stackitcloud · ske-prow · Apr 17, 2026 · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
diff --git a/.../internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml b/.../internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml
@@ -7,6 +7,7 @@ metadata:
     app.kubernetes.io/name: stackit-pod-identity-webhook
     high-availability-config.resources.gardener.cloud/type: server
 spec:
+  revisionHistoryLimit: 2
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
@@ -67,11 +68,9 @@ spec:
               path: /readyz
               port: health
           resources:
-              limits:
-                memory: 128Mi
               requests:
-                cpu: 50m
-                memory: 64Mi
+                cpu: {{ .Values.vpa.resourcePolicy.minAllowed.cpu }}
+                memory: {{ .Values.vpa.resourcePolicy.minAllowed.memory }}
           volumeMounts:
             - name: certs
               mountPath: /etc/webhook/certs

diff --git a/charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/service.yaml b/charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/service.yaml
@@ -16,6 +16,10 @@ spec:
       targetPort: {{ .Values.webhook.port }}
       protocol: TCP
       name: https
+    - port: 8080
+      targetPort: 8080
+      protocol: TCP
+      name: metrics
   selector:
     app.kubernetes.io/name: stackit-pod-identity-webhook
   trafficDistribution: PreferClose
diff --git a/charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/vpa.yaml b/charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/vpa.yaml
@@ -14,8 +14,12 @@ spec:
     containerPolicies:
     - containerName: stackit-pod-identity-webhook
       minAllowed:
-        memory: 80M
+        cpu: {{ .Values.vpa.resourcePolicy.minAllowed.cpu }}
+        memory: {{ .Values.vpa.resourcePolicy.minAllowed.memory }}
       maxAllowed:
         cpu: {{ .Values.vpa.resourcePolicy.maxAllowed.cpu }}
         memory: {{ .Values.vpa.resourcePolicy.maxAllowed.memory }}
-      controlledValues: RequestsOnly
+      controlledValues: RequestsAndLimits
+      controlledResources:
+      - cpu
+      - memory
diff --git a/charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/values.yaml b/charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/values.yaml
@@ -13,3 +13,6 @@ vpa:
     maxAllowed:
       cpu: 1
       memory: 512Mi
+    minAllowed:
+      cpu: 50m
+      memory: 64Mi
diff --git a/...omponents/charts/stackit-pod-identity-webhook/templates/mutatingwebhookconfiguration.yaml b/...omponents/charts/stackit-pod-identity-webhook/templates/mutatingwebhookconfiguration.yaml
@@ -7,24 +7,26 @@ metadata:
 webhooks:
   - name: stackit-pod-identity-webhook.stackit.cloud
     clientConfig:
-      url: {{ .Values.webhook.url | quote }}  
-      caBundle: {{ .Values.webhook.caBundle | quote }}  
+      url: {{ .Values.webhook.url | quote }}
+      caBundle: {{ .Values.webhook.caBundle | quote }}
     rules:
       - operations: ["CREATE"]
         apiGroups: [""]
         apiVersions: ["v1"]
         resources: ["pods"]
     admissionReviewVersions: ["v1"]
     sideEffects: None
+    timeoutSeconds: 3 # Do not block control-plane API calls too long.
     failurePolicy: Fail
     namespaceSelector:
       matchExpressions:
-        - key: kubernetes.io/metadata.name
-          operator: NotIn
-          values: ["kube-system", "garden"]
-        - key: workload-identity.stackit.cloud/skip-pod-identity-webhook
-          operator: DoesNotExist
+      - key: gardener.cloud/purpose # see https://github.com/gardener/gardener/blob/master/docs/usage/shoot/shoot_status.md#constraints
+        operator: NotIn
+        values:
+          - kube-system
+      - key: workload-identity.stackit.cloud/skip-pod-identity-webhook
+        operator: DoesNotExist
     objectSelector:
       matchExpressions:
-        - key: workload-identity.stackit.cloud/skip-pod-identity-webhook
-          operator: DoesNotExist
+      - key: workload-identity.stackit.cloud/skip-pod-identity-webhook
+        operator: DoesNotExist
diff --git a/charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/values.yaml b/charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/values.yaml
@@ -1,3 +1,2 @@
 webhook:
   caBundle: "" # will be set by valuesprovider
-  controlPlaneNamespace: "" # will be set by valuesprovider
diff --git a/imagevector/images.yaml b/imagevector/images.yaml
@@ -136,5 +136,6 @@ images:
   repository: reg3.infra.ske.eu01.stackit.cloud/temp/alb-controller-manager
   tag: "1245"
 - name: stackit-pod-identity-webhook
+  sourceRepository: github.com/stackitcloud/stackit-pod-identity-webhook
   repository: ghcr.io/stackitcloud/stackit-pod-identity-webhook
-  tag: "v0.1.0@sha256:5c124efb00b5b5e0fd64b635e1643cebbd407b4abafdb966e02639627f41631c"
+  tag: "v0.1.0"
diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
@@ -323,6 +323,8 @@ var (
 				Name: stackit.PodIdentityWebhookName,
 				Objects: []*chart.Object{
 					{Type: &admissionregistrationv1.MutatingWebhookConfiguration{}, Name: stackit.PodIdentityWebhookName},
+					{Type: &rbacv1.ClusterRole{}, Name: "extensions.gardener.cloud:provider-stackit:stackit-pod-identity-webhook"},
+					{Type: &rbacv1.ClusterRoleBinding{}, Name: "extensions.gardener.cloud:provider-stackit:stackit-pod-identity-webhook"},
 				},
 			},
 		},