mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-04-27 03:21:04 +00:00
b9d88f74ed
The kata webhook requires a configmap to define what runtime class it should set for the newly created pods. Additionally, the configmap allows others to modify the default runtime class name we wish to set (in case the handler is kata but the name of the runtimeclass is different). Finally, this PR changes the webhook-check to compare the runtime of the newly created pod against the specific runtime class in the configmap, if said confimap doesn't exist, then it will default to "kata". Signed-off-by: Martin <mheberling@microsoft.com>
77 lines
1.8 KiB
YAML
77 lines
1.8 KiB
YAML
# Copyright (c) 2019 Intel Corporation
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: pod-annotate-webhook
|
|
labels:
|
|
app: pod-annotate-webhook
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: pod-annotate-webhook
|
|
replicas: 1
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: pod-annotate-webhook
|
|
spec:
|
|
containers:
|
|
- name: pod-annotate-webhook
|
|
image: quay.io/kata-containers/kata-webhook-example:latest
|
|
imagePullPolicy: Always
|
|
env:
|
|
- name: RUNTIME_CLASS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: kata-webhook
|
|
key: runtime_class
|
|
optional: true
|
|
args:
|
|
- -tls-cert-file=/etc/webhook/certs/cert.pem
|
|
- -tls-key-file=/etc/webhook/certs/key.pem
|
|
- -exclude-namespaces=rook-ceph-system,rook-ceph
|
|
volumeMounts:
|
|
- name: webhook-certs
|
|
mountPath: /etc/webhook/certs
|
|
readOnly: true
|
|
resources:
|
|
requests:
|
|
cpu: "100m"
|
|
memory: "250Mi"
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
volumes:
|
|
- name: webhook-certs
|
|
secret:
|
|
secretName: pod-annotate-webhook-certs
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: pod-annotate-webhook
|
|
labels:
|
|
app: pod-annotate-webhook
|
|
spec:
|
|
ports:
|
|
- port: 443
|
|
targetPort: 8080
|
|
selector:
|
|
app: pod-annotate-webhook
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: kata-webhook
|
|
data:
|
|
runtime_class: kata
|