---
# Namespace that holds the admission-controller manager, its Service and the
# two Secrets it mounts. The controller-tools label is the same one the
# Service selector and StatefulSet template carry; quoted so it stays a
# string rather than the float 1.0.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    controller-tools.k8s.io: "1.0"
  name: image-scan-k8s-webhook-system
---
# Cluster-wide permissions for the webhook manager. The first rule has to be
# cluster-scoped (webhook configurations are not namespaced); the two core
# rules below are not obviously so.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null  # generator artifact; a null timestamp is ignored on apply
  name: image-scan-k8s-webhook-manager-role
rules:
  # Registering and maintaining its own webhook configurations.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # NOTE(review): get/list/watch on secrets in a ClusterRole lets the bound
  # subject read every Secret in the cluster, not only the webhook server
  # secret it is configured with (SECRET_NAME in the StatefulSet). If the
  # controller only touches that Secret in its own namespace, a namespaced
  # Role + RoleBinding for this rule (and the services rule below) would be
  # least-privilege -- confirm against the controller's code before narrowing.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # Same shape for services (cluster-wide); see the note above.
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
# Binds the manager ClusterRole to the namespace's `default` ServiceAccount.
# NOTE(review): every pod in image-scan-k8s-webhook-system that does not set
# its own serviceAccountName inherits these cluster-wide permissions. A
# dedicated ServiceAccount for the manager, named here and as
# serviceAccountName on the StatefulSet, is the least-privilege shape.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null  # generator artifact; a null timestamp is ignored on apply
  name: image-scan-k8s-webhook-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: image-scan-k8s-webhook-manager-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: image-scan-k8s-webhook-system
---
# Placeholder for the webhook server's TLS material; created with no data.
# The manager is pointed at it via SECRET_NAME and holds create/update on
# secrets, so presumably it fills in the serving cert itself -- verify
# against the controller before relying on that. Type defaults to Opaque.
apiVersion: v1
kind: Secret
metadata:
  name: image-scan-k8s-webhook-webhook-server-secret
  namespace: image-scan-k8s-webhook-system
---
# Scanner credentials, delivered to the manager as a file (mounted read-only
# at /tmp/sysdig-token by the StatefulSet). The `{{...}}` tokens are
# substituted before apply; because they sit inside a block scalar the outer
# YAML never sees the braces. The inner config.yaml is, by its name, parsed
# as YAML in turn, so a substituted value containing ": ", " #" or starting
# with a YAML indicator would be mis-read -- the substitution step should
# quote or reject such values. The rendered manifest holds the plaintext
# credentials (stringData is only base64-encoded once stored), so render it
# at deploy time rather than committing the rendered form.
apiVersion: v1
kind: Secret
metadata:
  name: sysdig-secure-token
  namespace: image-scan-k8s-webhook-system
type: Opaque
stringData:
  config.yaml: |-
    ANCHORE_CLI_USER: {{ANCHORE_CLI_USER}}
    ANCHORE_CLI_PASS: {{ANCHORE_CLI_PASS}}
    ANCHORE_CLI_URL: {{ANCHORE_CLI_URL}}
---
# Service named by the StatefulSet's serviceName, selecting the manager pod.
# NOTE(review): the single port has no targetPort, so it defaults to 443,
# while the manager container only declares 9876 (webhook-server). If this
# Service is meant to front the webhook, add `targetPort: webhook-server`;
# if it exists only to satisfy serviceName, it is fine as is.
apiVersion: v1
kind: Service
metadata:
  labels:
    control-plane: controller-manager
    controller-tools.k8s.io: "1.0"
  name: image-scan-k8s-webhook-controller-manager-service
  namespace: image-scan-k8s-webhook-system
spec:
  ports:
    - port: 443
  selector:
    control-plane: controller-manager
    controller-tools.k8s.io: "1.0"
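---
# The admission-controller manager: a single-container StatefulSet whose
# serviceName points at the Service above. Changes from the original: a
# container securityContext that drops all capabilities and forbids
# privilege escalation; everything else is kept and commented.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    control-plane: controller-manager
    controller-tools.k8s.io: "1.0"
  name: image-scan-k8s-webhook-controller-manager
  namespace: image-scan-k8s-webhook-system
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
      controller-tools.k8s.io: "1.0"
  serviceName: image-scan-k8s-webhook-controller-manager-service
  template:
    metadata:
      labels:
        control-plane: controller-manager
        controller-tools.k8s.io: "1.0"
    spec:
      # No serviceAccountName is set, so the pod runs as the namespace's
      # `default` ServiceAccount -- the subject the ClusterRoleBinding in this
      # manifest grants cluster-wide secret access to. A dedicated account
      # (`serviceAccountName: <manager-sa>`, bound in place of `default`)
      # keeps those permissions off any other pod scheduled here. The API
      # token must stay mounted: the manager maintains webhook
      # configurations through the API.
      containers:
        - command:
            - /root/manager
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: SECRET_NAME
              value: image-scan-k8s-webhook-webhook-server-secret
            # Fail-open by its name: "false" presumably admits a pod when the
            # scan request times out. "true" would enforce scanning but turn
            # a scanner outage into a deploy outage -- pick deliberately and
            # alert on webhook timeouts either way.
            - name: REJECT_IF_TIMEOUT
              value: "false"
          # TODO(review): `latest` plus imagePullPolicy Always pulls whatever
          # the tag currently points at on every restart; pin an immutable
          # tag or `@sha256:<digest>` so the admission path itself is
          # reproducible.
          image: docker.io/sysdig/sysdig-image-scanning-trigger:latest
          imagePullPolicy: Always
          name: manager
          ports:
            - containerPort: 9876
              name: webhook-server
              protocol: TCP
          resources:
            limits:
              cpu: 200m
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 100Mi
          # Hardening that does not depend on the image's user: 9876 is an
          # unprivileged port, so a controller binary should need no
          # capabilities and no setuid escalation. runAsNonRoot is not set
          # because the binary lives under /root and the image's USER is not
          # visible here -- TODO confirm and add it if the image allows.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /tmp/cert
              name: cert
              readOnly: true
            - mountPath: /tmp/sysdig-token
              name: sysdig-token
              readOnly: true
      terminationGracePeriodSeconds: 10
      volumes:
        # defaultMode 420 is decimal for 0644: files are world-readable inside
        # the container, but both mounts are read-only. Tightening to 0400
        # (256) is only safe once the process uid is known.
        - name: cert
          secret:
            defaultMode: 420
            secretName: image-scan-k8s-webhook-webhook-server-secret
        - name: sysdig-token
          secret:
            defaultMode: 420
            secretName: sysdig-secure-token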