149 lines
3.6 KiB
YAML
149 lines
3.6 KiB
YAML
# Copyright 2022 DigitalOcean
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
apiVersion: admissionregistration.k8s.io/v1
|
|
kind: ValidatingWebhookConfiguration
|
|
metadata:
|
|
name: "validation-webhook.snapshot.storage.k8s.io"
|
|
annotations:
|
|
cert-manager.io/inject-ca-from: default/snapshot-validation
|
|
webhooks:
|
|
- name: "validation-webhook.snapshot.storage.k8s.io"
|
|
rules:
|
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
apiVersions: ["v1", "v1beta1"]
|
|
operations: ["CREATE", "UPDATE"]
|
|
resources: ["volumesnapshots", "volumesnapshotcontents"]
|
|
scope: "*"
|
|
clientConfig:
|
|
service:
|
|
namespace: "kube-system"
|
|
name: "snapshot-validation-service"
|
|
path: "/volumesnapshot"
|
|
admissionReviewVersions: ["v1", "v1beta1"]
|
|
sideEffects: None
|
|
failurePolicy: Fail
|
|
timeoutSeconds: 5
|
|
|
|
---
|
|
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: snapshot-validation
|
|
namespace: kube-system
|
|
labels:
|
|
app: snapshot-validation
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: snapshot-validation
|
|
strategy:
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
maxUnavailable: 0
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: snapshot-validation
|
|
spec:
|
|
serviceAccountName: snapshot-validation
|
|
containers:
|
|
- name: snapshot-validation
|
|
image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
|
|
imagePullPolicy: IfNotPresent
|
|
args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key']
|
|
ports:
|
|
- containerPort: 443
|
|
volumeMounts:
|
|
- name: snapshot-validation-webhook-certs
|
|
mountPath: /etc/snapshot-validation-webhook/certs
|
|
readOnly: true
|
|
volumes:
|
|
- name: snapshot-validation-webhook-certs
|
|
secret:
|
|
secretName: snapshot-validation-secret
|
|
|
|
---
|
|
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: snapshot-validation
|
|
namespace: kube-system
|
|
|
|
---
|
|
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: snapshot-validation-service
|
|
namespace: kube-system
|
|
spec:
|
|
selector:
|
|
app: snapshot-validation
|
|
ports:
|
|
- protocol: TCP
|
|
port: 443
|
|
|
|
---
|
|
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: snapshot-validation
|
|
rules:
|
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
resources: ["volumesnapshotclasses"]
|
|
verbs: ["get", "list", "watch"]
|
|
|
|
---
|
|
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: snapshot-validation
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: snapshot-validation
|
|
namespace: kube-system
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: snapshot-validation
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
---
|
|
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Issuer
|
|
metadata:
|
|
name: selfsigned-issuer
|
|
spec:
|
|
selfSigned: {}
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: snapshot-validation
|
|
spec:
|
|
dnsNames:
|
|
- snapshot-validation-service
|
|
- snapshot-validation-service.default.svc
|
|
issuerRef:
|
|
kind: Issuer
|
|
name: selfsigned-issuer
|
|
secretName: snapshot-validation-secret
|