Add stackit-pod-identity-webhook image and configuration

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v1
+name: stackit-pod-identity-webhook
+version: 0.1.0

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: stackit-pod-identity-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: stackit-pod-identity-webhook
+    high-availability-config.resources.gardener.cloud/type: server
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: stackit-pod-identity-webhook
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: stackit-pod-identity-webhook
+        workload-identity.stackit.cloud/skip-pod-identity-webhook: "true"
+        gardener.cloud/role: controlplane
+        networking.gardener.cloud/to-dns: allowed
+        networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
+    spec:
+      automountServiceAccountToken: false
+      podSecurityContext:
+        runAsNonRoot: true
+        runAsUser: 1239
+        runAsGroup: 1239
+        fsGroup: 1239
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
+        readOnlyRootFilesystem: true
+      priorityClassName: gardener-system-200
+      containers:
+        - name: stackit-pod-identity-webhook
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+          image: {{ index .Values.images "stackit-pod-identity-webhook" }}
+          args:
+            - --cert-dir=/etc/webhook/certs
+            - --port={{ .Values.webhook.port }}
+          env:
+          - name: KUBECONFIG
+            value: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
+          ports:
+            - name: https
+              containerPort: {{ .Values.webhook.port }}
+              protocol: TCP
+            - name: metrics
+              containerPort: 8080
+              protocol: TCP
+            - name: health
+              containerPort: 8081
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: health
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: health
+          resources:
+              limits:
+                memory: 128Mi
+              requests:
+                cpu: 50m
+                memory: 64Mi
+          volumeMounts:
+            - name: certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+            - mountPath: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig
+              name: kubeconfig
+              readOnly: true
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ .Values.webhook.tlsSecretName }}
+        - name: kubeconfig
+          projected:
+            defaultMode: 420
+            sources:
+            - secret:
+                items:
+                  - key: kubeconfig
+                    path: kubeconfig
+                name: {{ .Values.global.genericTokenKubeconfigSecretName }}
+                optional: false
+            - secret:
+                items:
+                  - key: token
+                    path: token
+                name: shoot-access-stackit-pod-identity-webhook
+                optional: false

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/poddisruptionbudget.yaml

@@ -0,0 +1,13 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: stackit-pod-identity-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: stackit-pod-identity-webhook
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: stackit-pod-identity-webhook
+  unhealthyPodEvictionPolicy: AlwaysAllow

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: stackit-pod-identity-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: stackit-pod-identity-webhook
+    endpoint-slice-hints.resources.gardener.cloud/consider: "true"
+  annotations:
+    networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"protocol":"TCP","port":{{ .Values.webhook.port }}}]'
+    service.kubernetes.io/topology-mode: auto
+spec:
+  type: ClusterIP
+  ports:
+    - port: 443
+      targetPort: {{ .Values.webhook.port }}
+      protocol: TCP
+      name: https
+  selector:
+    app.kubernetes.io/name: stackit-pod-identity-webhook
+  trafficDistribution: PreferClose

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/vpa.yaml

@@ -0,0 +1,21 @@
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: stackit-pod-identity-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: stackit-pod-identity-webhook
+  updatePolicy:
+    updateMode: Auto
+  resourcePolicy:
+    containerPolicies:
+    - containerName: stackit-pod-identity-webhook
+      minAllowed:
+        memory: 80M
+      maxAllowed:
+        cpu: {{ .Values.vpa.resourcePolicy.maxAllowed.cpu }}
+        memory: {{ .Values.vpa.resourcePolicy.maxAllowed.memory }}
+      controlledValues: RequestsOnly

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/values.yaml

@@ -0,0 +1,15 @@
+replicaCount: 2
+
+images:
+  stackit-pod-identity-webhook: image-repository:image-tag
+
+webhook:
+  port: 9443
+  # The secret name containing tls.crt and tls.key for the webhook server
+  tlsSecretName: "stackit-pod-identity-webhook-certs"
+
+vpa:
+  resourcePolicy:
+    maxAllowed:
+      cpu: 1
+      memory: 512Mi

charts/internal/seed-controlplane/requirements.yaml

@@ -19,3 +19,7 @@ dependencies:
   repository: http://localhost:10191
   version: 0.1.0
   condition: stackit-alb-controller-manager.enabled
+- name: stackit-pod-identity-webhook
+  repository: http://localhost:10191
+  version: 0.1.0
+  condition: stackit-pod-identity-webhook.enabled

charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v1
+name: stackit-pod-identity-webhook
+version: 0.1.0

charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/templates/mutatingwebhookconfiguration.yaml

@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: stackit-pod-identity-webhook
+  labels:
+    app.kubernetes.io/name: stackit-pod-identity-webhook
+webhooks:
+  - name: stackit-pod-identity-webhook.stackit.cloud
+    clientConfig:
+      url: {{ .Values.webhook.url | quote }}  
+      caBundle: {{ .Values.webhook.caBundle | quote }}  
+    rules:
+      - operations: ["CREATE"]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+    failurePolicy: Fail
+    namespaceSelector:
+      matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values: ["kube-system", "garden"]
+        - key: workload-identity.stackit.cloud/skip-pod-identity-webhook
+          operator: DoesNotExist
+    objectSelector:
+      matchExpressions:
+        - key: workload-identity.stackit.cloud/skip-pod-identity-webhook
+          operator: DoesNotExist

charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/templates/rbac.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: extensions.gardener.cloud:provider-stackit:stackit-pod-identity-webhook
+rules:
+- apiGroups: [""]
+  resources: ["serviceaccounts"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: extensions.gardener.cloud:provider-stackit:stackit-pod-identity-webhook
+subjects:
+- kind: ServiceAccount # from shoot access secret
+  name: stackit-pod-identity-webhook
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: extensions.gardener.cloud:provider-stackit:stackit-pod-identity-webhook
+  apiGroup: rbac.authorization.k8s.io

charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/values.yaml

@@ -0,0 +1,3 @@
+webhook:
+  caBundle: "" # will be set by valuesprovider
+  controlPlaneNamespace: "" # will be set by valuesprovider

charts/internal/shoot-system-components/requirements.yaml

@@ -15,3 +15,7 @@ dependencies:
   repository: http://localhost:10191
   version: 0.1.0
   condition: stackit-blockstorage-csi-driver.enabled
+- name: stackit-pod-identity-webhook
+  repository: http://localhost:10191
+  version: 0.1.0
+  condition: stackit-pod-identity-webhook.enabled

imagevector/images.yaml

@@ -135,3 +135,6 @@ images:
 - name: stackit-alb-controller-manager
   repository: reg3.infra.ske.eu01.stackit.cloud/temp/alb-controller-manager
   tag: "1245"
+- name: stackit-pod-identity-webhook
+  repository: ghcr.io/stackitcloud/stackit-pod-identity-webhook
+  tag: "v0.1.0@sha256:5c124efb00b5b5e0fd64b635e1643cebbd407b4abafdb966e02639627f41631c"