--- apiVersion: v1 kind: Service metadata: name: vpc-admission-webhook-svc labels: app: vpc-admission-webhook spec: ports: - port: 443 targetPort: 443 selector: app: vpc-admission-webhook --- apiVersion: apps/v1 kind: Deployment metadata: name: vpc-admission-webhook-deployment labels: app: vpc-admission-webhook spec: replicas: 1 selector: matchLabels: app: vpc-admission-webhook template: metadata: labels: app: vpc-admission-webhook spec: containers: - name: vpc-admission-webhook args: - -tlsCertFile=/etc/webhook/certs/cert.pem - -tlsKeyFile=/etc/webhook/certs/key.pem - -alsologtostderr - -v=4 - 2>&1 image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/vpc-admission-webhook:beta imagePullPolicy: Always volumeMounts: - name: webhook-certs mountPath: /etc/webhook/certs readOnly: true hostNetwork: true nodeSelector: beta.kubernetes.io/os: linux beta.kubernetes.io/arch: amd64 volumes: - name: webhook-certs secret: secretName: vpc-admission-webhook-certs --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: vpc-admission-webhook-cfg labels: app: vpc-admission-webhook webhooks: - name: vpc-admission-webhook.amazonaws.com clientConfig: service: name: vpc-admission-webhook-svc namespace: default path: "/mutate" caBundle: ${CA_BUNDLE} rules: - operations: [ "CREATE" ] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] failurePolicy: Ignore ---