From 9f92fb0d7e8bf519839b172f255b2e091fa17081 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 3 Nov 2021 11:36:04 -0400
Subject: [PATCH] PodSecurity: update webhook manifest to use named port

---
 .../webhook/manifests/50-deployment.yaml | 8 ++++++--
 .../webhook/manifests/60-service.yaml | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
index d4e74dd3b77..14561adabcc 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml
@@ -31,7 +31,11 @@ spec:
 image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.23-beta.0
 terminationMessagePolicy: FallbackToLogsOnError
 ports:
- - containerPort: 8443
+ - name: webhook
+ # A port > 1024 avoids needing low port bind privileges.
+ # Using the same port as the kubelet is likely to already be permitted in apiserver -> node firewall rules.
+ # The pod has its own IP and doesn't run with hostNetwork, so there's no port conflict with the kubelet.
+ containerPort: 10250
 args: [
 "--config",
@@ -41,7 +45,7 @@ spec:
 "--tls-private-key-file",
 "/etc/pki/tls.key",
 "--secure-port",
- "8443",
+ "10250",
 ]
 resources:
 requests:
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml
index 0b5f66f4035..66f44dbb704 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
 ports:
 - port: 443
- targetPort: 8443
+ targetPort: webhook
 protocol: TCP
 name: https
 selector:
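Review bot: The new `containerPort: 10250` in the first hunk and the `"10250"` passed to `--secure-port` in the second hunk are two independent literals that must stay equal, and nothing in either place says so; the Service now follows the port by name, but the container argument does not, so a later edit to one of them would leave the webhook listening on a port the Service no longer targets. I would add a comment above `"--secure-port",` such as `# must match the containerPort named "webhook" in ports: above`. The rationale comment also states the apiserver-to-node firewall assumption as likely rather than known; it would be worth naming it as an assumption operators should verify for their network policy (`# NOTE: assumes apiserver -> 10250 is already allowed; verify against cluster network policy.`). The enclosing container spec starts before the first hunk and continues past the second.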
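Review bot: `targetPort: webhook` in the 60-service.yaml hunk is resolved against the container port name declared in a different file, and a Service whose named target port has no match simply gets no endpoints rather than failing validation, so the cross-file dependency deserves a note at the point of use. I would add above the changed line `# resolves by name to the "webhook" containerPort declared in 50-deployment.yaml`. The Service port is named `https` while the container port is named `webhook`; that is fine, but readers may expect the two names to match, so the comment also heads off that confusion. The Service spec continues past the hunk.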