apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity the two certgen Jobs below run as; the Role and ClusterRole in
  # this file are bound to this account and to nothing else.
  name: gateway-api-admission
  namespace: gateway-system
  labels:
    name: gateway-api-webhook
---
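apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-api-admission
  labels:
    # NOTE(review): this label value differs from the other objects in this
    # file (gateway-api-webhook). Left unchanged in case something selects
    # on it; confirm before aligning.
    name: gateway-api
rules:
# The patch Job only reads and updates the single webhook configuration it is
# pointed at (--webhook-name=gateway-api-admission). Scoping the grant with
# resourceNames keeps this ServiceAccount from being able to rewrite every
# ValidatingWebhookConfiguration in the cluster. get and update honour
# resourceNames; list/watch/create would not, but none of those are needed.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  resourceNames:
  - gateway-api-admission
  verbs:
  - get
  - update
---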
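apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-api-admission
  # The empty `annotations:` key (parsed as null) was dropped; it carried
  # nothing and trips yamllint's empty-values check.
  labels:
    name: gateway-api-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gateway-api-admission
subjects:
# Cluster-wide webhook permissions go to exactly one ServiceAccount, in one
# namespace.
- kind: ServiceAccount
  name: gateway-api-admission
  namespace: gateway-system
---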
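apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gateway-api-admission
  namespace: gateway-system
  labels:
    name: gateway-api-webhook
rules:
# Read access is limited to the one Secret both Jobs name with
# --secret-name=gateway-api-admission, rather than every Secret in
# gateway-system.
- apiGroups:
  - ''
  resources:
  - secrets
  resourceNames:
  - gateway-api-admission
  verbs:
  - get
# create cannot be narrowed with resourceNames (the authorizer does not know
# the object's name before it exists), so it lives in its own unscoped rule.
- apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - create
---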
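apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gateway-api-admission
  namespace: gateway-system
  # The empty `annotations:` key (parsed as null) was dropped; it carried
  # nothing and trips yamllint's empty-values check.
  labels:
    name: gateway-api-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gateway-api-admission
subjects:
- kind: ServiceAccount
  name: gateway-api-admission
  namespace: gateway-system
---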
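apiVersion: batch/v1
kind: Job
metadata:
  name: gateway-api-admission
  namespace: gateway-system
  # The empty `annotations:` key (parsed as null) was dropped; it carried
  # nothing and trips yamllint's empty-values check.
  labels:
    name: gateway-api-webhook
spec:
  template:
    metadata:
      name: gateway-api-admission-create
      labels:
        name: gateway-api-webhook
    spec:
      serviceAccountName: gateway-api-admission
      restartPolicy: OnFailure
      # Pod-level identity; the container repeats these and adds the rest of
      # the restricted-profile settings.
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        runAsGroup: 2000
      containers:
      - name: create
        # NOTE(review): the image is referenced by a mutable tag. Pinning to
        # registry.k8s.io/ingress-nginx/kube-webhook-certgen@sha256:<digest>
        # (or enforcing digests via admission policy) stops a re-tagged image
        # from being pulled in place of the reviewed one.
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
        imagePullPolicy: IfNotPresent
        # certgen `create`: issue a serving certificate for the listed
        # hostnames and store it in the named Secret in this namespace. The
        # SANs must cover every name the API server uses to reach the webhook
        # Service (short name and <svc>.<ns>.svc); the Service itself is not
        # in this excerpt, so verify the names match it.
        args:
        - create
        - --host=gateway-api-admission-server,gateway-api-admission-server.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=gateway-api-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2000
          runAsGroup: 2000
          capabilities:
            drop:
            - "ALL"
          seccompProfile:
            type: RuntimeDefault
---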
apiVersion: batch/v1
kind: Job
metadata:
  name: gateway-api-admission-patch
  namespace: gateway-system
  labels:
    name: gateway-api-webhook
spec:
  template:
    metadata:
      name: gateway-api-admission-patch
      labels:
        name: gateway-api-webhook
    spec:
      serviceAccountName: gateway-api-admission
      # Retries until the Secret written by the create Job is available.
      restartPolicy: OnFailure
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        runAsGroup: 2000
      containers:
      - name: patch
        # NOTE(review): same mutable-tag concern as the create Job; prefer a
        # @sha256 digest reference.
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
        imagePullPolicy: IfNotPresent
        # certgen `patch`: take the CA from the named Secret and write it into
        # the named ValidatingWebhookConfiguration only (mutating webhooks are
        # left untouched), forcing failurePolicy=Fail so the webhook fails
        # closed when it is unreachable.
        args:
        - patch
        - --webhook-name=gateway-api-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --patch-validating=true
        - --secret-name=gateway-api-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2000
          runAsGroup: 2000
          capabilities:
            drop:
            - "ALL"
          seccompProfile:
            type: RuntimeDefault