apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: kruise-mutating-webhook-configuration annotations: template: "" {{- if .Values.externalCerts.annotations }} {{ toYaml .Values.externalCerts.annotations | indent 4 }} {{- end }} webhooks: {{- if not (contains "PodWebhook=false" .Values.featureGates) }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-pod timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} failurePolicy: Fail name: mpod.kb.io namespaceSelector: matchExpressions: - key: control-plane operator: NotIn values: - openkruise - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods sideEffects: None {{- end }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-v1alpha1-advancedcronjob failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: madvancedcronjob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - advancedcronjobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-v1alpha1-broadcastjob failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: mbroadcastjob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - broadcastjobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-v1alpha1-cloneset failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: mcloneset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - clonesets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-v1alpha1-containerrecreaterequest failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: mcontainerrecreaterequest.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - containerrecreaterequests sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-v1alpha1-daemonset failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: mdaemonset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - daemonsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-v1alpha1-imagelistpulljob failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: mimagelistpulljob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - imagelistpulljobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-v1alpha1-imagepulljob failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: mimagepulljob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - imagepulljobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-v1alpha1-nodeimage failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: mnodeimage.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - nodeimages sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-v1alpha1-sidecarset failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: msidecarset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - sidecarsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-statefulset failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: mstatefulset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 - v1beta1 operations: - CREATE - UPDATE resources: - statefulsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /mutate-apps-kruise-io-v1alpha1-uniteddeployment failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: muniteddeployment.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - uniteddeployments sideEffects: None --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: kruise-validating-webhook-configuration annotations: template: "" {{- if .Values.externalCerts.annotations }} {{ toYaml .Values.externalCerts.annotations | indent 4 }} {{- end }} webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-deployment failurePolicy: Ignore timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vbuiltindeployment.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system rules: - apiGroups: - apps apiVersions: - v1 operations: - DELETE resources: - deployments sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-replicaset failurePolicy: Ignore timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vbuiltinreplicaset.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system rules: - apiGroups: - apps apiVersions: - v1 operations: - DELETE resources: - replicasets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-statefulset failurePolicy: Ignore timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vbuiltinstatefulset.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system rules: - apiGroups: - apps apiVersions: - v1 operations: - DELETE resources: - statefulsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-customresourcedefinition failurePolicy: Ignore timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vcustomresourcedefinition.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system rules: - apiGroups: - apiextensions.k8s.io apiVersions: - v1 - v1beta1 operations: - DELETE resources: - customresourcedefinitions sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-namespace failurePolicy: Ignore timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vnamespace.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system rules: - apiGroups: - "" apiVersions: - v1 operations: - DELETE resources: - namespaces sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-ingress failurePolicy: Ignore timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vingress.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system rules: - apiGroups: - networking.k8s.io apiVersions: - v1 - v1beta1 operations: - DELETE resources: - ingresses sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-service failurePolicy: Ignore timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vservice.kb.io objectSelector: matchExpressions: - key: policy.kruise.io/delete-protection operator: Exists namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system rules: - apiGroups: - "" apiVersions: - v1 operations: - DELETE resources: - services sideEffects: None {{- if not (contains "PodWebhook=false" .Values.featureGates) }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-pod failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vpod.kb.io namespaceSelector: matchExpressions: - key: control-plane operator: NotIn values: - openkruise - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system rules: - apiGroups: - "" apiVersions: - v1 operations: - UPDATE - DELETE resources: - pods sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-pod failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vpodeviction.kb.io namespaceSelector: matchExpressions: - key: control-plane operator: NotIn values: - openkruise - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods/eviction sideEffects: None {{- end }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-resourcedistribution failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vresourcedistribution.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - resourcedistributions sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-workloadspread failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vworkloadspread.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - workloadspreads sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-advancedcronjob failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vadvancedcronjob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - advancedcronjobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-broadcastjob failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vbroadcastjob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - broadcastjobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-cloneset failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vcloneset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE - DELETE resources: - clonesets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-daemonset failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vdaemonset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - daemonsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-imagelistpulljob failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vimagelistpulljob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - imagelistpulljobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-imagepulljob failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vimagepulljob.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - imagepulljobs sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-nodeimage failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vnodeimage.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - nodeimages sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-persistentpodstate failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vpersistentpodstate.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - persistentpodstates sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-podprobemarker failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vpodprobemarker.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - podprobemarkers sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-policy-kruise-io-podunavailablebudget failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vpodunavailablebudget.kb.io rules: - apiGroups: - policy.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - podunavailablebudgets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-sidecarset failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vsidecarset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - sidecarsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-statefulset failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vstatefulset.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 - v1beta1 operations: - CREATE - UPDATE - DELETE resources: - statefulsets sideEffects: None - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: kruise-webhook-service namespace: {{ .Values.installation.namespace }} path: /validate-apps-kruise-io-v1alpha1-uniteddeployment failurePolicy: Fail timeoutSeconds: {{ .Values.webhookConfiguration.timeoutSeconds }} name: vuniteddeployment.kb.io rules: - apiGroups: - apps.kruise.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE - DELETE resources: - uniteddeployments sideEffects: None