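# Service fronting the tolerator pods. The listing's gutter numbers and
# collapsed indentation have been removed so the document parses as YAML.
apiVersion: v1
kind: Service
metadata:
  name: tolerator
  namespace: tolerator
  labels:
    app: tolerator
spec:
  # type is unset, so this defaults to ClusterIP (in-cluster reachability only).
  # Traffic goes to every pod in this namespace labelled app=tolerator, so
  # write access to the namespace decides who can receive these requests.
  selector:
    app: tolerator
  ports:
  # 443 is the default port the API server dials for a webhook Service;
  # the container listens on 8443 (see the Deployment's containerPort).
  # NOTE(review): presumably an admission webhook endpoint, judging by the
  # ClusterRole and certificate secret in this file - confirm.
  - port: 443
    targetPort: 8443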
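---
# Identity the tolerator pods run as (referenced by serviceAccountName in the
# Deployment and by the ClusterRoleBinding subject in this file).
# automountServiceAccountToken is unset, so the token is mounted into the pod
# by default; anything that can read the pod's filesystem holds the
# permissions bound to this account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tolerator
  namespace: tolerator
  labels:
    app: tolerator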
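---
# Cluster-wide permissions for the tolerator service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tolerator
  labels:
    app: tolerator
rules:
# Full read/write on EVERY MutatingWebhookConfiguration in the cluster.
# A mutating webhook can rewrite objects at admission time, so this grant is
# highly privileged: it covers other components' webhook configurations too.
# NOTE(review): if tolerator only manages its own configuration, scope
# get/update/patch/delete with resourceNames to that one object and keep a
# separate rule for create (create cannot be limited by resourceNames).
# Audit-log writes to this resource type by this service account.
- resources: ["mutatingwebhookconfigurations"]
  apiGroups: ["admissionregistration.k8s.io"]
  verbs: ["create", "get", "delete", "list", "patch", "update", "watch"]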
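---
# Grants the tolerator ClusterRole to exactly one subject: the tolerator
# ServiceAccount in the tolerator namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tolerator
  labels:
    app: tolerator
roleRef:
  name: tolerator
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
# Any workload allowed to run as this service account inherits the webhook
# configuration permissions, so pod creation in the namespace should be
# restricted accordingly.
- name: tolerator
  namespace: tolerator
  kind: ServiceAccount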
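---
# Runs the tolerator server. The listing's gutter numbers and collapsed
# indentation have been removed; nesting follows the apps/v1 Deployment schema.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tolerator
  namespace: tolerator
  labels:
    app: tolerator
spec:
  # replicas is unset, so this defaults to a single pod.
  # NOTE(review): if this backs an admission webhook, one replica makes
  # admission depend on a single pod; behaviour during an outage is decided by
  # the webhook's failurePolicy, which is not visible here - confirm.
  selector:
    matchLabels:
      app: tolerator
  template:
    metadata:
      labels:
        app: tolerator
    spec:
      # Runs with the service account bound to the ClusterRole in this file.
      serviceAccountName: tolerator
      # PriorityClass is defined elsewhere; not visible in this listing.
      priorityClassName: edge-p1-critical-infra
      # NOTE(review): no pod- or container-level securityContext is set.
      # Consider runAsNonRoot, allowPrivilegeEscalation: false, dropping all
      # capabilities, readOnlyRootFilesystem and a RuntimeDefault seccomp
      # profile once the image is confirmed to work with them (8443 is an
      # unprivileged port, so no bind capability is needed).
      # NOTE(review): no resources requests/limits and no readiness/liveness
      # probes are declared.
      containers:
      - name: tolerator
        # bzl:// is not a registry reference; presumably build tooling
        # substitutes the pushed image - verify it resolves to a digest.
        image: bzl://cmd/sds/tolerator:container_push
        args:
        - -service-name=tolerator
        ports:
        - containerPort: 8443
        env:
        # Downward API: exposes the pod's own namespace to the process.
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        # Certificate material from the secret below, mounted read-only.
        - name: cert
          readOnly: true
          mountPath: "/var/cert"
        lifecycle:
          # Needs /bin/sh and /prestop.sh inside the image; the script's
          # contents are not shown here.
          preStop:
            exec:
              command: ["/bin/sh", "-c", "/prestop.sh"]
        # With IfNotPresent a node reuses a cached image for the same
        # reference; a digest-pinned image avoids stale or mismatched content.
        imagePullPolicy: IfNotPresent
      volumes:
      # NOTE(review): presumably holds the webhook's TLS key pair; read access
      # to secrets in this namespace should be limited - confirm.
      - name: cert
        secret:
          secretName: tolerator-webhook-certificate
      imagePullSecrets:
      - name: edge-docker-pull-secret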