github.com/k8snetworkplumbingwg/sriov-network-operator@v1.2.1-0.20240408194816-2d2e5a45d453/bindata/manifests/webhook/003-webhook.yaml

github.com/k8snetworkplumbingwg/sriov-network-operator@v1.2.1-0.20240408194816-2d2e5a45d453/bindata/manifests/webhook/003-webhook.yaml (about)

     1  ---
     2  apiVersion: admissionregistration.k8s.io/v1
     3  kind: MutatingWebhookConfiguration
     4  metadata:
     5    name: {{.SRIOVMutatingWebhookName}}
     6    annotations:
     7      {{- if eq .ClusterType "openshift" }}
     8      service.beta.openshift.io/inject-cabundle: "true"
     9      {{- else if and (.CertManagerEnabled) (eq .ClusterType "kubernetes") }}
    10      # Limitation: Certificate must be named as the secret it produces to avoid overcomplicating the logic with
    11      # more variables.
    12      cert-manager.io/inject-ca-from: {{.Namespace}}/{{.InjectorWebhookSecretName}}
    13      {{- end }}
    14  webhooks:
    15    - name: network-resources-injector-config.k8s.io
    16      sideEffects: None
    17      admissionReviewVersions: ["v1", "v1beta1"]
    18      {{- if .resourceInjectorMatchCondition}}
    19      failurePolicy: Fail
    20      matchConditions:
    21        - name: 'include-networks-annotation'
    22          expression: 'has(object.metadata.annotations) && "k8s.v1.cni.cncf.io/networks" in object.metadata.annotations'
    23      {{- else }}
    24      failurePolicy: Ignore
    25      {{- end}}
    26      clientConfig:
    27        service:
    28          name: network-resources-injector-service
    29          namespace: {{.Namespace}}
    30          path: "/mutate"
    31        {{- if and (not .CertManagerEnabled) (eq .ClusterType "kubernetes") }}
    32        caBundle: "{{.InjectorWebhookCA}}"
    33        {{- end }}
    34      rules:
    35        - operations: [ "CREATE" ]
    36          apiGroups: ["apps", ""]
    37          apiVersions: ["v1"]
    38          resources: ["pods"]