diff --git a/config/webhook/0-namespace.yaml b/config/webhook/0-namespace.yaml deleted file mode 100644 index c837108d96..0000000000 --- a/config/webhook/0-namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: gateway-system - labels: - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/audit: restricted - pod-security.kubernetes.io/warn: restricted diff --git a/config/webhook/admission_webhook.yaml b/config/webhook/admission_webhook.yaml deleted file mode 100644 index 410b1d00eb..0000000000 --- a/config/webhook/admission_webhook.yaml +++ /dev/null @@ -1,95 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: gateway-api-admission -webhooks: -- name: validate.gateway.networking.k8s.io - matchPolicy: Equivalent - rules: - - operations: [ "CREATE" , "UPDATE" ] - apiGroups: [ "gateway.networking.k8s.io" ] - apiVersions: [ "v1alpha2", "v1beta1" ] - resources: [ "gateways", "gatewayclasses", "httproutes" ] - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - clientConfig: - service: - name: gateway-api-admission-server - namespace: gateway-system - path: "/validate" ---- -apiVersion: v1 -kind: Service -metadata: - labels: - name: gateway-api-webhook-server - name: gateway-api-admission-server - namespace: gateway-system -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: 8443 - selector: - name: gateway-api-admission-server ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gateway-api-admission-server - namespace: gateway-system - labels: - name: gateway-api-admission-server -spec: - replicas: 1 - selector: - matchLabels: - name: gateway-api-admission-server - template: - metadata: - name: gateway-api-admission-server - labels: - name: gateway-api-admission-server - spec: - containers: - - name: webhook - image: registry.k8s.io/gateway-api/admission-server:v0.8.0 - imagePullPolicy: IfNotPresent - args: - - -logtostderr - - --tlsCertFile=/etc/certs/cert - - --tlsKeyFile=/etc/certs/key - - -v=10 - - 2>&1 - ports: - - containerPort: 8443 - name: webhook - resources: - limits: - memory: 50Mi - cpu: 100m - requests: - memory: 50Mi - cpu: 100m - volumeMounts: - - name: webhook-certs - mountPath: /etc/certs - readOnly: true - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - capabilities: - drop: - - "ALL" - seccompProfile: - type: RuntimeDefault - volumes: - - name: webhook-certs - secret: - secretName: gateway-api-admission diff --git a/config/webhook/certificate_config.yaml b/config/webhook/certificate_config.yaml deleted file mode 100644 index 2317a8d8c4..0000000000 --- a/config/webhook/certificate_config.yaml +++ /dev/null @@ -1,168 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: gateway-api-admission - labels: - name: gateway-api-webhook - namespace: gateway-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: gateway-api-admission - labels: - name: gateway-api -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: gateway-api-admission - annotations: - labels: - name: gateway-api-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: gateway-api-admission -subjects: -- kind: ServiceAccount - name: gateway-api-admission - namespace: gateway-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: gateway-api-admission - annotations: - labels: - name: gateway-api-webhook - namespace: gateway-system -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: gateway-api-admission - annotations: - labels: - name: gateway-api-webhook - namespace: gateway-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: gateway-api-admission -subjects: -- kind: ServiceAccount - name: gateway-api-admission - namespace: gateway-system ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: gateway-api-admission - annotations: - labels: - name: gateway-api-webhook - namespace: gateway-system -spec: - template: - metadata: - name: gateway-api-admission-create - labels: - name: gateway-api-webhook - spec: - containers: - - name: create - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1 - imagePullPolicy: IfNotPresent - args: - - create - - --host=gateway-api-admission-server,gateway-api-admission-server.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=gateway-api-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 2000 - runAsGroup: 2000 - capabilities: - drop: - - "ALL" - seccompProfile: - type: RuntimeDefault - restartPolicy: OnFailure - serviceAccountName: gateway-api-admission - securityContext: - runAsNonRoot: true - runAsUser: 2000 - runAsGroup: 2000 ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: gateway-api-admission-patch - labels: - name: gateway-api-webhook - namespace: gateway-system -spec: - template: - metadata: - name: gateway-api-admission-patch - labels: - name: gateway-api-webhook - spec: - containers: - - name: patch - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=gateway-api-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --patch-validating=true - - --secret-name=gateway-api-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 2000 - runAsGroup: 2000 - capabilities: - drop: - - "ALL" - seccompProfile: - type: RuntimeDefault - restartPolicy: OnFailure - serviceAccountName: gateway-api-admission - securityContext: - runAsNonRoot: true - runAsUser: 2000 - runAsGroup: 2000 diff --git a/hack/build-install-yaml.sh b/hack/build-install-yaml.sh index ed45fc6dec..300ac7e496 100755 --- a/hack/build-install-yaml.sh +++ b/hack/build-install-yaml.sh @@ -39,7 +39,7 @@ cat << EOF >> release/standard-install.yaml # EOF -for file in `ls config/webhook/*.yaml config/crd/experimental/gateway*.yaml` +for file in `ls config/crd/experimental/gateway*.yaml` do echo "---" >> release/experimental-install.yaml echo "#" >> release/experimental-install.yaml @@ -48,7 +48,7 @@ do cat $file >> release/experimental-install.yaml done -for file in `ls config/webhook/*.yaml config/crd/standard/*.yaml` +for file in `ls config/crd/standard/*.yaml` do echo "---" >> release/standard-install.yaml echo "#" >> release/standard-install.yaml