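# Source: sigs.k8s.io/gateway-api@v1.0.0/config/webhook/certificate_config.yaml
#
# Certificate bootstrap for the Gateway API validating admission webhook.
# Two one-shot Jobs run kube-webhook-certgen under one ServiceAccount:
#   1. "create" stores the webhook's TLS material in the Secret
#      gateway-api-admission in gateway-system.
#   2. "patch" updates the ValidatingWebhookConfiguration
#      gateway-api-admission using that Secret.
# Both Jobs share the ServiceAccount, so each pod holds the union of the
# ClusterRole and Role below, although each needs only part of it.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gateway-api-admission
  labels:
    name: gateway-api-webhook
  namespace: gateway-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-api-admission
  labels:
    name: gateway-api
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    # Least privilege: without resourceNames, "update" would apply to every
    # ValidatingWebhookConfiguration in the cluster, including other
    # admission controllers' webhooks. The patch Job only addresses the one
    # named by --webhook-name, so the grant is scoped to that object.
    # NOTE(review): confirm both Jobs still complete after applying this.
    resourceNames:
      - gateway-api-admission
    verbs:
      - get
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-api-admission
  labels:
    name: gateway-api-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gateway-api-admission
subjects:
  - kind: ServiceAccount
    name: gateway-api-admission
    namespace: gateway-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gateway-api-admission
  labels:
    name: gateway-api-webhook
  namespace: gateway-system
rules:
  # Reads are limited to the certificate Secret named by --secret-name, so
  # the ServiceAccount cannot read other Secrets in gateway-system.
  - apiGroups:
      - ''
    resources:
      - secrets
    resourceNames:
      - gateway-api-admission
    verbs:
      - get
  # "create" cannot be restricted with resourceNames (the object name is not
  # part of the authorization request), so it stays namespace-wide.
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gateway-api-admission
  labels:
    name: gateway-api-webhook
  namespace: gateway-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gateway-api-admission
subjects:
  - kind: ServiceAccount
    name: gateway-api-admission
    namespace: gateway-system
---
# Job 1: generate the certificate and store it in the Secret.
apiVersion: batch/v1
kind: Job
metadata:
  name: gateway-api-admission
  labels:
    name: gateway-api-webhook
  namespace: gateway-system
spec:
  template:
    metadata:
      name: gateway-api-admission-create
      labels:
        name: gateway-api-webhook
    spec:
      containers:
        - name: create
          # Tag-only reference: tags are mutable, and IfNotPresent reuses
          # whatever image a node already cached under this tag. Consider
          # pinning by digest once verified against the registry, e.g.
          #   ...kube-webhook-certgen:v1.1.1@sha256:<DIGEST_PLACEHOLDER>
          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          args:
            - create
            # Names the certificate is issued for: the short Service name
            # and its <service>.<namespace>.svc form.
            - --host=gateway-api-admission-server,gateway-api-admission-server.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=gateway-api-admission
          env:
            # Downward API: resolves to the namespace the pod runs in.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2000
            runAsGroup: 2000
            capabilities:
              drop:
                - "ALL"
            seccompProfile:
              type: RuntimeDefault
      restartPolicy: OnFailure
      serviceAccountName: gateway-api-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        runAsGroup: 2000
---
# Job 2: patch the ValidatingWebhookConfiguration from the Secret.
apiVersion: batch/v1
kind: Job
metadata:
  name: gateway-api-admission-patch
  labels:
    name: gateway-api-webhook
  namespace: gateway-system
spec:
  template:
    metadata:
      name: gateway-api-admission-patch
      labels:
        name: gateway-api-webhook
    spec:
      containers:
        - name: patch
          # Same tag-only image reference as the create Job; the digest
          # pinning consideration applies here too.
          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=gateway-api-admission
            - --namespace=$(POD_NAMESPACE)
            # Only the validating configuration is patched; the RBAC above
            # grants nothing on mutatingwebhookconfigurations.
            - --patch-mutating=false
            - --patch-validating=true
            - --secret-name=gateway-api-admission
            # Fail-closed: matching API requests are rejected while the
            # admission server is unreachable. This keeps validation from
            # being bypassed, at the cost of availability during outages.
            - --patch-failure-policy=Fail
          env:
            # Downward API: resolves to the namespace the pod runs in.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2000
            runAsGroup: 2000
            capabilities:
              drop:
                - "ALL"
            seccompProfile:
              type: RuntimeDefault
      restartPolicy: OnFailure
      serviceAccountName: gateway-api-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        runAsGroup: 2000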