-
Notifications
You must be signed in to change notification settings - Fork 26
/
apiserver-list.yaml.template
159 lines (152 loc) · 4.62 KB
/
apiserver-list.yaml.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
apiVersion: v1
kind: List
items:
# to create the namespace-reservation-server
- apiVersion: apps/v1
kind: DaemonSet
metadata:
namespace: openshift-namespace-reservation
name: server
labels:
server: "true"
spec:
selector:
matchLabels:
server: "true"
template:
metadata:
name: server
labels:
server: "true"
spec:
serviceAccountName: server
containers:
- name: c
image: your-docker-user-name/namespace-reservation-server:latest
imagePullPolicy: IfNotPresent
command:
- "/usr/bin/namespace-reservation-server"
- "--secure-port=8443"
- "--audit-log-path=-"
- "--tls-cert-file=/var/serving-cert/tls.crt"
- "--tls-private-key-file=/var/serving-cert/tls.key"
- "--v=8"
ports:
- containerPort: 8443
volumeMounts:
- mountPath: /var/serving-cert
name: serving-cert
readinessProbe:
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
volumes:
- name: serving-cert
secret:
defaultMode: 420
secretName: server-serving-cert
# kube lacks the service serving cert signer, so provide a manual secret for it
- apiVersion: v1
kind: Secret
metadata:
namespace: openshift-namespace-reservation
name: server-serving-cert
type: kubernetes.io/tls
data:
tls.crt: TLS_SERVING_CERT
tls.key: TLS_SERVING_KEY
# to be able to assign powers to the process
- apiVersion: v1
kind: ServiceAccount
metadata:
namespace: openshift-namespace-reservation
name: server
# to be able to expose TSB inside the cluster
- apiVersion: v1
kind: Service
metadata:
namespace: openshift-namespace-reservation
name: server
annotations:
service.alpha.openshift.io/serving-cert-secret-name: server-serving-cert
spec:
selector:
server: "true"
ports:
- port: 443
targetPort: 8443
# to create the custom resource
- apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
# name must match the spec fields below, and be in the form: <plural>.<group>
name: namespacereservations.online.openshift.io
spec:
# group name to use for REST API: /apis/<group>/<version>
group: online.openshift.io
# version name to use for REST API: /apis/<group>/<version>
version: v1alpha1
# either Namespaced or Cluster
scope: Cluster
names:
# plural name to be used in the URL: /apis/<group>/<version>/<plural>
plural: namespacereservations
# singular name to be used as an alias on the CLI and for display
singular: namespacereservation
# kind is normally the CamelCased singular type. Your resource manifests use this.
kind: NamespaceReservation
# register as aggregated apiserver; this has a number of benefits:
#
# - allows other kubernetes components to talk to the the admission webhook using the `kubernetes.default.svc` service
# - allows other kubernetes components to use their in-cluster credentials to communicate with the webhook
# - allows you to test the webhook using kubectl
# - allows you to govern access to the webhook using RBAC
# - prevents other extension API servers from leaking their service account tokens to the webhook
#
# for more information, see: https://kubernetes.io/blog/2018/01/extensible-admission-is-beta
- apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1beta1.admission.online.openshift.io
spec:
caBundle: SERVICE_SERVING_CERT_CA
group: admission.online.openshift.io
groupPriorityMinimum: 1000
versionPriority: 15
service:
name: server
namespace: openshift-namespace-reservation
version: v1beta1
# register to intercept namespace creates
- apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: namespacereservations.admission.online.openshift.io
webhooks:
- name: namespacereservations.admission.online.openshift.io
clientConfig:
service:
# reach the webhook via the registered aggregated API
namespace: default
name: kubernetes
path: /apis/admission.online.openshift.io/v1beta1/namespacereservations
caBundle: KUBE_CA
rules:
- operations:
- CREATE
apiGroups:
- project.openshift.io
apiVersions:
- "*"
resources:
- projectrequests
- operations:
- CREATE
apiGroups:
- ""
apiVersions:
- "*"
resources:
- namespaces
failurePolicy: Fail