API Access Control
Admission Controllers
MutatingAdmissionWebhook
ValidatingAdmissionWebhook
ValidatingWebhookConfiguration
# ValidatingWebhookConfiguration installed by the ingress-nginx Helm chart
# (release "ingress-nginx-internal", chart ingress-nginx-4.8.1, app 1.9.1).
# It registers the controller's admission endpoint with the kube-apiserver so
# that every Ingress CREATE/UPDATE is sent to the controller for validation
# before it is persisted. What exactly is validated is decided by the
# controller, not by this object.
# NOTE(review): this object is Helm-managed (meta.helm.sh annotations) — hand
# edits are reverted on the next `helm upgrade`; change chart values instead.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx-internal
    meta.helm.sh/release-namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx-internal
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.9.1
    helm.sh/chart: ingress-nginx-4.8.1
  name: ingress-nginx-internal-admission
webhooks:
  - admissionReviewVersions:
      # Only the current admission.k8s.io/v1 AdmissionReview payload format is
      # accepted; no deprecated v1beta1 fallback is offered.
      - v1
    clientConfig:
      # Empty in this listing. The apiserver verifies the webhook's serving
      # certificate against caBundle; per the API reference an unset caBundle
      # means the apiserver's system trust roots are used, which will not trust
      # the chart's self-signed serving cert. Combined with failurePolicy: Fail
      # that would deny every Ingress write. The chart normally fills this in
      # via its certgen "patch" job — confirm the field is populated in-cluster.
      caBundle:
      service:
        name: ingress-nginx-internal-controller-admission
        namespace: ingress-nginx
        path: /networking/v1/ingresses
        port: 443  # Service port; webhooks are always called over HTTPS
    # Fail closed: if the webhook is unreachable, returns an error or exceeds
    # timeoutSeconds, the Ingress write is rejected. This is the right default
    # for a validating hook, but it ties Ingress availability to the
    # controller's admission pods being healthy.
    failurePolicy: Fail
    # Requests made through any API version equivalent to the rule below are
    # converted and intercepted too, so callers cannot bypass validation by
    # using another version of the Ingress API.
    matchPolicy: Equivalent
    name: validate.nginx.ingress.kubernetes.io
    namespaceSelector: {}  # all namespaces, kube-system included
    objectSelector: {}     # all Ingress objects — no label-based opt-out
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE  # DELETE is not sent to the webhook
        resources:
          - ingresses
        scope: '*'
    # The webhook declares it makes no out-of-band changes, so the apiserver
    # may call it for dry-run requests as well.
    sideEffects: None
    # After 10s the apiserver stops waiting; with failurePolicy: Fail that
    # means the request is denied rather than admitted.
    timeoutSeconds: 10
MutatingWebhookConfiguration
# MutatingWebhookConfiguration for the Banzai Cloud vault-secrets-webhook,
# installed by Helm into the vault-secrets-webhook namespace. It registers
# three hooks on the same service: /pods (CREATE), /secrets and /configmaps
# (CREATE + UPDATE). The mutation itself is performed by the service and is
# not visible here (presumably it resolves Vault references in the object —
# confirm against the webhook's documentation).
# Trust boundary: whoever controls the vault-secrets-webhook Service can
# rewrite every new Pod, Secret and ConfigMap outside kube-system. Treat the
# webhook's serving cert, its Vault credentials and RBAC on
# mutatingwebhookconfigurations as cluster-admin-sensitive.
# NOTE(review): Helm-managed (meta.helm.sh annotations) — hand edits are
# reverted on the next `helm upgrade`; change chart values instead.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    meta.helm.sh/release-name: vault-secrets-webhook
    meta.helm.sh/release-namespace: vault-secrets-webhook
  labels:
    app.kubernetes.io/managed-by: Helm
  name: vault-secrets-webhook
webhooks:
  - admissionReviewVersions:
      # Only the deprecated admission.k8s.io/v1beta1 AdmissionReview format is
      # listed. The apiserver sends the first version in this list it supports
      # and rejects the configuration if it supports none of them, so this
      # becomes a hard failure on a release that drops v1beta1. Listing
      # `v1` first with `v1beta1` as fallback is the usual fix, but only once
      # the webhook server is confirmed to handle v1 payloads — under
      # failurePolicy: Ignore a parse error would silently disable mutation.
      - v1beta1
    clientConfig:
      # Empty in this listing. Per the API reference an unset caBundle makes
      # the apiserver fall back to its system trust roots, which will not trust
      # a self-signed serving cert; with failurePolicy: Ignore the resulting
      # TLS failure silently skips mutation. Confirm the field is populated
      # in-cluster (chart certgen job or cert-manager CA injection).
      caBundle:
      service:
        name: vault-secrets-webhook
        namespace: vault-secrets-webhook
        path: /pods
        port: 443
    # Fail open: if the webhook is down, times out (10s) or its cert does not
    # validate, the Pod is admitted UNMUTATED. Workloads then start without the
    # injected values and fail (or misbehave) at runtime instead of at
    # admission. This is an availability-over-correctness choice; alert on
    # apiserver webhook fail-open/error metrics so outages are not silent.
    failurePolicy: Ignore
    matchPolicy: Equivalent
    name: pods.vault-secrets-webhook.admission.banzaicloud.com
    # Excludes kube-system and the webhook's own namespace so the webhook can
    # come up (and control-plane pods can be created) without calling itself.
    # `kubernetes.io/metadata.name` is set by the apiserver on every namespace;
    # the bare `name` label is a legacy convention that is NOT set
    # automatically, hence both are matched. Every other namespace is in scope.
    namespaceSelector:
      matchExpressions:
        - key: name
          operator: NotIn
          values:
            - kube-system
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - vault-secrets-webhook
    # Label-based opt-out: any Pod labelled security.banzaicloud.io/mutate=skip
    # is not sent to the webhook. Anyone who can label their own Pods can
    # therefore bypass injection — acceptable for a convenience hook, but this
    # webhook must not be relied on as a policy-enforcement point.
    objectSelector:
      matchExpressions:
        - key: security.banzaicloud.io/mutate
          operator: NotIn
          values:
            - skip
    # Never re-run after other mutating webhooks. If a later hook (e.g. a
    # sidecar injector) adds containers that also need Vault values, they are
    # NOT mutated; `IfNeeded` would cover that case.
    reinvocationPolicy: Never
    rules:
      # Pods live in the core ("") API group; '*' is broader than necessary.
      # Only CREATE is hooked — the Pod spec is largely immutable afterwards.
      - apiGroups:
          - '*'
        apiVersions:
          - '*'
        operations:
          - CREATE
        resources:
          - pods
        scope: '*'
    # The webhook is called for dry-run requests too and promises to cause
    # no side effects on them.
    sideEffects: NoneOnDryRun
    timeoutSeconds: 10  # on expiry the request is admitted unmutated (Ignore)
  - admissionReviewVersions:
      - v1beta1  # deprecated format only; see note on the /pods hook above
    clientConfig:
      caBundle:  # empty in this listing; must be populated in-cluster
      service:
        name: vault-secrets-webhook
        namespace: vault-secrets-webhook
        path: /secrets
        port: 443
    failurePolicy: Ignore  # fail open: Secret written unmutated on webhook error
    matchPolicy: Equivalent
    name: secrets.vault-secrets-webhook.admission.banzaicloud.com
    namespaceSelector:
      matchExpressions:
        - key: name
          operator: NotIn
          values:
            - kube-system
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - vault-secrets-webhook
    objectSelector:
      matchExpressions:
        # Helm stores release state in Secrets labelled owner=helm; skipping
        # them keeps the webhook from rewriting release records.
        - key: owner
          operator: NotIn
          values:
            - helm
        - key: security.banzaicloud.io/mutate
          operator: NotIn
          values:
            - skip
    reinvocationPolicy: Never
    rules:
      # Secrets are core-group resources; '*' is broader than necessary.
      - apiGroups:
          - '*'
        apiVersions:
          - '*'
        operations:
          - CREATE
          - UPDATE
        resources:
          - secrets
        scope: '*'
    sideEffects: NoneOnDryRun
    timeoutSeconds: 10
  - admissionReviewVersions:
      - v1beta1  # deprecated format only; see note on the /pods hook above
    clientConfig:
      caBundle:  # empty in this listing; must be populated in-cluster
      service:
        name: vault-secrets-webhook
        namespace: vault-secrets-webhook
        path: /configmaps
        port: 443
    failurePolicy: Ignore  # fail open: ConfigMap written unmutated on webhook error
    matchPolicy: Equivalent
    name: configmaps.vault-secrets-webhook.admission.banzaicloud.com
    namespaceSelector:
      matchExpressions:
        - key: name
          operator: NotIn
          values:
            - kube-system
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - vault-secrets-webhook
    objectSelector:
      matchExpressions:
        - key: owner  # skip Helm-owned objects, as for Secrets
          operator: NotIn
          values:
            - helm
        - key: security.banzaicloud.io/mutate
          operator: NotIn
          values:
            - skip
    reinvocationPolicy: Never
    rules:
      # ConfigMaps are core-group resources; '*' is broader than necessary.
      - apiGroups:
          - '*'
        apiVersions:
          - '*'
        operations:
          - CREATE
          - UPDATE
        resources:
          - configmaps
        scope: '*'
    sideEffects: NoneOnDryRun
    timeoutSeconds: 10