apiVersion: apps/v1
kind: Deployment
metadata:
  name: work-webhook
  labels:
    app: work-webhook
spec:
  replicas: 1
  selector:
    matchLabels:
      app: work-webhook
  template:
    metadata:
      labels:
        app: work-webhook
    spec:
      serviceAccountName: work-webhook-sa
      containers:
      - name: work-webhook
        image: quay.io/open-cluster-management/work:latest
        imagePullPolicy: IfNotPresent
        args:
          - "/work"
          - "webhook"
          - "--cert-dir=/tmp"
          - "--secure-port=6443"
          # webhook is not hosting any k8s api resource, so it is not subjected to APF feature
          - "--feature-gates=APIPriorityAndFairness=false"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          privileged: false
          runAsNonRoot: true