Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PodSecurity: update webhook manifest for beta #106106

Merged
merged 4 commits into from
Nov 3, 2021
Merged

PodSecurity: update webhook manifest for beta #106106

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4986780
PodSecurity: update webhook manifest for beta
liggitt Nov 3, 2021
d92e0db
PodSecurity: update webhook manifest to label namespace as restricted
liggitt Nov 3, 2021
f6456d0
PodSecurity: update webhook manifest to target linux/amd64 node
liggitt Nov 3, 2021
9f92fb0
PodSecurity: update webhook manifest to use named port
liggitt Nov 3, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 5 additions & 1 deletion staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: pod-security-webhook
name: pod-security-webhook
labels:
# Even though the validating webhook excludes intercepting this namespace to avoid a circular dependency,
# the deployment pod spec is compatible with the restricted level, so mark the namespace as restricted anyway.
pod-security.kubernetes.io/enforce: restricted
liggitt marked this conversation as resolved.
Show resolved Hide resolved
2 changes: 1 addition & 1 deletion staging/src/k8s.io/pod-security-admission/webhook/manifests/20-configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ metadata:
namespace: pod-security-webhook
data:
podsecurityconfiguration.yaml: |
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
# Defaults applied when a mode label is not set.
#
Expand Down
13 changes: 10 additions & 3 deletions staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,9 @@ spec:
spec:
serviceAccountName: pod-security-webhook
priorityClassName: system-cluster-critical
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
volumes:
- name: config
configMap:
Expand All @@ -25,10 +28,14 @@ spec:
secretName: pod-security-webhook
containers:
- name: pod-security-webhook
image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.22-alpha.0
image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.23-beta.0
terminationMessagePolicy: FallbackToLogsOnError
ports:
- containerPort: 8443
- name: webhook
# A port > 1024 avoids needing low port bind privileges.
# Using the same port as the kubelet is likely to already be permitted in apiserver -> node firewall rules.
# The pod has its own IP and doesn't run with hostNetwork, so there's no port conflict with the kubelet.
containerPort: 10250
liggitt marked this conversation as resolved.
Show resolved Hide resolved
args:
[
"--config",
Expand All @@ -38,7 +45,7 @@ spec:
"--tls-private-key-file",
"/etc/pki/tls.key",
"--secure-port",
"8443",
"10250",
]
resources:
requests:
Expand Down
2 changes: 1 addition & 1 deletion staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ metadata:
spec:
ports:
- port: 443
targetPort: 8443
targetPort: webhook
protocol: TCP
name: https
selector:
Expand Down