or original resources
                      are matched. Accepts `Generated`|`Original`|`All` (defaults
                      to `All`). A value of `Generated` will only match generated
                      resources, while `Original` will only match regular resources.
                    enum:
                    - All
                    - Generated
                    - Original
                    type: string
                type: object
              parameters:
                description: Parameters define the behavior of the mutator.
                properties:
                  operation:
                    default: merge
                    description: Operation describes whether values should be merged
                      in ("merge"), or pruned ("prune"). Default value is "merge"
                    enum:
                    - merge
                    - prune
                    type: string
                  pathTests:
                    description: PathTests are a series of existence tests that can
                      be checked before a mutation is applied
                    items:
                      description: "PathTest allows the user to customize how the
                        mutation works if parent paths are missing. It traverses the
                        list in order. All sub paths are tested against the provided
                        condition, if the test fails, the mutation is not applied.
                        All `subPath` entries must be a prefix of `location`. Any
                        glob characters will take on the same value as was used to
                        expand the matching glob in `location`. \n Available Tests:
                        * MustExist    - the path must exist or do not mutate * MustNotExist
                        - the path must not exist or do not mutate."
                      properties:
                        condition:
                          description: Condition describes whether the path either
                            MustExist or MustNotExist in the original object
                          enum:
                          - MustExist
                          - MustNotExist
                          type: string
                        subPath:
                          type: string
                      type: object
                    type: array
                  values:
                    description: Values describes the values provided to the operation
                      as `values.fromList`.
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                type: object
            type: object
          status:
            description: ModifySetStatus defines the observed state of ModifySet.
            properties:
              byPod:
                items:
                  description: MutatorPodStatusStatus defines the observed state of
                    MutatorPodStatus.
                  properties:
                    enforced:
                      type: boolean
                    errors:
                      items:
                        description: MutatorError represents a single error caught
                          while adding a mutator to a system.
                        properties:
                          message:
                            type: string
                          type:
                            description: Type indicates a specific class of error
                              for use by controller code. If not present, the error
                              should be treated as not matching any known type.
                            type: string
                        required:
                        - message
                        type: object
                      type: array
                    id:
                      type: string
                    mutatorUID:
                      description: Storing the mutator UID allows us to detect drift,
                        such as when a mutator has been recreated after its CRD was
                        deleted out from under it, interrupting the watch
                      type: string
                    observedGeneration:
                      format: int64
                      type: integer
                    operations:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ModifySet allows the user to modify non-keyed lists, such as
          the list of arguments to a container.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ModifySetSpec defines the desired state of ModifySet.
            properties:
              applyTo:
                description: ApplyTo lists the specific groups, versions and kinds
                  a mutation will be applied to. This is necessary because every mutation
                  implies part of an object schema and object schemas are associated
                  with specific GVKs.
                items:
                  description: ApplyTo determines what GVKs items the mutation should
                    apply to. Globs are not allowed.
                  properties:
                    groups:
                      items:
                        type: string
                      type: array
                    kinds:
                      items:
                        type: string
                      type: array
                    versions:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              location:
                description: 'Location describes the path to be mutated, for example:
                  `spec.containers[name: main].args`.'
                type: string
              match:
                description: Match allows the user to limit which resources get mutated.
                  Individual match criteria are AND-ed together. An undefined match
                  criteria matches everything.
                properties:
                  excludedNamespaces:
                    description: 'ExcludedNamespaces is a list of namespace names.
                      If defined, a constraint only applies to resources not in a
                      listed namespace. ExcludedNamespaces also supports a prefix
                      or suffix based glob.  For example, `excludedNamespaces: [kube-*]`
                      matches both `kube-system` and `kube-public`, and `excludedNamespaces:
                      [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  kinds:
                    items:
                      description: Kinds accepts a list of objects with apiGroups
                        and kinds fields that list the groups/kinds of objects to
                        which the mutation will apply. If multiple groups/kinds objects
                        are specified, only one match is needed for the resource to
                        be in scope.
                      properties:
                        apiGroups:
                          description: APIGroups is the API groups the resources belong
                            to. '*' is all groups. If '*' is present, the length of
                            the slice must be one. Required.
                          items:
                            type: string
                          type: array
                        kinds:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  labelSelector:
                    description: 'LabelSelector is the combination of two optional
                      fields: `matchLabels` and `matchExpressions`.  These two fields
                      provide different methods of selecting or excluding k8s objects
                      based on the label keys and values included in object metadata.  All
                      selection expressions from both sections are ANDed to determine
                      if an object meets the cumulative requirements of the selector.'
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  name:
                    description: 'Name is the name of an object.  If defined, it will
                      match against objects with the specified name.  Name also supports
                      a prefix or suffix glob.  For example, `name: pod-*` would match
                      both `pod-a` and `pod-b`, and `name: *-pod` would match both
                      `a-pod` and `b-pod`.'
                    pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                    type: string
                  namespaceSelector:
                    description: NamespaceSelector is a label selector against an
                      object's containing namespace or the object itself, if the object
                      is a namespace.
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  namespaces:
                    description: 'Namespaces is a list of namespace names. If defined,
                      a constraint only applies to resources in a listed namespace.  Namespaces
                      also supports a prefix or suffix based glob.  For example, `namespaces:
                      [kube-*]` matches both `kube-system` and `kube-public`, and
                      `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  scope:
                    description: Scope determines if cluster-scoped and/or namespaced-scoped
                      resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`.
                      (defaults to `*`)
                    type: string
                  source:
