PodSecurity: update webhook manifest to use named port

2025-07-24 12:15:52 +00:00 · 2021-11-03 11:36:04 -04:00 · 2021-11-03 11:36:04 -04:00 · 9f92fb0d7e
commit 9f92fb0d7e
parent f6456d098e
2 changed files with 7 additions and 3 deletions
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
@ -31,7 +31,11 @@ spec:
          image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.23-beta.0
          terminationMessagePolicy: FallbackToLogsOnError
          ports:
-            - containerPort: 8443
+            - name: webhook
+              # A port > 1024 avoids needing low port bind privileges.
+              # Using the same port as the kubelet is likely to already be permitted in apiserver -> node firewall rules.
+              # The pod has its own IP and doesn't run with hostNetwork, so there's no port conflict with the kubelet.
+              containerPort: 10250
          args:
            [
              "--config",
@ -41,7 +45,7 @@ spec:
              "--tls-private-key-file",
              "/etc/pki/tls.key",
              "--secure-port",
-              "8443",
+              "10250",
            ]
          resources:
            requests:
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml
@ -8,7 +8,7 @@ metadata:
 spec:
  ports:
    - port: 443
-      targetPort: 8443
+      targetPort: webhook
      protocol: TCP
      name: https
  selector: