Add PodDisruptionBudget and topologySpreadConstraints for eks-pod-identity-webhook

tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content

@@ -53,7 +53,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml
-    manifestHash: 781012ab6de0bc9188332dd94f232d3d771332f062005c769d5ddf452f77dc11
+    manifestHash: 9d92eb7408dee4f5d9be3cba887e8dc8f8c4a9480f6dbdccda32c920384f8505
     name: eks-pod-identity-webhook.addons.k8s.io
     needsPKI: true
     selector:

tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-eks-pod-identity-webhook.addons.k8s.io-k8s-1.16_content

@@ -136,6 +136,19 @@ spec:
           name: cert
           readOnly: true
       serviceAccountName: pod-identity-webhook
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app: pod-identity-webhook
+        maxSkew: 1
+        topologyKey: topology.kubernetes.io/zone
+        whenUnsatisfiable: ScheduleAnyway
+      - labelSelector:
+          matchLabels:
+            app: pod-identity-webhook
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
       volumes:
       - name: cert
         secret:
@@ -253,3 +266,21 @@ metadata:
     k8s-addon: eks-pod-identity-webhook.addons.k8s.io
   name: pod-identity-webhook
   namespace: kube-system
+
+---
+
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  creationTimestamp: null
+  labels:
+    addon.kops.k8s.io/name: eks-pod-identity-webhook.addons.k8s.io
+    app.kubernetes.io/managed-by: kops
+    k8s-addon: eks-pod-identity-webhook.addons.k8s.io
+  name: pod-identity-webhook
+  namespace: kube-system
+spec:
+  maxUnavailable: 50%
+  selector:
+    matchLabels:
+      app: pod-identity-webhook

upup/models/cloudup/resources/addons/eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml.template

@@ -96,6 +96,19 @@ spec:
         - name: cert
           mountPath: "/etc/webhook/certs"
           readOnly: true
+      topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: "topology.kubernetes.io/zone"
+        whenUnsatisfiable: ScheduleAnyway
+        labelSelector:
+          matchLabels:
+            app: pod-identity-webhook
+      - maxSkew: 1
+        topologyKey: "kubernetes.io/hostname"
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app: pod-identity-webhook
       volumes:
       - name: cert
         secret:
@@ -180,4 +193,15 @@ metadata:
     prometheus.io/scheme: "https"
     prometheus.io/scrape: "true"
 data:
-  config: {{ PodIdentityWebhookConfigMapData }}
+  config: {{ PodIdentityWebhookConfigMapData }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: pod-identity-webhook
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      app: pod-identity-webhook
+  maxUnavailable: 50%