apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: gateway-api-admission webhooks: - name: validate.gateway.networking.k8s.io matchPolicy: Equivalent rules: - operations: [ "CREATE" , "UPDATE" ] apiGroups: [ "gateway.networking.k8s.io" ] apiVersions: [ "v1alpha2", "v1beta1" ] resources: [ "gateways", "gatewayclasses", "httproutes" ] failurePolicy: Fail sideEffects: None admissionReviewVersions: - v1 clientConfig: service: name: gateway-api-admission-server namespace: gateway-system path: "/validate" --- apiVersion: v1 kind: Service metadata: labels: name: gateway-api-webhook-server name: gateway-api-admission-server namespace: gateway-system spec: type: ClusterIP ports: - name: https-webhook port: 443 targetPort: 8443 selector: name: gateway-api-admission-server --- apiVersion: apps/v1 kind: Deployment metadata: name: gateway-api-admission-server namespace: gateway-system labels: name: gateway-api-admission-server spec: replicas: 1 selector: matchLabels: name: gateway-api-admission-server template: metadata: name: gateway-api-admission-server labels: name: gateway-api-admission-server spec: containers: - name: webhook image: registry.k8s.io/gateway-api/admission-server:v1.0.0-rc1 imagePullPolicy: IfNotPresent args: - -logtostderr - --tlsCertFile=/etc/certs/cert - --tlsKeyFile=/etc/certs/key - -v=10 - 2>&1 ports: - containerPort: 8443 name: webhook resources: limits: memory: 50Mi cpu: 100m requests: memory: 50Mi cpu: 100m volumeMounts: - name: webhook-certs mountPath: /etc/certs readOnly: true securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 65532 runAsGroup: 65532 capabilities: drop: - "ALL" seccompProfile: type: RuntimeDefault volumes: - name: webhook-certs secret: secretName: gateway-api-admission