# Copyright 2022 DigitalOcean
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: "validation-webhook.snapshot.storage.k8s.io"
annotations:
cert-manager.io/inject-ca-from: default/snapshot-validation
webhooks:
- name: "validation-webhook.snapshot.storage.k8s.io"
rules:
- apiGroups: ["snapshot.storage.k8s.io"]
apiVersions: ["v1", "v1beta1"]
operations: ["CREATE", "UPDATE"]
resources: ["volumesnapshots", "volumesnapshotcontents"]
scope: "*"
clientConfig:
service:
namespace: "kube-system"
name: "snapshot-validation-service"
path: "/volumesnapshot"
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
failurePolicy: Fail
timeoutSeconds: 5
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: snapshot-validation
namespace: kube-system
labels:
app: snapshot-validation
spec:
replicas: 1
selector:
matchLabels:
app: snapshot-validation
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
labels:
app: snapshot-validation
spec:
serviceAccountName: snapshot-validation
containers:
- name: snapshot-validation
image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
imagePullPolicy: IfNotPresent
args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key']
ports:
- containerPort: 443
volumeMounts:
- name: snapshot-validation-webhook-certs
mountPath: /etc/snapshot-validation-webhook/certs
readOnly: true
volumes:
- name: snapshot-validation-webhook-certs
secret:
secretName: snapshot-validation-secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: snapshot-validation
namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
name: snapshot-validation-service
namespace: kube-system
spec:
selector:
app: snapshot-validation
ports:
- protocol: TCP
port: 443
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: snapshot-validation
rules:
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: snapshot-validation
subjects:
- kind: ServiceAccount
name: snapshot-validation
namespace: kube-system
roleRef:
kind: ClusterRole
name: snapshot-validation
apiGroup: rbac.authorization.k8s.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: snapshot-validation
spec:
dnsNames:
- snapshot-validation-service
- snapshot-validation-service.default.svc
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: snapshot-validation-secret