                    description: Source determines whether generated or original resources
                      are matched. Accepts `Generated`|`Original`|`All` (defaults
                      to `All`). A value of `Generated` will only match generated
                      resources, while `Original` will only match regular resources.
                    enum:
                    - All
                    - Generated
                    - Original
                    type: string
                type: object
              parameters:
                description: Parameters define the behavior of the mutator.
                properties:
                  operation:
                    default: merge
                    description: Operation describes whether values should be merged
                      in ("merge"), or pruned ("prune"). Default value is "merge"
                    enum:
                    - merge
                    - prune
                    type: string
                  pathTests:
                    description: PathTests are a series of existence tests that can
                      be checked before a mutation is applied
                    items:
                      description: "PathTest allows the user to customize how the
                        mutation works if parent paths are missing. It traverses the
                        list in order. All sub paths are tested against the provided
                        condition, if the test fails, the mutation is not applied.
                        All `subPath` entries must be a prefix of `location`. Any
                        glob characters will take on the same value as was used to
                        expand the matching glob in `location`. \n Available Tests:
                        * MustExist    - the path must exist or do not mutate * MustNotExist
                        - the path must not exist or do not mutate."
                      properties:
                        condition:
                          description: Condition describes whether the path either
                            MustExist or MustNotExist in the original object
                          enum:
                          - MustExist
                          - MustNotExist
                          type: string
                        subPath:
                          type: string
                      type: object
                    type: array
                  values:
                    description: Values describes the values provided to the operation
                      as `values.fromList`.
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                type: object
            type: object
          status:
            description: ModifySetStatus defines the observed state of ModifySet.
            properties:
              byPod:
                items:
                  description: MutatorPodStatusStatus defines the observed state of
                    MutatorPodStatus.
                  properties:
                    enforced:
                      type: boolean
                    errors:
                      items:
                        description: MutatorError represents a single error caught
                          while adding a mutator to a system.
                        properties:
                          message:
                            type: string
                          type:
                            description: Type indicates a specific class of error
                              for use by controller code. If not present, the error
                              should be treated as not matching any known type.
                            type: string
                        required:
                        - message
                        type: object
                      type: array
                    id:
                      type: string
                    mutatorUID:
                      description: Storing the mutator UID allows us to detect drift,
                        such as when a mutator has been recreated after its CRD was
                        deleted out from under it, interrupting the watch
                      type: string
                    observedGeneration:
                      format: int64
                      type: integer
                    operations:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: ModifySet allows the user to modify non-keyed lists, such as
          the list of arguments to a container.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ModifySetSpec defines the desired state of ModifySet.
            properties:
              applyTo:
                description: ApplyTo lists the specific groups, versions and kinds
                  a mutation will be applied to. This is necessary because every mutation
                  implies part of an object schema and object schemas are associated
                  with specific GVKs.
                items:
                  description: ApplyTo determines what GVKs items the mutation should
                    apply to. Globs are not allowed.
                  properties:
                    groups:
                      items:
                        type: string
                      type: array
                    kinds:
                      items:
                        type: string
                      type: array
                    versions:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              location:
                description: 'Location describes the path to be mutated, for example:
                  `spec.containers[name: main].args`.'
                type: string
              match:
                description: Match allows the user to limit which resources get mutated.
                  Individual match criteria are AND-ed together. An undefined match
                  criteria matches everything.
                properties:
                  excludedNamespaces:
                    description: 'ExcludedNamespaces is a list of namespace names.
                      If defined, a constraint only applies to resources not in a
                      listed namespace. ExcludedNamespaces also supports a prefix
                      or suffix based glob.  For example, `excludedNamespaces: [kube-*]`
                      matches both `kube-system` and `kube-public`, and `excludedNamespaces:
                      [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  kinds:
                    items:
                      description: Kinds accepts a list of objects with apiGroups
                        and kinds fields that list the groups/kinds of objects to
                        which the mutation will apply. If multiple groups/kinds objects
                        are specified, only one match is needed for the resource to
                        be in scope.
                      properties:
                        apiGroups:
                          description: APIGroups is the API groups the resources belong
                            to. '*' is all groups. If '*' is present, the length of
                            the slice must be one. Required.
                          items:
                            type: string
                          type: array
                        kinds:
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  labelSelector:
                    description: 'LabelSelector is the combination of two optional
                      fields: `matchLabels` and `matchExpressions`.  These two fields
                      provide different methods of selecting or excluding k8s objects
                      based on the label keys and values included in object metadata.  All
                      selection expressions from both sections are ANDed to determine
                      if an object meets the cumulative requirements of the selector.'
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  name:
                    description: 'Name is the name of an object.  If defined, it will
                      match against objects with the specified name.  Name also supports
                      a prefix or suffix glob.  For example, `name: pod-*` would match
                      both `pod-a` and `pod-b`, and `name: *-pod` would match both
                      `a-pod` and `b-pod`.'
                    pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                    type: string
                  namespaceSelector:
                    description: NamespaceSelector is a label selector against an
                      object's containing namespace or the object itself, if the object
                      is a namespace.
                    properties:
                      matchExpressions:
                        description: matchExpressions is a list of label selector
                          requirements. The requirements are ANDed.
                        items:
                          description: A label selector requirement is a selector
                            that contains values, a key, and an operator that relates
                            the key and values.
                          properties:
                            key:
                              description: key is the label key that the selector
                                applies to.
                              type: string
                            operator:
                              description: operator represents a key's relationship
