apiVersion: v1 kind: Namespace metadata: name: kilo --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: "peers.kilo.squat.ai" webhooks: - name: "peers.kilo.squat.ai" rules: - apiGroups: ["kilo.squat.ai"] apiVersions: ["v1alpha1"] operations: ["CREATE","UPDATE"] resources: ["peers"] scope: "Cluster" clientConfig: service: namespace: "kilo" name: "peer-validation" path: "/validate" admissionReviewVersions: ["v1"] sideEffects: None timeoutSeconds: 5 --- apiVersion: apps/v1 kind: Deployment metadata: name: peer-validation-server namespace: kilo labels: app.kubernetes.io/name: peer-validation-server spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: peer-validation-server template: metadata: labels: app.kubernetes.io/name: peer-validation-server spec: securityContext: runAsNonRoot: true runAsUser: 1000 containers: - name: server image: squat/kilo:0.5.0 args: - webhook - --cert-file=/run/secrets/tls/tls.crt - --key-file=/run/secrets/tls/tls.key - --listen-metrics=:1107 - --listen=:8443 ports: - containerPort: 8443 name: webhook - containerPort: 1107 name: metrics volumeMounts: - name: tls mountPath: /run/secrets/tls readOnly: true volumes: - name: tls secret: secretName: peer-validation-webhook-tls --- apiVersion: v1 kind: Service metadata: name: peer-validation namespace: kilo spec: selector: app.kubernetes.io/name: peer-validation-server ports: - port: 443 targetPort: webhook --- apiVersion: v1 kind: ServiceAccount metadata: name: kilo-peer-validation namespace: kilo --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kilo-peer-validation rules: - apiGroups: - admissionregistration.k8s.io resources: - validatingwebhookconfigurations resourceNames: - peers.kilo.squat.ai verbs: - get - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kilo-peer-validation roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kilo-peer-validation subjects: - kind: ServiceAccount namespace: kilo name: kilo-peer-validation --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: kilo-peer-validation namespace: kilo rules: - apiGroups: - "" resources: - secrets verbs: - get - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kilo-peer-validation namespace: kilo roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kilo-peer-validation subjects: - kind: ServiceAccount namespace: kilo name: kilo-peer-validation --- apiVersion: batch/v1 kind: Job metadata: name: cert-gen namespace: kilo spec: template: spec: serviceAccountName: kilo-peer-validation initContainers: - name: create image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0 args: - create - --namespace=kilo - --secret-name=peer-validation-webhook-tls - --host=peer-validation,peer-validation.kilo.svc - --key-name=tls.key - --cert-name=tls.crt containers: - name: patch image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0 args: - patch - --webhook-name=peers.kilo.squat.ai - --secret-name=peer-validation-webhook-tls - --namespace=kilo - --patch-mutating=false restartPolicy: OnFailure backoffLimit: 4