open-cluster-management/manifests/cluster-manager/management/addon-manager/webhook-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .ClusterManagerName }}-addon-webhook
  namespace: {{ .ClusterManagerNamespace }}
  labels:
    app: {{ .ClusterManagerName }}-addon-webhook
    {{ if gt (len .Labels) 0 }}
    {{ range $key, $value := .Labels }}
    "{{ $key }}": "{{ $value }}"
    {{ end }}
    {{ end }}
spec:
  replicas: {{ .Replica }}
  selector:
    matchLabels:
      app: {{ .ClusterManagerName }}-addon-webhook
  template:
    metadata:
      labels:
        app: {{ .ClusterManagerName }}-addon-webhook
        {{ if gt (len .Labels) 0 }}
        {{ range $key, $value := .Labels }}
        "{{ $key }}": "{{ $value }}"
        {{ end }}
        {{ end }}
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 70
            podAffinityTerm:
              topologyKey: failure-domain.beta.kubernetes.io/zone
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - {{ .ClusterManagerName }}-addon-webhook
          - weight: 30
            podAffinityTerm:
              topologyKey: kubernetes.io/hostname
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - {{ .ClusterManagerName }}-addon-webhook
      {{- if .ImagePullSecret }}
      imagePullSecrets:
      - name: {{ .ImagePullSecret }}
      {{- end }}
      {{ if not .HostedMode }}
      serviceAccountName: addon-webhook-sa
      {{ end }}
      containers:
      - name: {{ .ClusterManagerName }}-addon-webhook
        image: {{ .AddOnManagerImage }}
        args:
        - /addon
        - "webhook-server"
        - "--port=9443"
        {{- if or (eq .ResourceRequirementResourceType "Default") (eq .ResourceRequirementResourceType "") }}
        resources:
          requests:
            cpu: 2m
            memory: 16Mi
        {{- end }}
        {{- if eq .ResourceRequirementResourceType "BestEffort" }}
        resources: {}
        {{- end }}
        {{- if eq .ResourceRequirementResourceType "ResourceRequirement" }}
        resources:
          {{ .ResourceRequirements | indent 10 }}
        {{- end }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          runAsNonRoot: true
          readOnlyRootFilesystem: true
        livenessProbe:
          httpGet:
            path: /healthz
            scheme: HTTP
            port: 8000
          initialDelaySeconds: 2
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /readyz
            scheme: HTTP
            port: 8000
          initialDelaySeconds: 2
        ports:
        - containerPort: 9443
          protocol: TCP
        volumeMounts:
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: webhook-secret
          readOnly: true
      volumes:
      - name: webhook-secret
        secret:
          secretName: addon-webhook-serving-cert