                                to a set of values. Valid operators are In, NotIn,
                                Exists and DoesNotExist.
                              type: string
                            values:
                              description: values is an array of string values. If
                                the operator is In or NotIn, the values array must
                                be non-empty. If the operator is Exists or DoesNotExist,
                                the values array must be empty. This array is replaced
                                during a strategic merge patch.
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        additionalProperties:
                          type: string
                        description: matchLabels is a map of {key,value} pairs. A
                          single {key,value} in the matchLabels map is equivalent
                          to an element of matchExpressions, whose key field is "key",
                          the operator is "In", and the values array contains only
                          "value". The requirements are ANDed.
                        type: object
                    type: object
                  namespaces:
                    description: 'Namespaces is a list of namespace names. If defined,
                      a constraint only applies to resources in a listed namespace.  Namespaces
                      also supports a prefix or suffix based glob.  For example, `namespaces:
                      [kube-*]` matches both `kube-system` and `kube-public`, and
                      `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
                    items:
                      description: 'A string that supports globbing at its front or
                        end. Ex: "kube-*" will match "kube-system" or "kube-public",
                        "*-system" will match "kube-system" or "gatekeeper-system".  The
                        asterisk is required for wildcard matching.'
                      pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                      type: string
                    type: array
                  scope:
                    description: Scope determines if cluster-scoped and/or namespaced-scoped
                      resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`.
                      (defaults to `*`)
                    type: string
                  source:
                    description: Source determines whether generated or original resources
                      are matched. Accepts `Generated`|`Original`|`All` (defaults
                      to `All`). A value of `Generated` will only match generated
                      resources, while `Original` will only match regular resources.
                    enum:
                    - All
                    - Generated
                    - Original
                    type: string
                type: object
              parameters:
                description: Parameters define the behavior of the mutator.
                properties:
                  operation:
                    default: merge
                    description: Operation describes whether values should be merged
                      in ("merge"), or pruned ("prune"). Default value is "merge"
                    enum:
                    - merge
                    - prune
                    type: string
                  pathTests:
                    description: PathTests are a series of existence tests that can
                      be checked before a mutation is applied
                    items:
                      description: "PathTest allows the user to customize how the
                        mutation works if parent paths are missing. It traverses the
                        list in order. All sub paths are tested against the provided
                        condition, if the test fails, the mutation is not applied.
                        All `subPath` entries must be a prefix of `location`. Any
                        glob characters will take on the same value as was used to
                        expand the matching glob in `location`. \n Available Tests:
                        * MustExist    - the path must exist or do not mutate * MustNotExist
                        - the path must not exist or do not mutate."
                      properties:
                        condition:
                          description: Condition describes whether the path either
                            MustExist or MustNotExist in the original object
                          enum:
                          - MustExist
                          - MustNotExist
                          type: string
                        subPath:
                          type: string
                      type: object
                    type: array
                  values:
                    description: Values describes the values provided to the operation
                      as `values.fromList`.
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                type: object
            type: object
          status:
            description: ModifySetStatus defines the observed state of ModifySet.
            properties:
              byPod:
                items:
                  description: MutatorPodStatusStatus defines the observed state of
                    MutatorPodStatus.
                  properties:
                    enforced:
                      type: boolean
                    errors:
                      items:
                        description: MutatorError represents a single error caught
                          while adding a mutator to a system.
                        properties:
                          message:
                            type: string
                          type:
                            description: Type indicates a specific class of error
                              for use by controller code. If not present, the error
                              should be treated as not matching any known type.
                            type: string
                        required:
                        - message
                        type: object
                      type: array
                    id:
                      type: string
                    mutatorUID:
                      description: Storing the mutator UID allows us to detect drift,
                        such as when a mutator has been recreated after its CRD was
                        deleted out from under it, interrupting the watch
                      type: string
                    observedGeneration:
                      format: int64
                      type: integer
                    operations:
                      items:
                        type: string
                      type: array
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.10.0
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: mutatorpodstatuses.status.gatekeeper.sh
spec:
  group: status.gatekeeper.sh
  names:
    kind: MutatorPodStatus
    listKind: MutatorPodStatusList
    plural: mutatorpodstatuses
    singular: mutatorpodstatus
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: MutatorPodStatus is the Schema for the mutationpodstatuses API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          status:
            description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
            properties:
              enforced:
                type: boolean
              errors:
                items:
                  description: MutatorError represents a single error caught while
                    adding a mutator to a system.
                  properties:
                    message:
                      type: string
                    type:
                      description: Type indicates a specific class of error for use
                        by controller code. If not present, the error should be treated
                        as not matching any known type.
                      type: string
                  required:
                  - message
                  type: object
                type: array
              id:
                type: string
              mutatorUID:
                description: Storing the mutator UID allows us to detect drift, such
                  as when a mutator has been recreated after its CRD was deleted out
                  from under it, interrupting the watch
                type: string
              observedGeneration:
                format: int64
                type: integer
              operations:
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.10.0
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: providers.externaldata.gatekeeper.sh
spec:
  group: externaldata.gatekeeper.sh
  names:
    kind: Provider
    listKind: ProviderList
    plural: providers
    singular: provider
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - deprecated: true
    deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1
      instead.
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: Provider is the Schema for the Provider API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the Provider specifications.
            properties:
              caBundle:
                description: CABundle is a base64-encoded string that contains the
