-
Notifications
You must be signed in to change notification settings - Fork 0
/
admission-registration.yaml
186 lines (186 loc) · 4.2 KB
/
admission-registration.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
---
apiVersion: v1
kind: Namespace
metadata:
name: eviction-webhook
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: eviction-webhook
namespace: eviction-webhook
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: eviction-webhook
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: eviction-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: eviction-webhook
subjects:
- kind: ServiceAccount
name: eviction-webhook
namespace: eviction-webhook
---
apiVersion: v1
kind: Service
metadata:
name: eviction-webhook
namespace: eviction-webhook
spec:
ports:
- port: 443
targetPort: 8443
selector:
app: eviction-webhook
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: eviction-webhook
namespace: eviction-webhook
spec:
replicas: 1
selector:
matchLabels:
app: eviction-webhook
template:
metadata:
labels:
app: eviction-webhook
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8443"
prometheus.io/scheme: "https"
prometheus.io/path: "/metrics"
spec:
serviceAccountName: eviction-webhook
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
containers:
- name: server
image: quay.io/mrincompetent/eviction-webhook:v0.0.3
command: [ "/eviction-webhook" ]
args: [
"-listen-address", "0.0.0.0:8443",
"-tls.cert-path", "/etc/webhook/certs/tls.crt",
"-tls.key-path", "/etc/webhook/certs/tls.key",
]
ports:
- containerPort: 8443
name: webhook
readinessProbe:
httpGet:
path: /ready
port: webhook
scheme: HTTPS
resources:
requests:
cpu: 50m
memory: 50Mi
limits:
cpu: 100m
memory: 100Mi
lifecycle:
preStop:
exec:
command: [ "/bin/sleep", "10" ]
volumeMounts:
- name: certs
mountPath: /etc/webhook/certs
readOnly: true
volumes:
- name: certs
secret:
secretName: eviction-webhook-certs
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: eviction-webhook-self-signed-issuer
namespace: eviction-webhook
spec:
selfSigned: { }
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: eviction-webhook-root-cert
namespace: eviction-webhook
spec:
secretName: eviction-webhook-root-cert
issuerRef:
name: eviction-webhook-self-signed-issuer
commonName: "ca.webhook.eviction-webhook"
isCA: true
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: eviction-webhook-root-issuer
namespace: eviction-webhook
spec:
ca:
secretName: eviction-webhook-root-cert
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: eviction-webhook-cert
namespace: eviction-webhook
spec:
secretName: eviction-webhook-certs
duration: 1h0m0s
renewBefore: 55m
issuerRef:
name: eviction-webhook-root-issuer
dnsNames:
- eviction-webhook
- eviction-webhook.eviction-webhook
- eviction-webhook.eviction-webhook.svc
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: "eviction-webhook.mrincompetent.io"
annotations:
cert-manager.io/inject-ca-from: eviction-webhook/eviction-webhook-cert
webhooks:
- name: "eviction-webhook.mrincompetent.io"
rules:
- apiGroups: [ "" ]
apiVersions: [ "v1" ]
operations: [ "CREATE" ]
resources: [ "pods/eviction" ]
scope: "Namespaced"
clientConfig:
service:
name: eviction-webhook
namespace: eviction-webhook
path: "/validate-eviction"
admissionReviewVersions: [ "v1" ]
sideEffects: None
timeoutSeconds: 30