# Dedicated namespace for the validating webhook and its sidecar.
apiVersion: v1
kind: Namespace
metadata:
  name: externalip-validation-system
  # Same label the Services select on and the Deployment pod template carries.
  labels:
    control-plane: webhook
---
# Permissions for the kube-rbac-proxy sidecar: creating TokenReviews lets it
# authenticate callers, creating SubjectAccessReviews lets it authorize them.
# The ClusterRoleBinding below grants this to the namespace's "default"
# ServiceAccount, which the Deployment uses implicitly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: externalip-validation-proxy-role
rules:
  - apiGroups: [authentication.k8s.io]
    resources: [tokenreviews]
    verbs: [create]
  - apiGroups: [authorization.k8s.io]
    resources: [subjectaccessreviews]
    verbs: [create]
---
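# Read access to the non-resource /metrics endpoint that the kube-rbac-proxy
# sidecar fronts. Nothing in this manifest binds this role: bind it to the
# ServiceAccount of whatever scrapes the metrics Service.
# Uses rbac.authorization.k8s.io/v1 like the other RBAC objects in this file;
# the v1beta1 RBAC API is no longer served by current Kubernetes releases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: externalip-validation-metrics-reader
rules:
  - nonResourceURLs: ["/metrics"]
    verbs: [get]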
---
# Grants the proxy role to the namespace's "default" ServiceAccount; the
# Deployment sets no serviceAccountName, so that is the identity its pod runs as.
# NOTE(review): any other pod in this namespace running as "default" inherits
# these cluster-wide TokenReview/SubjectAccessReview rights; a dedicated
# ServiceAccount for the webhook pod would keep the grant to one workload.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: externalip-validation-proxy-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: externalip-validation-proxy-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: externalip-validation-system
---
# Exposes the kube-rbac-proxy sidecar's TLS listener (container port named
# "https"), so metrics are only reachable through the authenticating proxy.
apiVersion: v1
kind: Service
metadata:
  name: externalip-validation-webhook-metrics-service
  namespace: externalip-validation-system
  labels:
    control-plane: webhook
spec:
  selector:
    control-plane: webhook
  ports:
    - name: https
      port: 8443
      targetPort: https
---
# Service the API server calls for admission: port 443 maps to the webhook
# container's 9443 listener. The Certificate below is issued for this
# Service's in-cluster DNS names.
apiVersion: v1
kind: Service
metadata:
  name: externalip-validation-webhook-service
  namespace: externalip-validation-system
spec:
  selector:
    control-plane: webhook
  ports:
    - port: 443
      targetPort: 9443
---
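# Webhook pod: the admission server plus a kube-rbac-proxy sidecar that fronts
# the server's loopback metrics endpoint with token authentication/authorization.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: externalip-validation-webhook
  namespace: externalip-validation-system
  labels:
    control-plane: webhook
  annotations:
    # Legacy alpha annotation; newer clusters express the same thing as
    # spec.template.spec.securityContext.seccompProfile.type: RuntimeDefault.
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
  # A single replica: any restart or reschedule makes the webhook unavailable;
  # the failurePolicy on the ValidatingWebhookConfiguration decides what the
  # API server does with Service requests in the meantime.
  replicas: 1
  selector:
    matchLabels:
      control-plane: webhook
  template:
    metadata:
      labels:
        control-plane: webhook
    spec:
      # No serviceAccountName: the pod runs as the namespace's "default"
      # ServiceAccount, which is what the ClusterRoleBinding grants the proxy role to.
      # NOTE(review): neither container sets a securityContext (runAsNonRoot,
      # readOnlyRootFilesystem, allowPrivilegeEscalation: false); add them once
      # both images are confirmed to run unprivileged.
      containers:
        # Sidecar: TLS listener on 8443 that forwards authenticated and
        # authorized requests to the webhook's loopback metrics address.
        - name: kube-rbac-proxy
          # NOTE(review): pin by digest (image@sha256:<digest>) rather than by
          # tag so a re-pushed upstream tag cannot change what the cluster runs.
          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
          args:
            - --secure-listen-address=0.0.0.0:8443
            - --upstream=http://127.0.0.1:8080/
            - --logtostderr=true
            # NOTE(review): --v=10 is maximum verbosity; lower it outside of
            # debugging so per-request details do not end up in pod logs.
            - --v=10
          ports:
            - containerPort: 8443
              name: https
        # The admission server itself.
        - name: webhook
          # NOTE(review): image comes from a personal Docker Hub namespace;
          # mirror it into a registry you control and pin by digest before
          # depending on it for admission control.
          image: dviejo/externalip-webhook:1.0.0
          command:
            - /webhook
          args:
            # Metrics bind to loopback only, so they are reachable solely
            # through the kube-rbac-proxy sidecar above.
            - --metrics-addr=127.0.0.1:8080
          ports:
            - containerPort: 9443
              name: webhook-server
              protocol: TCP
            # Matches --metrics-addr above. 8443 belongs to the sidecar, not to
            # this container; declaring it here duplicated the sidecar's port
            # and did not reflect where this process listens.
            - containerPort: 8080
              name: webhook-metrics
          resources:
            limits:
              cpu: 100m
              memory: 30Mi
            requests:
              cpu: 100m
              memory: 20Mi
          volumeMounts:
            # Serving certificate issued by cert-manager (see Certificate below).
            - name: cert
              mountPath: /tmp/k8s-webhook-server/serving-certs
              readOnly: true
      terminationGracePeriodSeconds: 10
      volumes:
        - name: cert
          secret:
            secretName: webhook-server-cert
            # 420 decimal == 0644: readable by every user inside the pod.
            defaultMode: 420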
---
# Serving certificate for the webhook Service. cert-manager writes it into the
# Secret the Deployment mounts, and the inject-ca-from annotation on the
# ValidatingWebhookConfiguration copies its CA into that object's caBundle.
# NOTE(review): cert-manager.io/v1alpha2 is a pre-1.0 API that recent
# cert-manager releases no longer serve; confirm the installed version.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: externalip-validation-serving-cert
  namespace: externalip-validation-system
spec:
  secretName: webhook-server-cert
  issuerRef:
    kind: Issuer
    name: externalip-validation-selfsigned-issuer
  # Must cover the DNS name the API server uses to reach the webhook Service.
  dnsNames:
    - externalip-validation-webhook-service.externalip-validation-system.svc
    - externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local
---
# Namespace-scoped self-signed issuer backing the serving Certificate above.
# Self-signed is sufficient here: the API server trusts the webhook through the
# injected caBundle, not through any public trust store.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: externalip-validation-selfsigned-issuer
  namespace: externalip-validation-system
spec:
  selfSigned: {}
---
# Registers the webhook for every Service CREATE and UPDATE cluster-wide
# (there is no namespaceSelector or objectSelector).
# NOTE(review): admissionregistration.k8s.io/v1beta1 is deprecated; the v1 API
# also requires sideEffects and admissionReviewVersions, so check that the
# webhook server accepts v1 AdmissionReview before migrating.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: externalip-validation-validating-webhook-configuration
  annotations:
    # cert-manager's cainjector replaces caBundle with this Certificate's CA.
    cert-manager.io/inject-ca-from: externalip-validation-system/externalip-validation-serving-cert
webhooks:
  - name: validate-externalip.webhook.svc
    # Ignore is fail-open: if the webhook is unreachable or times out, the
    # Service is admitted without validation, so an outage of the single
    # replica silently disables this control. Fail closes that gap at the cost
    # of blocking Service changes while the webhook is down.
    failurePolicy: Ignore
    clientConfig:
      # Placeholder (base64 of one newline) that the cainjector overwrites.
      caBundle: Cg==
      service:
        name: externalip-validation-webhook-service
        namespace: externalip-validation-system
        path: /validate-service
    rules:
      - apiGroups: [""]
        apiVersions: [v1]
        operations: [CREATE, UPDATE]
        resources: [services]