                  TLS CA bundle in PEM format. It is used to verify the signature
                  of the provider's certificate.
                type: string
              timeout:
                description: Timeout is the timeout when querying the provider.
                type: integer
              url:
                description: URL is the url for the provider. URL is prefixed with
                  http:// or https://.
                type: string
            type: object
        type: object
    served: true
    storage: true
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: Provider is the Schema for the providers API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the Provider specifications.
            properties:
              caBundle:
                description: CABundle is a base64-encoded string that contains the
                  TLS CA bundle in PEM format. It is used to verify the signature
                  of the provider's certificate.
                type: string
              timeout:
                description: Timeout is the timeout when querying the provider.
                type: integer
              url:
                description: URL is the url for the provider. URL is prefixed with
                  http:// or https://.
                type: string
            type: object
        type: object
    served: true
    storage: false
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: gatekeeper-admin
  namespace: gatekeeper-system
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: gatekeeper-admin
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 1
    rule: MustRunAs
  volumes:
  - configMap
  - projected
  - secret
  - downwardAPI
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: gatekeeper-manager-role
  namespace: gatekeeper-system
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: gatekeeper-manager-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - config.gatekeeper.sh
  resources:
  - configs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - config.gatekeeper.sh
  resources:
  - configs/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - constraints.gatekeeper.sh
  resources:
  - '*'
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - policy
  resourceNames:
  - gatekeeper-admin
  resources:
  - podsecuritypolicies
  verbs:
  - use
- apiGroups:
  - status.gatekeeper.sh
  resources:
  - '*'
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - templates.gatekeeper.sh
  resources:
  - constrainttemplates
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - templates.gatekeeper.sh
  resources:
  - constrainttemplates/finalizers
  verbs:
  - delete
  - get
  - patch
  - update
- apiGroups:
  - templates.gatekeeper.sh
  resources:
  - constrainttemplates/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - gatekeeper-validating-webhook-configuration
  resources:
  - validatingwebhookconfigurations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: gatekeeper-manager-rolebinding
  namespace: gatekeeper-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gatekeeper-manager-role
subjects:
- kind: ServiceAccount
  name: gatekeeper-admin
  namespace: gatekeeper-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: gatekeeper-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gatekeeper-manager-role
subjects:
- kind: ServiceAccount
  name: gatekeeper-admin
  namespace: gatekeeper-system
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: gatekeeper-webhook-server-cert
  namespace: gatekeeper-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: gatekeeper-webhook-service
  namespace: gatekeeper-system
spec:
  ports:
  - port: 443
    targetPort: 8443
  selector:
    control-plane: controller-manager
    env: dev
    gatekeeper.sh/operation: webhook
    gatekeeper.sh/system: "yes"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: controller-manager
    env: dev
    gatekeeper.sh/operation: audit
    gatekeeper.sh/system: "yes"
  name: gatekeeper-audit
  namespace: gatekeeper-system
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: audit-controller
      gatekeeper.sh/operation: audit
      gatekeeper.sh/system: "yes"
  template:
    metadata:
      annotations:
        container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
      labels:
        control-plane: audit-controller
        env: dev
        gatekeeper.sh/operation: audit
        gatekeeper.sh/system: "yes"
    spec:
      containers:
      - args:
        - --operation=audit
        - --operation=status
        - --logtostderr
        command:
        - /manager
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        image: europe-west1-docker.pkg.dev/project-id/openpolicyagent/gatekeeper:v3.11.0@sha256:5f139378901f2f782f8549f3d23a24046170f662d746b6a3200c4d4d5ac97244
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz
            port: 9090
        name: manager
        ports:
        - containerPort: 8888
          name: metrics
          protocol: TCP
        - containerPort: 9090
          name: healthz
          protocol: TCP
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /readyz
            port: 9090
          initialDelaySeconds: 1 # delay 1s after appllicaton started
          periodSeconds: 2 # 2s period
          successThreshold: 1
          timeoutSeconds: 3
        resources:
          limits:
            cpu: 1000m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 256Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          runAsGroup: 999
          runAsNonRoot: true
          runAsUser: 1000
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: gatekeeper-admin
      terminationGracePeriodSeconds: 60
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: controller-manager
    env: dev
    gatekeeper.sh/operation: webhook
    gatekeeper.sh/system: "yes"
  name: gatekeeper-controller-manager
  namespace: gatekeeper-system
spec:
  replicas: 3
  selector:
    matchLabels:
      control-plane: controller-manager
      gatekeeper.sh/operation: webhook
      gatekeeper.sh/system: "yes"
  template:
    metadata:
      annotations:
        container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
      labels:
        control-plane: controller-manager
        env: dev
        gatekeeper.sh/operation: webhook
        gatekeeper.sh/system: "yes"
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: gatekeeper.sh/operation
                  operator: In
                  values:
                  - webhook
              topologyKey: kubernetes.io/hostname
            weight: 100
      containers:
      - args:
        - --port=8443
        - --logtostderr
        - --exempt-namespace=gatekeeper-system
        - --operation=webhook
        command:
        - /manager
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        image: europe-west1-docker.pkg.dev/project-id/openpolicyagent/gatekeeper:v3.11.0@sha256:5f139378901f2f782f8549f3d23a24046170f662d746b6a3200c4d4d5ac97244
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz
            port: 9090
        name: manager
        ports:
        - containerPort: 8443
          name: webhook-server
          protocol: TCP
        - containerPort: 8888
          name: metrics
          protocol: TCP
        - containerPort: 9090
          name: healthz
          protocol: TCP
        readinessProbe:
          failureThreshold: 30  # do probe 30 times
          httpGet:
            path: /readyz
            port: 9090
          initialDelaySeconds: 1 # delay 1s after appllicaton started
          periodSeconds: 2 # 2s period
          successThreshold: 1
          timeoutSeconds: 3  
        resources:
          limits:
            cpu: 1000m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 256Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          runAsGroup: 999
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /certs
          name: cert
          readOnly: true
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: gatekeeper-admin
      terminationGracePeriodSeconds: 60
      volumes:
      - name: cert
        secret:
          defaultMode: 420
          secretName: gatekeeper-webhook-server-cert
---
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  labels:
    env: dev
  name: config
  namespace: gatekeeper-system
spec:
  sync:
    syncOnly:
    - group: networking.k8s.io
      kind: Ingress
      version: v1
    - group: kafka.phenix.carrefour.com
      kind: KafkaTopic
      version: v1alpha1
---
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  labels:
    env: dev
  name: ingressclassannotation
  namespace: gatekeeper-system
spec:
  crd:
    spec:
      names:
        kind: IngressClassAnnotation
      validation:
        openAPIV3Schema:
          properties:
            authorizedclass:
              type: string
          type: object
  targets:
  - rego: "package ingressclassannotation\n\nviolation[{\"msg\": msg}] {\n  annotation
      := input.review.object.metadata.annotations[\"kubernetes.io/ingress.class\"]
      \n  not annotation == input.parameters.authorizedclass\n  msg := sprintf(\"you
      must provide the right annotation kubernetes.io/ingress.class: %s\", [annotation])\n}\n"
    target: admission.k8s.gatekeeper.sh
---
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  labels:
    env: dev
  name: ingressduplicate
  namespace: gatekeeper-system
spec:
  crd:
    spec:
      names:
        kind: IngressDuplicate
  targets:
  - rego: |
      package ingressduplicate

