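# Bootstrap manifests for the Gateway API validating admission webhook.
#
# Two one-shot Jobs (registry.k8s.io/ingress-nginx/kube-webhook-certgen) run
# under a dedicated ServiceAccount:
#   * "create" generates a self-signed serving cert and stores it in the
#     Secret gateway-api-admission (namespace of the Pod).
#   * "patch" writes that CA bundle into the ValidatingWebhookConfiguration
#     named gateway-api-admission and sets its failurePolicy to Fail.
#
# The RBAC below is scoped to exactly those two objects where the API allows
# it (resourceNames cannot constrain "create", so Secret creation stays
# namespace-wide). Previously-empty `annotations:` keys are written as `{}`
# so they parse as an empty map rather than null.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gateway-api-admission
  labels:
    name: gateway-api-webhook
  namespace: gateway-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-api-admission
  labels:
    name: gateway-api
rules:
  # The patch Job only touches the webhook configuration named by its
  # --webhook-name argument, so get/update are restricted to that object
  # instead of every ValidatingWebhookConfiguration in the cluster.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    resourceNames:
      - gateway-api-admission
    verbs:
      - get
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-api-admission
  annotations: {}
  labels:
    name: gateway-api-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gateway-api-admission
subjects:
  - kind: ServiceAccount
    name: gateway-api-admission
    namespace: gateway-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gateway-api-admission
  annotations: {}
  labels:
    name: gateway-api-webhook
  namespace: gateway-system
rules:
  # Reading is limited to the one Secret the Jobs pass via --secret-name.
  - apiGroups:
      - ''
    resources:
      - secrets
    resourceNames:
      - gateway-api-admission
    verbs:
      - get
  # "create" cannot be limited by resourceNames (the object does not exist
  # yet), so this rule is necessarily namespace-wide within gateway-system.
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gateway-api-admission
  annotations: {}
  labels:
    name: gateway-api-webhook
  namespace: gateway-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gateway-api-admission
subjects:
  - kind: ServiceAccount
    name: gateway-api-admission
    namespace: gateway-system
---
apiVersion: batch/v1
kind: Job
metadata:
  name: gateway-api-admission
  annotations: {}
  labels:
    name: gateway-api-webhook
  namespace: gateway-system
spec:
  template:
    metadata:
      name: gateway-api-admission-create
      labels:
        name: gateway-api-webhook
    spec:
      containers:
        - name: create
          # Tag-pinned; consider pinning by digest (image@sha256:<digest>)
          # so IfNotPresent cannot be satisfied by a re-pushed tag.
          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          args:
            - create
            # SANs must match the Service the webhook configuration points at.
            - --host=gateway-api-admission-server,gateway-api-admission-server.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=gateway-api-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2000
            runAsGroup: 2000
            capabilities:
              drop:
                - "ALL"
            seccompProfile:
              type: RuntimeDefault
      restartPolicy: OnFailure
      serviceAccountName: gateway-api-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        runAsGroup: 2000
---
apiVersion: batch/v1
kind: Job
metadata:
  name: gateway-api-admission-patch
  labels:
    name: gateway-api-webhook
  namespace: gateway-system
spec:
  template:
    metadata:
      name: gateway-api-admission-patch
      labels:
        name: gateway-api-webhook
    spec:
      containers:
        - name: patch
          # Tag-pinned; consider pinning by digest (image@sha256:<digest>)
          # so IfNotPresent cannot be satisfied by a re-pushed tag.
          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          args:
            - patch
            # Must equal the resourceNames entry in the ClusterRole above.
            - --webhook-name=gateway-api-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --patch-validating=true
            - --secret-name=gateway-api-admission
            # Fail closed: if the webhook is unreachable, admission is denied
            # rather than silently skipping validation.
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2000
            runAsGroup: 2000
            capabilities:
              drop:
                - "ALL"
            seccompProfile:
              type: RuntimeDefault
      restartPolicy: OnFailure
      serviceAccountName: gateway-api-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        runAsGroup: 2000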