-
Notifications
You must be signed in to change notification settings - Fork 7
/
webhook-k8s-resources.template.yaml
132 lines (131 loc) · 3.51 KB
/
webhook-k8s-resources.template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
apiVersion: v1
kind: Secret
metadata:
name: k8s-delete-validation-webhook-secret
namespace: default
data:
tls_private_key: ${WEBHOOK_TLS_PRIVATE_KEY_B64}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: k8s-delete-validation-webhook-config
namespace: default
data:
tls_cert: |
${WEBHOOK_TLS_CERT}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: k8s-delete-validation-webhook
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: k8s-delete-validation-webhook
template:
metadata:
labels:
app: k8s-delete-validation-webhook
spec:
containers:
- name: k8s-delete-validation-webhook
image: ${WEBHOOK_IMAGE}
imagePullPolicy: IfNotPresent
ports:
- containerPort: 443
env:
#ANNOTATION_PREFIX_NAME_PLACEHOLDER
#ANNOTATION_PREFIX_VALUE_PLACEHOLDER
- name: TLS_CERT_FILE
value: /data/ssl_certs/server-cert.pem
- name: TLS_PRIVATE_KEY_FILE
value: /data/ssl_keys/server-key.pem
- name: LISTEN_PORT
value: "443"
- name: DEPLOYMENT_DELETION_FAILED_MESSAGE
value: "The deployment cannot be deleted as deletions are locked for this deployment"
- name: DEPLOYMENT_DELETION_LOCK_LABEL_KEY
value: "deleteLock"
- name: DEPLOYMENT_DELETION_LOCK_LABEL_VALUE
value: "enabled"
volumeMounts:
- name: ssl-certs
mountPath: "/data/ssl_certs"
readOnly: true
- name: ssl-keys
mountPath: "/data/ssl_keys"
readOnly: true
volumes:
- name: ssl-certs
configMap:
name: k8s-delete-validation-webhook-config
items:
- key: tls_cert
path: server-cert.pem
- name: ssl-keys
secret:
secretName: k8s-delete-validation-webhook-secret
items:
- key: tls_private_key
path: server-key.pem
---
apiVersion: v1
kind: Service
metadata:
name: k8s-delete-validation-webhook
namespace: default
spec:
ports:
- port: 443
targetPort: 443
selector:
app: k8s-delete-validation-webhook
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: k8s-delete-validation-webhook-cfg
webhooks:
- name: k8s-deletion-validation-webhook.test.com
clientConfig:
service:
name: k8s-delete-validation-webhook
namespace: default
path: "/validate"
caBundle: ${WEBHOOK_CA_BUNDLE}
rules:
- operations: ["DELETE"]
apiGroups: ["*"]
apiVersions: ["*"]
resources: ["deployments"]
failurePolicy: Fail
namespaceSelector:
matchLabels:
webhook: enabled
---
# ClusterRole and ClusterRoleBinding are required only for ingress validation.
# Service account permissions are needed to read the cluster ingresses from all namespaces for the validation.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: k8s-delete-validation-webhook
rules:
- apiGroups: ["*"]
resources: ["deployments"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-delete-validation-webhook-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k8s-delete-validation-webhook
subjects:
- kind: ServiceAccount
name: default
namespace: default