      having_path(review) {
        path := review.object.spec.rules[_].http.paths[_].path
      }

      identical(obj, review) {
        obj.metadata.namespace == review.object.metadata.namespace
        obj.metadata.name == review.object.metadata.name
      }

      violation[{"msg": msg}] {
        input.review.kind.kind == "Ingress"
        re_match("^(extensions|networking.k8s.io)$", input.review.kind.group)
        input.review.operation == "CREATE"
        host := input.review.object.spec.rules[_].host
        path := input.review.object.spec.rules[_].http.paths[_].path
        other := data.inventory.namespace[ns][otherapiversion]["Ingress"][name]
        re_match("^(extensions|networking.k8s.io)/.+$", otherapiversion)
        other.spec.rules[_].host == host;other.spec.rules[_].http.paths[_].path == path
        not identical(other, input.review)
        msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host])
      }

      violation[{"msg": msg}] {
        input.review.kind.kind == "Ingress"
        re_match("^(extensions|networking.k8s.io)$", input.review.kind.group)
        input.review.operation == "UPDATE"
        host := input.review.object.spec.rules[_].host
        path := input.review.object.spec.rules[_].http.paths[_].path
        other := data.inventory.namespace[ns][otherapiversion]["Ingress"][name]
        re_match("^(extensions|networking.k8s.io)/.+$", otherapiversion)
        other.spec.rules[_].host == host;other.spec.rules[_].http.paths[_].path == path
        not identical(other, input.review)
        msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host])
      }

