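{{ define "webhooks.yaml.tpl" }}
# Registers the image admission webhook with the API server. CREATE and
# UPDATE requests for the workload kinds listed under rules are sent to the
# /admit path of the chart's Service before they are persisted.
#
# Templated scalars are quoted so that an all-digit release name or namespace
# is rendered as a string instead of being retyped as an integer by the YAML
# parser.
#
# NOTE(review): admissionregistration.k8s.io/v1beta1 was removed in
# Kubernetes 1.22. Moving to v1 also requires sideEffects and
# admissionReviewVersions on each webhook, so it has to be done together with
# a check of which AdmissionReview versions the webhook server accepts.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: image-admission-config
  # With cert-manager enabled, its CA injector populates caBundle from the
  # referenced Certificate, so no static bundle is rendered further down.
  {{- if .Values.UseCertManager }}
  annotations:
    cert-manager.io/inject-ca-from: "{{ .Values.namespace }}/portieris-certs"
  {{- end }}
  # MutatingWebhookConfiguration is cluster-scoped; this field does not
  # restrict where the webhook applies.
  namespace: {{ .Values.namespace | quote }}
  labels:
    app: {{ include "portieris.name" . | quote }}
    chart: {{ include "portieris.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
webhooks:
  - name: trust.hooks.securityenforcement.admission.cloud.ibm.com
    clientConfig:
      service:
        name: {{ include "portieris.name" . | quote }}
        namespace: {{ .Values.namespace | quote }}
        path: "/admit"
      # Static CA bundle shipped with the chart, used only when cert-manager
      # is not. If certs/ca.crt is missing, this renders as an empty string;
      # the API server then presumably cannot verify a privately issued
      # serving certificate, and failurePolicy Fail turns that into rejected
      # requests - confirm the file is present at packaging time.
      {{- if not .Values.UseCertManager }}
      caBundle: {{ .Files.Get "certs/ca.crt" | b64enc | quote }}
      {{- end }}
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["*"]
        apiVersions: ["*"]
        resources:
          - "pods"
          - "deployments"
          - "replicationcontrollers"
          - "replicasets"
          - "daemonsets"
          - "statefulsets"
          - "jobs"
          - "cronjobs"
    # Fail closed: when the webhook is unreachable or returns an error,
    # matching requests are rejected instead of being admitted unchecked.
    # NOTE(review): the namespace that runs the webhook presumably needs the
    # skip label below so its own pods can be recreated during an outage -
    # confirm against the install procedure.
    failurePolicy: Fail
    # Namespaces labelled with this key set to "skip" are exempt from the
    # webhook. Permission to label a namespace is therefore permission to
    # turn image policy enforcement off for it: restrict that permission via
    # RBAC and audit namespaces that carry the label.
    namespaceSelector:
      matchExpressions:
        - key: securityenforcement.admission.cloud.ibm.com/namespace
          operator: NotIn
          values:
            - skip
{{ end }}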