---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-addon: custom-kube-scheduler-sa.addons.k8s.io
    k8s-app: custom-kube-scheduler-sa
  name: custom-kube-scheduler-sa
  namespace: custom-kube-scheduler-webhook
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: custom-kube-scheduler-sa
  labels:
    k8s-addon: custom-kube-scheduler-sa.addons.k8s.io
    k8s-app: custom-kube-scheduler-sa
rules:
  - apiGroups: [""]
    resources: ["events", "endpoints"]
    verbs: ["create", "patch"]
  - apiGroups: [""]
    resources: ["pods/eviction"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["endpoints"]
    resourceNames: ["custom-kube-scheduler-sa"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["watch", "list", "get", "update"]
  - apiGroups: [""]
    resources:
      - "pods"
      - "services"
      - "replicationcontrollers"
      - "persistentvolumeclaims"
      - "persistentvolumes"
      - "namespaces"
      - "deployments"
    verbs: ["watch", "list", "get"]
  - apiGroups: ["extensions"]
    resources: ["replicasets", "daemonsets"]
    verbs: ["watch", "list", "get"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["watch", "list"]
  - apiGroups: ["apps"]
    resources: ["statefulsets", "replicasets", "daemonsets"]
    verbs: ["watch", "list", "get"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses", "csinodes"]
    verbs: ["watch", "list", "get"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
  - apiGroups: ["coordination.k8s.io"]
    resourceNames: ["custom-kube-scheduler-sa"]
    resources: ["leases"]
    verbs: ["get", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: custom-kube-scheduler-sa
  namespace: custom-kube-scheduler-webhook
  labels:
    k8s-addon: custom-kube-scheduler-sa.addons.k8s.io
    k8s-app: custom-kube-scheduler-sa
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create","list","watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["custom-kube-scheduler-sa-status", "custom-kube-scheduler-sa-priority-expander"]
    verbs: ["delete", "get", "update", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: custom-kube-scheduler-sa
  labels:
    k8s-addon: custom-kube-scheduler-sa.addons.k8s.io
    k8s-app: custom-kube-scheduler-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: custom-kube-scheduler-sa
    namespace: custom-kube-scheduler-webhook

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: custom-kube-scheduler-sa
  namespace: custom-kube-scheduler-webhook
  labels:
    k8s-addon: custom-kube-scheduler-sa.addons.k8s.io
    k8s-app: custom-kube-scheduler-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: custom-kube-scheduler-sa
subjects:
  - kind: ServiceAccount
    name: custom-kube-scheduler-sa
    namespace: custom-kube-scheduler-webhook
---
apiVersion: v1
kind: Service
metadata:
  name: custom-kube-scheduler-webhook
  namespace: custom-kube-scheduler-webhook
  labels:
    app: custom-kube-scheduler-webhook
spec:
  ports:
  - port: 443
    targetPort: 8443
  selector:
    app: custom-kube-scheduler-webhook
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: custom-kube-scheduler-webhook
  namespace: custom-kube-scheduler-webhook
  labels:
    app: custom-kube-scheduler-webhook
spec:
  replicas: 1
  selector:
    matchLabels:
      app: custom-kube-scheduler-webhook
  template:
    metadata:
      labels:
        app: custom-kube-scheduler-webhook
    spec:
      serviceAccountName: custom-kube-scheduler-sa
      containers:
        - name: custom-kube-scheduler-webhook
          image: $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/custom-kube-scheduler-webhook
          env:
          - name: LOG_LEVEL
            value: "INFO"  # allowed values are "INFO", "TRACE"
          - name: RECONCILER_PERIOD
            value: "5"
          - name: BLOCKLISTED_NAMESPACE_LIST
            value: "kube-system,kube-public,default"          
          imagePullPolicy: Always
          args:
          - -tlsCertFile=/etc/webhook/certs/tls.crt
          - -tlsKeyFile=/etc/webhook/certs/tls.key
          - -alsologtostderr
          - -v=6
          - 2>&1
          volumeMounts:
          - name: webhook-certs
            mountPath: /etc/webhook/certs
            readOnly: true
      volumes:
      - name: webhook-certs
        secret:
          secretName: $SECRET