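---
# Admission-webhook controller Pod for kube-system.
#
# Security-relevant shape of this manifest (all visible below):
#   - runs on the host network (hostNetwork: true);
#   - reads the cluster CA certificate AND private key, the etcd client PKI
#     directory and a node kubeconfig straight from the node via hostPath.
# Every hostPath that carries PKI material or credentials is mounted
# readOnly so the containers can use, but never alter, that material.
apiVersion: v1
kind: Pod
metadata:
  name: k8s-admission
  namespace: kube-system
  labels:
    run: k8s-admission
  annotations:
    prometheus.io/path: /metrics
    # NOTE(review): no container port in this spec is named "http-metrics"
    # (the only declared port is an unnamed 8543); the scrape target is either
    # resolved elsewhere or this annotation is stale — confirm.
    prometheus.io/port: http-metrics
    prometheus.io/scrape: "true"
spec:
  terminationGracePeriodSeconds: 30
  dnsPolicy: ClusterFirstWithHostNet
  # hostNetwork binds every listener of this pod directly on the node's
  # interfaces; presumably so the API server can reach the webhook without
  # cluster networking — confirm that is still required.
  hostNetwork: true
  hostname: k8s-admissions-controller
  initContainers:
    # Generates the webhook serving certificate into the shared tls-certs
    # emptyDir; the CA cert/key it is given are the cluster CA from the node.
    - name: init-admission-controller-tls-generate
      image: bzl://cmd/sds/admission/init:container_push
      command: ["/bin/sh", "/root/generate-tls.sh"]
      volumeMounts:
        - name: ca-cert
          mountPath: /etc/ca/ca.crt
          readOnly: true
        # SECURITY: this is the cluster CA *private key*. Anyone who can read
        # this container's filesystem can mint credentials for any identity
        # in the cluster. Mounted read-only so it cannot be modified; if
        # generate-tls.sh can be changed, prefer a dedicated signing key or a
        # CertificateSigningRequest flow over handing out the root key.
        - name: ca-key
          mountPath: /etc/ca/ca.key
          readOnly: true
        # Writable: generate-tls.sh writes the generated cert/key here.
        - name: tls-certs
          mountPath: /var/certs
  containers:
    - name: k8s-admission
      image: bzl://cmd/sds/admission/controller:container_push
      args:
        - run
      ports:
        - protocol: TCP
          containerPort: 8543
      env:
        - name: KUBECONFIG
          value: /root/.kube/config
        - name: PULLSECRET_NAMESPACE
          value: external-secrets
        - name: PULLSECRET_NAME
          value: edge-docker-pull-secret
        - name: WEBHOOK_NAME
          value: admission
        - name: WEBHOOK_DOMAIN
          value: edge.ncr.com
        - name: OLD_WEBHOOK_NAME
          value: admission-old
        # Public key used to verify image signatures; lives under the cosign
        # hostPath volume mounted below.
        - name: COSIGN_PUB_KEY
          value: /data/admission/public-keys/us-east1-docker.pkg.dev/edge-production.crt
      resources:
        limits:
          cpu: "100m"
          memory: 150Mi
        requests:
          cpu: 10m
          memory: 15Mi
      volumeMounts:
        - name: ca-cert
          mountPath: /ca/ca.crt
          readOnly: true
        # Serving cert/key produced by the init container. Left writable in
        # case the controller rotates its own certificate — make readOnly if
        # it only reads them.
        - name: tls-certs
          mountPath: /var/certs
        # NOTE(review): left writable because this manifest does not show
        # who populates the key directory (DirectoryOrCreate below only
        # creates it). Verification keys should be readOnly if the controller
        # only reads them — confirm and tighten.
        - name: cosign
          mountPath: /data/admission/public-keys
        # Node kubeconfig used via $KUBECONFIG above; read-only so the
        # controller cannot rewrite the node's credentials.
        - name: kubeconfig
          mountPath: /root/.kube/config
          readOnly: true
        # SECURITY: etcd client PKI gives direct etcd access, bypassing API
        # server RBAC and admission entirely. Read-only; review whether the
        # controller truly needs etcd access rather than the API.
        - name: etcd-certs
          mountPath: /etc/kubernetes/pki/etcd/
          readOnly: true
      imagePullPolicy: IfNotPresent
  volumes:
    - name: ca-cert
      hostPath:
        type: File
        path: /etc/kubernetes/pki/ca.crt
    # Cluster CA private key from the control-plane node (see init container).
    - name: ca-key
      hostPath:
        type: File
        path: /etc/kubernetes/pki/ca.key
    # DirectoryOrCreate: the pod may create this directory on the host.
    - name: cosign
      hostPath:
        type: DirectoryOrCreate
        path: /data/admission/public-keys
    - name: etcd-certs
      hostPath:
        type: Directory
        path: /etc/kubernetes/pki/etcd/
    - name: kubeconfig
      hostPath:
        type: File
        path: /etc/kubernetes/zylevel0.conf
    # Holds the freshly generated webhook private key; consider
    # `medium: Memory` so it never touches node disk — not changed here.
    - name: tls-certs
      emptyDir: {}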