      violation[{"msg": msg}] {
        input.review.kind.kind == "Ingress"
        re_match("^(extensions|networking.k8s.io)$", input.review.kind.group)
        input.review.operation == "CREATE"
        host := input.review.object.spec.rules[_].host
        not having_path(input.review)
        other := data.inventory.namespace[ns][otherapiversion]["Ingress"][name]
        not having_path(other)
        re_match("^(extensions|networking.k8s.io)/.+$", otherapiversion)
        other.spec.rules[_].host == host
        not identical(other, input.review)
        msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host])
      }

      violation[{"msg": msg}] {
        input.review.kind.kind == "Ingress"
        re_match("^(extensions|networking.k8s.io)$", input.review.kind.group)
        input.review.operation == "UPDATE"
        host := input.review.object.spec.rules[_].host
        not having_path(input.review)
        other := data.inventory.namespace[ns][otherapiversion]["Ingress"][name]
        not having_path(other)
        re_match("^(extensions|networking.k8s.io)/.+$", otherapiversion)
        other.spec.rules[_].host == host
        not identical(other, input.review)
        msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host])
      }
    target: admission.k8s.gatekeeper.sh
---
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  labels:
    env: dev
  name: k8scontainerlimits
  namespace: gatekeeper-system
spec:
  crd:
    spec:
      names:
        kind: K8sContainerLimits
  targets:
  - rego: |
      package k8scontainerlimits

      missing(obj, field) = true {
        not obj[field]
      }
      missing(obj, field) = true {
        obj[field] == ""
      }

