github.com/Racer159/jackal@v0.32.7-0.20240401174413-0bd2339e4f2e/packages/jackal-agent/manifests/webhook.yaml (about) 1 apiVersion: admissionregistration.k8s.io/v1 2 kind: MutatingWebhookConfiguration 3 metadata: 4 name: jackal 5 webhooks: 6 - name: agent-pod.jackal.dev 7 namespaceSelector: 8 matchExpressions: 9 - key: "kubernetes.io/metadata.name" 10 operator: NotIn 11 values: 12 # Ensure we don't mess with kube-system 13 - "kube-system" 14 # Allow ignoring whole namespaces 15 - key: jackal.dev/agent 16 operator: NotIn 17 values: 18 - "skip" 19 - "ignore" 20 objectSelector: 21 matchExpressions: 22 # Always ignore specific resources if requested by annotation/label 23 - key: jackal.dev/agent 24 operator: NotIn 25 values: 26 - "skip" 27 - "ignore" 28 # Ignore K3s Klipper 29 - key: svccontroller.k3s.cattle.io/svcname 30 operator: DoesNotExist 31 clientConfig: 32 service: 33 name: agent-hook 34 namespace: jackal 35 path: "/mutate/pod" 36 caBundle: "###JACKAL_AGENT_CA###" 37 rules: 38 - operations: 39 - "CREATE" 40 - "UPDATE" 41 apiGroups: 42 - "" 43 apiVersions: 44 - "v1" 45 resources: 46 - "pods" 47 admissionReviewVersions: 48 - "v1" 49 - "v1beta1" 50 sideEffects: None 51 - name: agent-flux-gitrepo.jackal.dev 52 namespaceSelector: 53 matchExpressions: 54 # Ensure we don't mess with kube-system 55 - key: "kubernetes.io/metadata.name" 56 operator: NotIn 57 values: 58 - "kube-system" 59 # Allow ignoring whole namespaces 60 - key: jackal.dev/agent 61 operator: NotIn 62 values: 63 - "skip" 64 - "ignore" 65 objectSelector: 66 matchExpressions: 67 # Always ignore specific resources if requested by annotation/label 68 - key: jackal.dev/agent 69 operator: NotIn 70 values: 71 - "skip" 72 - "ignore" 73 clientConfig: 74 service: 75 name: agent-hook 76 namespace: jackal 77 path: "/mutate/flux-gitrepository" 78 caBundle: "###JACKAL_AGENT_CA###" 79 rules: 80 - operations: 81 - "CREATE" 82 - "UPDATE" 83 apiGroups: 84 - "source.toolkit.fluxcd.io" 85 apiVersions: 86 - "v1beta1" 87 - "v1beta2" 88 - "v1" 89 resources: 90 - "gitrepositories" 91 admissionReviewVersions: 92 - "v1" 93 - "v1beta1" 94 sideEffects: None 95 - name: agent-argocd-application.jackal.dev 96 namespaceSelector: 97 matchExpressions: 98 # Ensure we don't mess with kube-system 99 - key: "kubernetes.io/metadata.name" 100 operator: NotIn 101 values: 102 - "kube-system" 103 # Allow ignoring whole namespaces 104 - key: jackal.dev/agent 105 operator: NotIn 106 values: 107 - "skip" 108 - "ignore" 109 objectSelector: 110 matchExpressions: 111 # Always ignore specific resources if requested by annotation/label 112 - key: jackal.dev/agent 113 operator: NotIn 114 values: 115 - "skip" 116 - "ignore" 117 clientConfig: 118 service: 119 name: agent-hook 120 namespace: jackal 121 path: "/mutate/argocd-application" 122 caBundle: "###JACKAL_AGENT_CA###" 123 rules: 124 - operations: 125 - "CREATE" 126 - "UPDATE" 127 apiGroups: 128 - "argoproj.io" 129 apiVersions: 130 - "v1alpha1" 131 resources: 132 - "applications" 133 admissionReviewVersions: 134 - "v1" 135 - "v1beta1" 136 sideEffects: None 137 - name: agent-argocd-repository.jackal.dev 138 namespaceSelector: 139 matchExpressions: 140 # Ensure we don't mess with kube-system 141 - key: "kubernetes.io/metadata.name" 142 operator: NotIn 143 values: 144 - "kube-system" 145 # Allow ignoring whole namespaces 146 - key: jackal.dev/agent 147 operator: NotIn 148 values: 149 - "skip" 150 - "ignore" 151 objectSelector: 152 matchExpressions: 153 # Always ignore specific resources if requested by annotation/label 154 - key: jackal.dev/agent 155 operator: NotIn 156 values: 157 - "skip" 158 - "ignore" 159 - key: argocd.argoproj.io/secret-type 160 operator: In 161 values: 162 - repository 163 clientConfig: 164 service: 165 name: agent-hook 166 namespace: jackal 167 path: "/mutate/argocd-repository" 168 caBundle: "###JACKAL_AGENT_CA###" 169 rules: 170 - operations: 171 - "CREATE" 172 - "UPDATE" 173 apiGroups: 174 - "" 175 apiVersions: 176 - "v1" 177 resources: 178 - "secrets" 179 admissionReviewVersions: 180 - "v1" 181 - "v1beta1" 182 sideEffects: None