apiVersion: apps/v1
kind: Deployment
metadata:
  name: managedcluster-admission
  labels:
    app: managedcluster-admission
spec:
  replicas: 1
  selector:
    matchLabels:
      app: managedcluster-admission
  template:
    metadata:
      labels:
        app: managedcluster-admission
    spec:
      serviceAccountName: managedcluster-admission-sa
      containers:
      - name: managedcluster-admission
        image: quay.io/open-cluster-management/registration:latest
        imagePullPolicy: IfNotPresent
        args:
          - "/registration"
          - "webhook"
          - "--cert-dir=/tmp"
          - "--secure-port=6443"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          privileged: false
          runAsNonRoot: true