      general_violation[{"msg": msg, "field": field}] {
        input.review.kind.kind == "Pod"
        container := input.review.object.spec[field][_]
        not container.resources
        msg := sprintf("container <%v> has no resource limits", [container.name])
      }
      general_violation[{"msg": msg, "field": field}] {
        input.review.kind.kind == "Deployment"
        container := input.review.object.spec.template.spec[field][_]
        not container.resources
        msg := sprintf("container <%v> has no resource limits", [container.name])
      }
      general_violation[{"msg": msg, "field": field}] {
        input.review.kind.kind == "Pod"
        container := input.review.object.spec[field][_]
        not container.resources.limits
        msg := sprintf("container <%v> has no resource limits", [container.name])
      }
      general_violation[{"msg": msg, "field": field}] {
        input.review.kind.kind == "Deployment"
        container := input.review.object.spec.template.spec[field][_]
        not container.resources.limits
        msg := sprintf("container <%v> has no resource limits", [container.name])
      }
      general_violation[{"msg": msg, "field": field}] {
        input.review.kind.kind == "Pod"
        container := input.review.object.spec[field][_]
        missing(container.resources.limits, "cpu")
        msg := sprintf("container <%v> has no cpu limit", [container.name])
      }
      general_violation[{"msg": msg, "field": field}] {
        input.review.kind.kind == "Deployment"
        container := input.review.object.spec.template.spec[field][_]
        missing(container.resources.limits, "cpu")
        msg := sprintf("container <%v> has no cpu limit", [container.name])
      }
      general_violation[{"msg": msg, "field": field}] {
        input.review.kind.kind == "Pod"
        container := input.review.object.spec[field][_]
        missing(container.resources.limits, "memory")
        msg := sprintf("container <%v> has no memory limit", [container.name])
      }
      general_violation[{"msg": msg, "field": field}] {
        input.review.kind.kind == "Deployment"
        container := input.review.object.spec.template.spec[field][_]
        missing(container.resources.limits, "memory")
        msg := sprintf("container <%v> has no memory limit", [container.name])
      }
      violation[{"msg": msg}] {
        general_violation[{"msg": msg, "field": "containers"}]
      }
      violation[{"msg": msg}] {
        general_violation[{"msg": msg, "field": "initContainers"}]
      }
    target: admission.k8s.gatekeeper.sh
---
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  labels:
    env: dev
  name: kafkapartitionsprotection
  namespace: gatekeeper-system
spec:
  crd:
    spec:
      names:
        kind: KafkaPartitionsProtection
  targets:
  - rego: |
      package kafkapartitionsprotection

      identical(obj, review) {
        obj.metadata.namespace == review.object.metadata.namespace
        obj.metadata.name == review.object.metadata.name
      }

      violation[{"msg": msg}] {
        input.review.kind.kind == "KafkaTopic"
        re_match("^(kafka.phenix.carrefour.com)$", input.review.kind.group)
        part := input.review.object.spec.partitions
        existingtopic := data.inventory.namespace[ns][apigroup]["KafkaTopic"][name]
        identical(existingtopic,input.review)
        existingtopic.spec.partitions > part
        msg := sprintf("Can not reduce partition number on topic: <%v>, from %v to %v", [input.review.object.metadata.name,existingtopic.spec.partitions,part])
      }
    target: admission.k8s.gatekeeper.sh
---
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  labels:
    env: dev
  name: namespaceprotection
  namespace: gatekeeper-system
spec:
  crd:
    spec:
      names:
        kind: NamespaceProtection
      validation:
        openAPIV3Schema:
          properties:
            invinciblesuffix:
              type: string
          type: object
  targets:
  - rego: |
      package namespaceprotection

      violation[{"msg": msg}] {
        input.review.operation == "DELETE"
        missing_required_label[msg]
      }

      violation[{"msg": msg}] {
        input.review.operation == "DELETE"
        env_namespace[msg]
      }

      missing_required_label[msg] {
        label := input.review.object.metadata.labels["protected"]
        not label = "no"
        msg = "Namespaces labelled with protected=yes can not be deleted"
      }

      env_namespace[msg] {
        endswith(input.review.object.metadata.name,input.parameters.invinciblesuffix)
        msg = "Namespaces with this suffix can not be deleted"
      }
    target: admission.k8s.gatekeeper.sh
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    env: dev
    gatekeeper.sh/system: "yes"
  name: gatekeeper-validating-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    service:
      name: gatekeeper-webhook-service
      namespace: gatekeeper-system
      path: /v1/admit
  failurePolicy: Ignore
  matchPolicy: Exact
  name: validation.gatekeeper.sh
  namespaceSelector:
    matchExpressions:
    - key: admission.gatekeeper.sh/ignore
      operator: DoesNotExist
  rules:
  - apiGroups:
    - '*'
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - '*'
  sideEffects: None
  timeoutSeconds: 3
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    service:
      name: gatekeeper-webhook-service
      namespace: gatekeeper-system
      path: /v1/admitlabel
  failurePolicy: Fail
  matchPolicy: Exact
  name: check-ignore-label.gatekeeper.sh
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - namespaces
  sideEffects: None
  timeoutSeconds: 3

