
# Namespace that holds the webhook Deployment, its ConfigMap, Service and
# serving certificate; every object below carries the same system label.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    mpod.aad-pod-identity.io/system: "true"
  name: aad-pi-webhook-system
---
# Cluster-wide permissions granted to the webhook pod (see the
# ClusterRoleBinding that follows). creationTimestamp: null is a generator
# artefact; the API server ignores it on create.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  labels:
    mpod.aad-pod-identity.io/system: "true"
  name: aad-pi-webhook-manager-role
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      # NOTE(review): a pod-mutating webhook that reads ServiceAccount
      # annotations needs get/list/watch; confirm the manager actually writes
      # ServiceAccounts before keeping create/patch/update at cluster scope.
      - create
      - get
      - list
      - patch
      - update
      - watch
---
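# Dedicated identity for the webhook pod. The original manifest bound the
# ClusterRole to the namespace's "default" ServiceAccount, which is also what
# any other pod scheduled into this namespace without an explicit
# serviceAccountName would run as; a dedicated account keeps the cluster-wide
# grant attached to the webhook alone.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    mpod.aad-pod-identity.io/system: "true"
  name: aad-pi-webhook-admin  # constructed name; choose any name not already used in the namespace
  namespace: aad-pi-webhook-system
---
# Grants aad-pi-webhook-manager-role to the dedicated ServiceAccount above
# (and no longer to "default").
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    mpod.aad-pod-identity.io/system: "true"
  name: aad-pi-webhook-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aad-pi-webhook-manager-role
subjects:
  - kind: ServiceAccount
    name: aad-pi-webhook-admin
    namespace: aad-pi-webhook-system
---
# Environment for the manager container (consumed via envFrom below).
apiVersion: v1
data:
  # Placeholder: set to the tenant GUID before applying. Quoted so a value
  # that happens to look like a number or boolean still arrives as a string.
  AZURE_TENANT_ID: "<replace with Azure Tenant ID>"
kind: ConfigMap
metadata:
  labels:
    mpod.aad-pod-identity.io/system: "true"
  name: aad-pi-webhook-config
  namespace: aad-pi-webhook-system
---
# ClusterIP Service fronting the webhook listener; the API server reaches the
# webhook on 443, forwarded to the container's 9443.
apiVersion: v1
kind: Service
metadata:
  labels:
    mpod.aad-pod-identity.io/system: "true"
  name: aad-pi-webhook-webhook-service
  namespace: aad-pi-webhook-system
spec:
  ports:
    - port: 443
      targetPort: 9443
  selector:
    mpod.aad-pod-identity.io/system: "true"
---
# The webhook server itself. Single replica: while it is unavailable the
# MutatingWebhookConfiguration (failurePolicy: Ignore) lets pods through
# unmutated, so an outage is silent rather than blocking.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    mpod.aad-pod-identity.io/system: "true"
  name: aad-pi-webhook-controller-manager
  namespace: aad-pi-webhook-system
spec:
  replicas: 1
  selector:
    matchLabels:
      mpod.aad-pod-identity.io/system: "true"
  template:
    metadata:
      labels:
        mpod.aad-pod-identity.io/system: "true"
    spec:
      # Run as the dedicated account defined at the top of this group instead
      # of the implicit "default" ServiceAccount.
      serviceAccountName: aad-pi-webhook-admin
      containers:
        - args:
            - -arc-cluster=false
          command:
            - /manager
          envFrom:
            - configMapRef:
                name: aad-pi-webhook-config
          image: mcr.microsoft.com/oss/azure/aad-pod-managed-identity/webhook:v0.2.0
          imagePullPolicy: IfNotPresent
          name: manager
          ports:
            - containerPort: 9443
              name: webhook-server
              protocol: TCP
          resources:
            limits:
              cpu: 100m
              memory: 30Mi
            requests:
              cpu: 100m
              memory: 20Mi
          # Baseline hardening that cannot break a TLS listener on an
          # unprivileged port (9443 needs no capability).
          # NOTE(review): add runAsNonRoot/readOnlyRootFilesystem once the
          # image's user and write paths have been confirmed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /tmp/k8s-webhook-server/serving-certs
              name: cert
              readOnly: true
      nodeSelector:
        kubernetes.io/os: linux
      volumes:
        - name: cert
          secret:
            # 420 decimal == 0644; the Secret is written by cert-manager from
            # the Certificate further down.
            defaultMode: 420
            secretName: webhook-server-cert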
---
# Serving certificate for the webhook, issued by the self-signed Issuer below
# and stored in the Secret the Deployment mounts. Both in-cluster DNS forms
# of the Service are listed so the API server's SAN check passes.
# NOTE(review): cert-manager.io/v1alpha2 is no longer served by newer
# cert-manager releases; the same fields exist under cert-manager.io/v1.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  labels:
    mpod.aad-pod-identity.io/system: "true"
  name: aad-pi-webhook-serving-cert
  namespace: aad-pi-webhook-system
spec:
  dnsNames:
    - aad-pi-webhook-webhook-service.aad-pi-webhook-system.svc
    - aad-pi-webhook-webhook-service.aad-pi-webhook-system.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: aad-pi-webhook-selfsigned-issuer
  secretName: webhook-server-cert
---
# Namespaced self-signed Issuer used only for the webhook's serving cert; the
# API server trusts it because cert-manager injects the resulting CA into the
# MutatingWebhookConfiguration (inject-ca-from annotation).
# NOTE(review): same API-version caveat as the Certificate above.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  labels:
    mpod.aad-pod-identity.io/system: "true"
  name: aad-pi-webhook-selfsigned-issuer
  namespace: aad-pi-webhook-system
spec:
  selfSigned: {}
---
# Registers the webhook with the API server. No namespaceSelector or
# objectSelector is set, so every pod CREATE/UPDATE in the cluster is sent to
# /mutate-v1-pod; with failurePolicy: Ignore a pod is admitted unmutated when
# the webhook is unreachable, which is safe for availability but means a
# missing identity injection will not surface as an admission error.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    # cert-manager fills clientConfig.caBundle from this Certificate.
    cert-manager.io/inject-ca-from: aad-pi-webhook-system/aad-pi-webhook-serving-cert
  labels:
    mpod.aad-pod-identity.io/system: "true"
  name: aad-pi-webhook-mutating-webhook-configuration
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: aad-pi-webhook-webhook-service
        namespace: aad-pi-webhook-system
        path: /mutate-v1-pod
    failurePolicy: Ignore
    matchPolicy: Equivalent
    name: mpod.aad-pod-identity.io
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - pods
    sideEffects: None