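# externalip-webhook bundle: namespace, RBAC for the kube-rbac-proxy metrics
# sidecar, the webhook Deployment and its Services, a cert-manager-issued
# serving certificate, and the ValidatingWebhookConfiguration that sends every
# Service CREATE/UPDATE to the webhook. Judging by its name, path and rules it
# is an externalIPs policy check (cf. the admission-webhook mitigation
# recommended for CVE-2020-8554); the policy itself lives in the image, not here.
#
# Review changes versus the original manifest:
#   - webhook fails closed (failurePolicy: Fail) instead of open;
#   - a dedicated ServiceAccount replaces the namespace's `default` SA as the
#     ClusterRoleBinding subject;
#   - the seccomp annotation is moved onto the pod template (on the Deployment
#     object it had no effect on pods);
#   - the stray `containerPort: 8443 name: webhook-metrics` on the webhook
#     container is dropped (metrics are served on 127.0.0.1:8080 and exposed
#     only through the proxy's `https` port);
#   - kube-rbac-proxy verbosity lowered from debug level 10;
#   - rbac.authorization.k8s.io/v1beta1 aligned with the v1 used elsewhere;
#   - containers get a restrictive securityContext.
---
apiVersion: v1
kind: Namespace
metadata:
  name: externalip-validation-system
  labels:
    control-plane: webhook
---
# Dedicated identity for the webhook pod. Binding the proxy role to the
# namespace's `default` ServiceAccount would grant TokenReview/SubjectAccessReview
# creation to any pod that happens to be scheduled in this namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: externalip-validation-webhook
  namespace: externalip-validation-system
---
# Needed by kube-rbac-proxy: it authenticates bearer tokens via TokenReview and
# authorizes /metrics requests via SubjectAccessReview. Both are create-only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: externalip-validation-proxy-role
rules:
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
# Role for metrics consumers (e.g. a Prometheus ServiceAccount); no binding is
# shipped here, the operator binds it to whatever scrapes the metrics Service.
# rbac v1 (GA since 1.8) replaces the v1beta1 used in the original, which was
# removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: externalip-validation-metrics-reader
rules:
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: externalip-validation-proxy-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: externalip-validation-proxy-role
subjects:
  - kind: ServiceAccount
    name: externalip-validation-webhook
    namespace: externalip-validation-system
---
# Metrics endpoint. `targetPort: https` resolves to the kube-rbac-proxy
# container's named port, so /metrics is only reachable through the
# authenticating proxy, never directly from the webhook's loopback listener.
apiVersion: v1
kind: Service
metadata:
  name: externalip-validation-webhook-metrics-service
  namespace: externalip-validation-system
  labels:
    control-plane: webhook
spec:
  selector:
    control-plane: webhook
  ports:
    - name: https
      port: 8443
      targetPort: https
---
# Admission endpoint the API server calls (443 -> webhook container 9443).
apiVersion: v1
kind: Service
metadata:
  name: externalip-validation-webhook-service
  namespace: externalip-validation-system
spec:
  selector:
    control-plane: webhook
  ports:
    - port: 443
      targetPort: 9443
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: externalip-validation-webhook
  namespace: externalip-validation-system
  labels:
    control-plane: webhook
spec:
  # With failurePolicy: Fail below, a single replica means Service
  # CREATE/UPDATE is rejected while the pod restarts. Run >=2 replicas with a
  # PodDisruptionBudget if that window matters.
  replicas: 1
  selector:
    matchLabels:
      control-plane: webhook
  template:
    metadata:
      labels:
        control-plane: webhook
      annotations:
        # Pod-level seccomp. This must sit on the pod template: the original had
        # it on the Deployment's own metadata, where the kubelet never sees it.
        # (The annotation form is kept because the rest of this bundle targets
        # pre-1.19 API versions; on >=1.19 prefer securityContext.seccompProfile.)
        seccomp.security.alpha.kubernetes.io/pod: runtime/default
    spec:
      serviceAccountName: externalip-validation-webhook
      # The SA token is required: kube-rbac-proxy uses it for TokenReview/SAR.
      automountServiceAccountToken: true
      terminationGracePeriodSeconds: 10
      # NOTE(review): runAsNonRoot is intentionally not set here because the
      # manifest does not show which UID either image runs as; add
      # `securityContext.runAsNonRoot: true` once both images are confirmed
      # to run unprivileged, otherwise the pod will fail to start.
      containers:
        - name: kube-rbac-proxy
          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
          args:
            - --secure-listen-address=0.0.0.0:8443
            - --upstream=http://127.0.0.1:8080/
            - --logtostderr=true
            # Original shipped --v=10 (klog debug level). Debug verbosity on an
            # authenticating proxy risks logging request detail that should not
            # end up in cluster logs; keep production at the default level.
            - --v=0
          ports:
            - containerPort: 8443
              name: https
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            # Only unprivileged ports (8443) are bound; no capability needed.
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
        - name: webhook
          image: dviejo/externalip-webhook:1.0.0
          command:
            - /webhook
          args:
            # Plain-HTTP metrics on loopback; reachable only via the sidecar.
            - --metrics-addr=127.0.0.1:8080
          ports:
            - containerPort: 9443
              name: webhook-server
              protocol: TCP
          resources:
            limits:
              cpu: 100m
              memory: 30Mi
            requests:
              cpu: 100m
              memory: 20Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # The only path the container is given is the read-only cert mount.
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: cert
              mountPath: /tmp/k8s-webhook-server/serving-certs
              readOnly: true
      volumes:
        - name: cert
          secret:
            secretName: webhook-server-cert
            defaultMode: 420
---
# Serving certificate for the webhook Service. cert-manager.io/v1alpha2 is kept
# to match the original; it was removed in cert-manager 1.6, so installs on a
# current cert-manager need cert-manager.io/v1 with the same fields.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: externalip-validation-serving-cert
  namespace: externalip-validation-system
spec:
  dnsNames:
    - externalip-validation-webhook-service.externalip-validation-system.svc
    - externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: externalip-validation-selfsigned-issuer
  secretName: webhook-server-cert
---
# Self-signed issuer: acceptable here because the API server trusts exactly this
# certificate via the CA injected into the webhook configuration below.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: externalip-validation-selfsigned-issuer
  namespace: externalip-validation-system
spec:
  selfSigned: {}
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: externalip-validation-validating-webhook-configuration
  annotations:
    # cert-manager's cainjector overwrites clientConfig.caBundle with the CA of
    # the referenced Certificate. Requires the cainjector component to be
    # running; until it has run, the API server will reject the TLS handshake.
    cert-manager.io/inject-ca-from: externalip-validation-system/externalip-validation-serving-cert
webhooks:
  - name: validate-externalip.webhook.svc
    clientConfig:
      # Placeholder (base64 of "\n") so the object is valid before injection.
      caBundle: Cg==
      service:
        name: externalip-validation-webhook-service
        namespace: externalip-validation-system
        path: /validate-service
    # Fail closed. The original used `Ignore`, which lets every Service through
    # whenever the webhook is unreachable (pod restart, cert not yet issued,
    # network policy, DoS) -- i.e. the control can be bypassed by making it
    # unavailable. Cost: Service writes are rejected while the webhook is down,
    # including in this namespace; if that is unacceptable, scope with a
    # namespaceSelector rather than reverting to Ignore.
    failurePolicy: Fail
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - services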