[maxsmythe]

It doesn't look like the gatekeeper-audit deployment is mounting the secret.

[nassereddinebelghith]

I don't see a reason that it does not mount the volume:

kind: Deployment
metadata:
  labels:
    control-plane: controller-manager
    gatekeeper.sh/operation: audit
    gatekeeper.sh/system: "yes"
  name: gatekeeper-audit
  namespace: gatekeeper-system
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: audit-controller
      gatekeeper.sh/operation: audit
      gatekeeper.sh/system: "yes"
  template:
    metadata:
      annotations:
        container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
      labels:
        control-plane: audit-controller
        gatekeeper.sh/operation: audit
        gatekeeper.sh/system: "yes"
    spec:
      containers:
      - args:
        - --operation=audit
        - --operation=status
        - --logtostderr
        command:
        - /manager
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        image: openpolicyagent/gatekeeper
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz
            port: 9090
        name: manager
        ports:
        - containerPort: 8888
          name: metrics
          protocol: TCP
        - containerPort: 9090
          name: healthz
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /readyz
            port: 9090
        resources:
          limits:
            cpu: 1000m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 256Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          runAsGroup: 999
          runAsNonRoot: true
          runAsUser: 1000
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: gatekeeper-admin
      terminationGracePeriodSeconds: 60
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: controller-manager
    gatekeeper.sh/operation: webhook
    gatekeeper.sh/system: "yes"
  name: gatekeeper-controller-manager
  namespace: gatekeeper-system
spec:
  replicas: 3
  selector:
    matchLabels:
      control-plane: controller-manager
      gatekeeper.sh/operation: webhook
      gatekeeper.sh/system: "yes"
  template:
    metadata:
      annotations:
        container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
      labels:
        control-plane: controller-manager
        gatekeeper.sh/operation: webhook
        gatekeeper.sh/system: "yes"
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: gatekeeper.sh/operation
                  operator: In
                  values:
                  - webhook
              topologyKey: kubernetes.io/hostname
            weight: 100
      containers:
      - args:
        - --port=8443
        - --logtostderr
        - --exempt-namespace=gatekeeper-system
        - --operation=webhook
        command:
        - /manager
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        image: openpolicyagent/gatekeeper
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthz
            port: 9090
        name: manager
        ports:
        - containerPort: 8443
          name: webhook-server
          protocol: TCP
        - containerPort: 8888
          name: metrics
          protocol: TCP
        - containerPort: 9090
          name: healthz
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /readyz
            port: 9090
        resources:
          limits:
            cpu: 1000m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 256Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          runAsGroup: 999
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /certs
          name: cert
          readOnly: true
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: gatekeeper-admin
      terminationGracePeriodSeconds: 60
      volumes:
      - name: cert
        secret:
          defaultMode: 420
          secretName: gatekeeper-webhook-server-cert

[nassereddinebelghith]

The error is:
error: could not mount certs, errorVerbose: could not mount certs github.com/open-policy-agent/cert-controller/pkg/rotator.(*CertRotator).Start

[maxsmythe]

The audit deployment does not have the appropriate volumes entry and the associated mount:

      volumes:
      - name: cert
        secret:
          defaultMode: 420
          secretName: gatekeeper-webhook-server-cert

[ritazh]

Specifically https://github.com/open-policy-agent/gatekeeper/blob/8170c5f7dad05cc49d86f8a7dcebaf4a6600adc0/deploy/gatekeeper.yaml#L3228-L3230 and https://github.com/open-policy-agent/gatekeeper/blob/8170c5f7dad05cc49d86f8a7dcebaf4a6600adc0/deploy/gatekeeper.yaml#L3239-L3242 are missing from the audit deployment. This was added in v3.9.0.

[nassereddinebelghith]

@maxsmythe thank you sooo much for continuous support , @ritazh thank you for your details , it solved the problem

[maxsmythe]

Glad we could help :)