Merge pull request #106106 from liggitt/podsecurity-beta-webhook

PodSecurity: update webhook manifest for beta
Kubernetes Prow Robot 2021-11-03 14:20:45 -07:00 committed by GitHub
commit f28881de25
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 17 additions and 6 deletions


@ -1,4 +1,8 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: pod-security-webhook name: pod-security-webhook
labels:
# Even though the validating webhook excludes intercepting this namespace to avoid a circular dependency,
# the deployment pod spec is compatible with the restricted level, so mark the namespace as restricted anyway.
pod-security.kubernetes.io/enforce: restricted
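Review bot: The `pod-security.kubernetes.io/enforce: restricted` label added here is only acted on by the in-tree PodSecurity admission plugin, because, as the comment above it says, the webhook deliberately excludes this namespace; on a cluster that runs the webhook precisely because the built-in plugin is unavailable, the label documents intent but enforces nothing. The comment should state that limitation explicitly so an operator does not read the label as a control, e.g. `# Only the built-in PodSecurity admission plugin (if enabled) acts on this label; the webhook skips this namespace.` Consider also pinning the policy version with `pod-security.kubernetes.io/enforce-version` so the restricted profile applied to the webhook's own pod does not change silently on cluster upgrade.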


@ -5,7 +5,7 @@ metadata:
namespace: pod-security-webhook namespace: pod-security-webhook
data: data:
podsecurityconfiguration.yaml: | podsecurityconfiguration.yaml: |
apiVersion: pod-security.admission.config.k8s.io/v1alpha1 apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration kind: PodSecurityConfiguration
# Defaults applied when a mode label is not set. # Defaults applied when a mode label is not set.
# #


@ -16,6 +16,9 @@ spec:
spec: spec:
serviceAccountName: pod-security-webhook serviceAccountName: pod-security-webhook
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
volumes: volumes:
- name: config - name: config
configMap: configMap:
@ -25,10 +28,14 @@ spec:
secretName: pod-security-webhook secretName: pod-security-webhook
containers: containers:
- name: pod-security-webhook - name: pod-security-webhook
image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.22-alpha.0 image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.23-beta.0
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
ports: ports:
- containerPort: 8443 - name: webhook
# A port > 1024 avoids needing low port bind privileges.
# Using the same port as the kubelet is likely to already be permitted in apiserver -> node firewall rules.
# The pod has its own IP and doesn't run with hostNetwork, so there's no port conflict with the kubelet.
containerPort: 10250
args: args:
[ [
"--config", "--config",
@ -38,7 +45,7 @@ spec:
"--tls-private-key-file", "--tls-private-key-file",
"/etc/pki/tls.key", "/etc/pki/tls.key",
"--secure-port", "--secure-port",
"8443", "10250",
] ]
resources: resources:
requests: requests:
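Review bot: The image on the new side, `image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.23-beta.0`, is referenced by a mutable tag rather than a digest; for a component that sits on the admission path of every pod in the cluster, a tag can be re-pointed without this manifest changing, so pin it as `image: k8s.gcr.io/sig-auth/pod-security-webhook@sha256:<digest>` (or add a comment that the tag must be resolved to a digest before deployment). The port now appears twice, as `containerPort: 10250` and as `"--secure-port", "10250"`; a short comment on the args entry, `# must match the "webhook" containerPort above`, would keep them from drifting, since the Service's named port `webhook` would otherwise still route to a port the server no longer listens on. The comment's claim that apiserver -> node firewall rules "likely" already permit 10250 assumes those rules also match pod IPs, which is not generally true for node-scoped rules, so it is worth hedging further. The Deployment's spec begins before this hunk and the container's args list continues past it.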


@ -8,7 +8,7 @@ metadata:
spec: spec:
ports: ports:
- port: 443 - port: 443
targetPort: 8443 targetPort: webhook
protocol: TCP protocol: TCP
name: https name: https
selector: selector: