--- # Source: polaris/templates/0-namespace.yaml apiVersion: v1 kind: Namespace metadata: name: polaris --- # Source: polaris/templates/rbac.yaml apiVersion: v1 kind: ServiceAccount metadata: name: polaris namespace: polaris labels: app: polaris --- # Source: polaris/templates/webhook.rbac.yaml apiVersion: v1 kind: ServiceAccount metadata: name: polaris-certificates namespace: polaris labels: app: polaris --- # Source: polaris/templates/webhook.secret.yaml # The name of this secret is static as it is populated by the webhook pod. apiVersion: v1 kind: Secret metadata: name: polaris-webhook namespace: polaris labels: app: polaris type: kubernetes.io/tls data: tls.crt: '' tls.key: '' --- # Source: polaris/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: polaris labels: app: polaris rules: # required by controller-runtime code doing a cluster wide lookup # when it seems namespace would suffice - apiGroups: - '' resources: - 'nodes' verbs: - 'get' - 'list' --- # Source: polaris/templates/webhook.rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: polaris-webhook labels: app: polaris rules: - apiGroups: - '' resources: - 'secrets' - 'services' verbs: - 'get' - 'list' - 'watch' - apiGroups: - 'certificates.k8s.io' resources: - 'certificatesigningrequests' - 'certificatesigningrequests/approval' verbs: - 'get' - 'update' - 'create' - 'delete' - apiGroups: - 'certificates.k8s.io' resources: - 'signers' resourceNames: - 'kubernetes.io/legacy-unknown' verbs: - 'approve' - apiGroups: - 'admissionregistration.k8s.io' resources: - 'validatingwebhookconfigurations' verbs: - '*' --- # Source: polaris/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: polaris-view labels: app: polaris roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: view subjects: - kind: ServiceAccount name: polaris namespace: polaris --- # Source: polaris/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: polaris labels: app: polaris roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: polaris subjects: - kind: ServiceAccount name: polaris namespace: polaris --- # Source: polaris/templates/webhook.rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: polaris-webhook labels: app: polaris roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: polaris-webhook subjects: - kind: ServiceAccount name: polaris-certificates namespace: polaris --- # Source: polaris/templates/webhook.rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: name: polaris-webhook namespace: polaris labels: app: polaris rules: # required for current controller-runtime bootstrap method - apiGroups: - '' resources: - 'secrets' - 'services' verbs: - '*' --- # Source: polaris/templates/webhook.rbac.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: polaris-webhook namespace: polaris labels: app: polaris roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: polaris-webhook subjects: - kind: ServiceAccount name: polaris-certificates namespace: polaris --- # Source: polaris/templates/webhook.service.yaml apiVersion: v1 kind: Service metadata: name: polaris-webhook namespace: polaris labels: app: polaris spec: ports: - name: webhook port: 443 protocol: TCP targetPort: 9876 selector: app: polaris component: webhook type: ClusterIP --- # Source: polaris/templates/webhook.deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: polaris-webhook namespace: polaris labels: app: polaris component: webhook spec: replicas: 1 selector: matchLabels: app: polaris component: webhook template: metadata: labels: app: polaris component: webhook spec: containers: - name: webhook command: - polaris - webhook image: 'quay.io/fairwinds/polaris:1.2' imagePullPolicy: 'Always' ports: - containerPort: 9876 # These are fairly useless readiness/liveness probes for now # Follow this issue for potential improvements: # https://github.com/kubernetes-sigs/controller-runtime/issues/356 livenessProbe: exec: command: - sh - -c - ps -ef | grep polaris initialDelaySeconds: 5 periodSeconds: 5 readinessProbe: exec: command: - sh - -c - ps -ef | grep polaris initialDelaySeconds: 5 periodSeconds: 5 resources: limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - ALL volumeMounts: - name: secret mountPath: /opt/cert/ readOnly: true - name: cr-logs mountPath: /tmp/ readOnly: false serviceAccountName: polaris nodeSelector: tolerations: volumes: - name: secret secret: secretName: polaris-webhook - name: cr-logs emptyDir: {} --- # Source: polaris/templates/webhook.job.yaml apiVersion: batch/v1 kind: Job metadata: name: polaris-certificate-updater namespace: polaris labels: app: polaris component: certificate-updater spec: template: metadata: labels: app: polaris component: certificate-updater spec: containers: - name: webhook-certificate-generator image: 'newrelic/k8s-webhook-cert-manager:1.3.0' imagePullPolicy: Always command: - ./generate_certificate.sh - --service - polaris-webhook - --namespace - polaris - --secret - polaris-webhook - --webhook - polaris-webhook - --webhook-kind - ValidatingWebhookConfiguration resources: limits: cpu: 150m memory: 512Mi requests: cpu: 100m memory: 128Mi volumeMounts: - name: tmp mountPath: /tmp/ readOnly: false securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 capabilities: drop: - ALL serviceAccountName: polaris-certificates restartPolicy: Never volumes: - name: tmp emptyDir: {} --- # Source: polaris/templates/webhook.configuration.yaml apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: name: polaris-webhook webhooks: - admissionReviewVersions: - v1beta1 clientConfig: caBundle: "" service: name: polaris-webhook namespace: polaris path: /validate port: 443 failurePolicy: Ignore matchPolicy: Exact name: polaris.fairwinds.com namespaceSelector: matchExpressions: - key: control-plane operator: DoesNotExist objectSelector: {} rules: - apiGroups: - apps apiVersions: - v1 - v1beta1 - v1beta2 operations: - CREATE - UPDATE resources: - daemonsets - deployments - statefulsets scope: Namespaced - apiGroups: - batch apiVersions: - v1 - v1beta1 operations: - CREATE - UPDATE resources: - jobs - cronjobs scope: Namespaced - apiGroups: - "" apiVersions: - v1 operations: - CREATE - UPDATE resources: - pods - replicationcontrollers scope: Namespaced sideEffects: None timeoutSeconds: 30