mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 12:15:52 +00:00
Merge pull request #106106 from liggitt/podsecurity-beta-webhook
PodSecurity: update webhook manifest for beta
This commit is contained in:
commit
f28881de25
@ -1,4 +1,8 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Namespace
|
kind: Namespace
|
||||||
metadata:
|
metadata:
|
||||||
name: pod-security-webhook
|
name: pod-security-webhook
|
||||||
|
labels:
|
||||||
|
# Even though the validating webhook excludes intercepting this namespace to avoid a circular dependency,
|
||||||
|
# the deployment pod spec is compatible with the restricted level, so mark the namespace as restricted anyway.
|
||||||
|
pod-security.kubernetes.io/enforce: restricted
|
||||||
|
@ -5,7 +5,7 @@ metadata:
|
|||||||
namespace: pod-security-webhook
|
namespace: pod-security-webhook
|
||||||
data:
|
data:
|
||||||
podsecurityconfiguration.yaml: |
|
podsecurityconfiguration.yaml: |
|
||||||
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
|
apiVersion: pod-security.admission.config.k8s.io/v1beta1
|
||||||
kind: PodSecurityConfiguration
|
kind: PodSecurityConfiguration
|
||||||
# Defaults applied when a mode label is not set.
|
# Defaults applied when a mode label is not set.
|
||||||
#
|
#
|
||||||
|
@ -16,6 +16,9 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
serviceAccountName: pod-security-webhook
|
serviceAccountName: pod-security-webhook
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
|
nodeSelector:
|
||||||
|
kubernetes.io/os: linux
|
||||||
|
kubernetes.io/arch: amd64
|
||||||
volumes:
|
volumes:
|
||||||
- name: config
|
- name: config
|
||||||
configMap:
|
configMap:
|
||||||
@ -25,10 +28,14 @@ spec:
|
|||||||
secretName: pod-security-webhook
|
secretName: pod-security-webhook
|
||||||
containers:
|
containers:
|
||||||
- name: pod-security-webhook
|
- name: pod-security-webhook
|
||||||
image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.22-alpha.0
|
image: k8s.gcr.io/sig-auth/pod-security-webhook:v1.23-beta.0
|
||||||
terminationMessagePolicy: FallbackToLogsOnError
|
terminationMessagePolicy: FallbackToLogsOnError
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8443
|
- name: webhook
|
||||||
|
# A port > 1024 avoids needing low port bind privileges.
|
||||||
|
# Using the same port as the kubelet is likely to already be permitted in apiserver -> node firewall rules.
|
||||||
|
# The pod has its own IP and doesn't run with hostNetwork, so there's no port conflict with the kubelet.
|
||||||
|
containerPort: 10250
|
||||||
args:
|
args:
|
||||||
[
|
[
|
||||||
"--config",
|
"--config",
|
||||||
@ -38,7 +45,7 @@ spec:
|
|||||||
"--tls-private-key-file",
|
"--tls-private-key-file",
|
||||||
"/etc/pki/tls.key",
|
"/etc/pki/tls.key",
|
||||||
"--secure-port",
|
"--secure-port",
|
||||||
"8443",
|
"10250",
|
||||||
]
|
]
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
|
@ -8,7 +8,7 @@ metadata:
|
|||||||
spec:
|
spec:
|
||||||
ports:
|
ports:
|
||||||
- port: 443
|
- port: 443
|
||||||
targetPort: 8443
|
targetPort: webhook
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
name: https
|
name: https
|
||||||
selector:
|
selector:
|
||||||
|
Loading…
Reference in New Issue
Block a user