Merge pull request #106106 from liggitt/podsecurity-beta-webhook

PodSecurity: update webhook manifest for beta

staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml

@@ -1,4 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: pod-security-webhook
+  name: pod-security-webhook
+  labels:
+    # Even though the validating webhook excludes intercepting this namespace to avoid a circular dependency,
+    # the deployment pod spec is compatible with the restricted level, so mark the namespace as restricted anyway.
+    pod-security.kubernetes.io/enforce: restricted

staging/src/k8s.io/pod-security-admission/webhook/manifests/20-configmap.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: pod-security-webhook
 data:
   podsecurityconfiguration.yaml: |
-    apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+    apiVersion: pod-security.admission.config.k8s.io/v1beta1
     kind: PodSecurityConfiguration
     # Defaults applied when a mode label is not set.
     #

staging/src/k8s.io/pod-security-admission/webhook/manifests/50-deployment.yaml

@@ -16,6 +16,9 @@ spec:
     spec:
       serviceAccountName: pod-security-webhook
       priorityClassName: system-cluster-critical
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
       volumes:
         - name: config
           configMap:
@@ -25,10 +28,14 @@ spec:
             secretName: pod-security-webhook
       containers:
         - name: pod-security-webhook
-          image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.22-alpha.0
+          image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.23-beta.0
           terminationMessagePolicy: FallbackToLogsOnError
           ports:
-            - containerPort: 8443
+            - name: webhook
+              # A port > 1024 avoids needing low port bind privileges.
+              # Using the same port as the kubelet is likely to already be permitted in apiserver -> node firewall rules.
+              # The pod has its own IP and doesn't run with hostNetwork, so there's no port conflict with the kubelet.
+              containerPort: 10250
           args:
             [
               "--config",
@@ -38,7 +45,7 @@ spec:
               "--tls-private-key-file",
               "/etc/pki/tls.key",
               "--secure-port",
-              "8443",
+              "10250",
             ]
           resources:
             requests:

staging/src/k8s.io/pod-security-admission/webhook/manifests/60-service.yaml

@@ -8,7 +8,7 @@ metadata:
 spec:
   ports:
     - port: 443
-      targetPort: 8443
+      targetPort: webhook
       protocol: TCP
       name: https
   selector: