apiVersion: v1 kind: Namespace metadata: name: mitigation-webhook-log4j --- apiVersion: v1 data: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlFSkRDQ0F3eWdBd0lCQWdJVUUxajV6Sk52WWlTbUg1QTAxYnVoU2RyWDRXUXdEUVlKS29aSWh2Y05BUUVMDQpCUUF3UGpFOE1Eb0dBMVVFQXd3emJXbDBhV2RoZEdsdmJpMTNaV0pvYjI5ckxYTjJZeTV0YVhScFoyRjBhVzl1DQpMWGRsWW1odmIyc3RiRzluTkdvdWMzWmpNQjRYRFRJeE1USXlNVEU1TWpjeU1sb1hEVEl5TVRJeU1URTVNamN5DQpNbG93UGpFOE1Eb0dBMVVFQXd3emJXbDBhV2RoZEdsdmJpMTNaV0pvYjI5ckxYTjJZeTV0YVhScFoyRjBhVzl1DQpMWGRsWW1odmIyc3RiRzluTkdvdWMzWmpNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDDQpBUUVBeW1UZzJOUEZhUXdFSyt2T2FjbzgyTGNETUJYU1NQV3VxcW5XT085eEVwRjlIekRYOUw2T0UrME5LcHcrDQp4K0hlRXFjSkk3MTNLZTNuNVdYaHlyY1VNUXd0aFpMMER2UTBuMUkya0lJTko1M04rcW53QnQzU0dTRXBhR25jDQpheGo4cTQrMGp4OE9pMUVnM1ZJZDc0S2I3VDZaM1pYTGlZNDRpdFFwd2NQZzZHbFVKbjd6ZTlBSGNPbTZpL1IwDQpabk04VmdlVTRiaVROb2J1aUw3K1RBSXh2aExsYlk2Z05JZWo2ZlRwc2p6ZjJUY1UrblFmVzUxL3gwUnJIa05CDQpJUG1zTHZmZXBhKzRXSzRSYXZZMUdUMjZpc1RyS1VnamhWK1habU12bjEyZVdKY1BUN3RGYkxMUHgrUVJ6ZWk1DQo0L1UwYmFYdmxsdGVOdkZKM2x3VXVNTUpxd0lEQVFBQm80SUJHRENDQVJRd0hRWURWUjBPQkJZRUZOODRncEJ2DQp2bncrWGpkcDlaMjlscTc2ZEV3TE1COEdBMVVkSXdRWU1CYUFGTjg0Z3BCdnZudytYamRwOVoyOWxxNzZkRXdMDQpNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdnY0FHQTFVZEVRU0J1RENCdFlJemJXbDBhV2RoZEdsdmJpMTNaV0pvDQpiMjlyTFhOMll5NXRhWFJwWjJGMGFXOXVMWGRsWW1odmIyc3RiRzluTkdvdWMzWmpnanR0YVhScFoyRjBhVzl1DQpMWGRsWW1odmIyc3RjM1pqTG0xcGRHbG5ZWFJwYjI0dGQyVmlhRzl2YXkxc2IyYzBhaTV6ZG1NdVkyeDFjM1JsDQpjb0pCYldsMGFXZGhkR2x2YmkxM1pXSm9iMjlyTFhOMll5NXRhWFJwWjJGMGFXOXVMWGRsWW1odmIyc3RiRzluDQpOR291YzNaakxtTnNkWE4wWlhJdWJHOWpZV3d3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUVIbmxGVDArNDZhDQp0R2h6Y1BsUEhjU094TUxHS05nTU9mZmNQS0JIYkVzdm1DbVNNN3RJaXJUa280RHlwRStuanlCVkoxakl4VHpWDQpHVHk5bFhvT2pZOHVyVjAvSVowMmppYnoxUVp4UG85UG5vQm1YTlVZM3B3cDV6MElJMUw3TlFLOWwyUHV0Y2VmDQp5R3hPRC91QXVHdUVVcHZFMUNDdzUzRG85YXkwZ2xCWm9VdDBna0t1eUxvenk1Tk1BVGh6MjcyT2dReHlSbWVYDQpLTEFSQTZjMnJkTGM3cS9UcTg3d0p2UXhXY0dIbjV4M2dJZk5PNGhzamg2NUpKY3I5aFI0cnlsM0dTTWVUZWtkDQpuNk9oelE5eTVQaXNRc0dnT3QwbXpNdlhmNDJCOTBVUW5DcnRKdmhZT1NCVlFaQ1RuR1FueDJZWWp0UTRtUkFDDQpEejBjRTZPcjFJND0NCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0NCg== tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tDQpNSUlFdkFJQkFEQU5CZ2txaGtpRzl3MEJBUUVGQUFTQ0JLWXdnZ1NpQWdFQUFvSUJBUURLWk9EWTA4VnBEQVFyDQo2ODVweWp6WXR3TXdGZEpJOWE2cXFkWTQ3M0VTa1gwZk1OZjB2bzRUN1EwcW5EN0g0ZDRTcHdranZYY3A3ZWZsDQpaZUhLdHhReERDMkZrdlFPOURTZlVqYVFnZzBubmMzNnFmQUczZElaSVNsb2FkeHJHUHlyajdTUEh3NkxVU0RkDQpVaDN2Z3B2dFBwbmRsY3VKamppSzFDbkJ3K0RvYVZRbWZ2TjcwQWR3NmJxTDlIUm1jenhXQjVUaHVKTTJodTZJDQp2djVNQWpHK0V1VnRqcUEwaDZQcDlPbXlQTi9aTnhUNmRCOWJuWC9IUkdzZVEwRWcrYXd1OTk2bHI3aFlyaEZxDQo5alVaUGJxS3hPc3BTQ09GWDVkbVl5K2ZYWjVZbHc5UHUwVnNzcy9INUJITjZMbmo5VFJ0cGUrV1cxNDI4VW5lDQpYQlM0d3dtckFnTUJBQUVDZ2dFQUx0eG9pd3VOVzZNaW5DQys3Qk9kUHZnd3pzTmVxdkhuZlRCUm4yRWhKeEYwDQpqUEk4TGppb29NaDBFZmVYT2FSOFRJbE1QbkF4MVExMmNkRERGTEtMQkVnemlnZmFabFA0a3lMdjYwbVJUaWpsDQpkakkrbHZocEd0Um94L29xeE1sR1IxckFqWnE5UFZpTmFYRUg2VnF1UzZJQThpTXF1ekNvdXN3ZzF2Skpjc1gyDQozd0NaOG51Z3Y3a3hESHc1OEV2MHQrWGRWT2xVTXNVMmJicDVJYnpZcE1ja05NK2pKT1lCTmowejh4OWdnNXNDDQpvOHo5QXQzZkcxN0NVOGYyVlpIK29KQmFRZmZ3MXF2eHNHVzY5Ylo3N0RjdnBjcE11SkJWOFpSTkJoTzFVV000DQpzWklleWtwVnQvV0YxMUcwdUVuTFkrMjFIQjJJbTNyWVNTMDhTdWQvVVFLQmdRRHYwWVZWcGYxV1BmOStlbUdtDQpZSXZaRkF6N2U4R1pYd3orU1NleWxEYjhGRnVrRnJrWGlaTUhPbnJyWU5uRVg2ektVZXZhTGFVRGd2ZWhqSzAzDQppcWFQMzE4dG85WUx6bEROSGt4K2F3L1pDYmZHWFBQaktRRE1lV1dJTXFlUVJMdEFIQm95SVpLNnNsS0QzeW92DQoyNVBvdzRZZ1dYL2JkbWFxVEJUVHJrcmZMd0tCZ1FEWURPbEUrWFl2VGF4Zlp1S2hpdGxNMndXL1BsL1R2dEluDQpRLzc0WHpBWGI4QTJ4MTIzajE1MVo5NkI1K3ZWOHlkMUY0eXRQZnV3L0FicHR6UVZLeWVkS1hPWVhzV3ZaZkdPDQpkVjJScENJdHR4NzJOOE9vbTlyUnh0dTdzbm9qdUszSXRibHVVbjd1UnEwR0Vzbk83eENmd1F6YzMxa0V2aDhPDQoyaGJYNWhDK1JRS0JnRUEyamNrZEpQUk9yWGFrTmpsaWFJKzdlcTVydUs3a2NJbzE5RmN3c0hoV3l5TG9vcTdXDQp1M09ZQ1FtMWFSblh0R0NJQnVyb2hlS20wcitDOTI2RHhZMklkZWUya3IyZWhLd25qTHZjMXVWNllLYlFoTTB5DQpVWEJ1b08wVEF5THlCR0ZxSk9sL2E5WnBvUWFHWHJscHhmVHhSWnlyMmp4ZE82Z2xydjN2RVVVcEFvR0FLQUxVDQpISUw2Z1M0b1V3Nnh2K3IvN1R6T3BxazlnL0JkNlFtdHFYK3ZYMWZCeUNOSjF0bkZTNGJ0N1M3dlBSTW41b1p5DQo5ZzU1azBCSlkzVWJQeVJiMUw0OWV5VnFCTjZqU3BldnVXNGxLa1EwaHJLekdJR3NsNWIxVUtCd0FEZU9iNUpBDQpBZzlqRkd1Z1ZYU2JUU2gyOHE4RTI4NjlKS1MxQ2NJWDR1bm5oZVVDZ1lCeXZGYkw0blhnWVRVRitVRVhFVGJIDQo4d1ZraGd0N2U2czArMXBJWFFpN3Q5MExYQytndFdiK1M4MjhFTUt1ZHBqYmRwb2hjMG9haWRQZ1JPUXBYdjJHDQpDVkprQVdaTHRnYjk1U2t2b1BoNXoyOGZFclpMSFV5WlVuVFhVYVV6a1hEUWhxR0duU3JIWHRGMkxFKzFsTDJnDQoya3djVld5TnRqaEpGN3liNS83bmlRPT0NCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0NCg== kind: Secret metadata: name: webhook-secret namespace: mitigation-webhook-log4j type: kubernetes.io/tls --- apiVersion: apps/v1 kind: Deployment metadata: name: mitigation-webhook namespace: mitigation-webhook-log4j labels: app: mitigation-webhook spec: replicas: 1 selector: matchLabels: app: mitigation-webhook template: metadata: labels: app: mitigation-webhook spec: volumes: - name: webhook-secret-vol secret: secretName: webhook-secret containers: - name: mitigation-webhook image: public.ecr.aws/v2k0k1b1/k8s/mitigation-webhook-log4j:v1.1.0 ports: - containerPort: 8443 args: - "--key=/certs/tls.key" - "--cert=/certs/tls.crt" volumeMounts: - name: webhook-secret-vol mountPath: "/certs" resources: requests: memory: "250Mi" cpu: "250m" limits: memory: "512Mi" cpu: "512m" --- apiVersion: v1 kind: Service metadata: name: mitigation-webhook-svc namespace: mitigation-webhook-log4j spec: selector: app: mitigation-webhook ports: - protocol: TCP port: 443 targetPort: 443 --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: "mitigation-webhook-config" webhooks: - name: "mitigation-webhook-svc.mitigation-webhook-log4j.svc" namespaceSelector: matchExpressions: - key: "kubernetes.io/metadata.name" operator: NotIn values: ["kube-system", "kube-public"] rules: - apiGroups: [""] apiVersions: ["v1"] operations: ["CREATE", "UPDATE"] resources: ["pods"] scope: "Namespaced" clientConfig: service: namespace: "mitigation-webhook-log4j" name: "mitigation-webhook-svc" path: "/webhook" port: 443 caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlFSkRDQ0F3eWdBd0lCQWdJVUUxajV6Sk52WWlTbUg1QTAxYnVoU2RyWDRXUXdEUVlKS29aSWh2Y05BUUVMDQpCUUF3UGpFOE1Eb0dBMVVFQXd3emJXbDBhV2RoZEdsdmJpMTNaV0pvYjI5ckxYTjJZeTV0YVhScFoyRjBhVzl1DQpMWGRsWW1odmIyc3RiRzluTkdvdWMzWmpNQjRYRFRJeE1USXlNVEU1TWpjeU1sb1hEVEl5TVRJeU1URTVNamN5DQpNbG93UGpFOE1Eb0dBMVVFQXd3emJXbDBhV2RoZEdsdmJpMTNaV0pvYjI5ckxYTjJZeTV0YVhScFoyRjBhVzl1DQpMWGRsWW1odmIyc3RiRzluTkdvdWMzWmpNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDDQpBUUVBeW1UZzJOUEZhUXdFSyt2T2FjbzgyTGNETUJYU1NQV3VxcW5XT085eEVwRjlIekRYOUw2T0UrME5LcHcrDQp4K0hlRXFjSkk3MTNLZTNuNVdYaHlyY1VNUXd0aFpMMER2UTBuMUkya0lJTko1M04rcW53QnQzU0dTRXBhR25jDQpheGo4cTQrMGp4OE9pMUVnM1ZJZDc0S2I3VDZaM1pYTGlZNDRpdFFwd2NQZzZHbFVKbjd6ZTlBSGNPbTZpL1IwDQpabk04VmdlVTRiaVROb2J1aUw3K1RBSXh2aExsYlk2Z05JZWo2ZlRwc2p6ZjJUY1UrblFmVzUxL3gwUnJIa05CDQpJUG1zTHZmZXBhKzRXSzRSYXZZMUdUMjZpc1RyS1VnamhWK1habU12bjEyZVdKY1BUN3RGYkxMUHgrUVJ6ZWk1DQo0L1UwYmFYdmxsdGVOdkZKM2x3VXVNTUpxd0lEQVFBQm80SUJHRENDQVJRd0hRWURWUjBPQkJZRUZOODRncEJ2DQp2bncrWGpkcDlaMjlscTc2ZEV3TE1COEdBMVVkSXdRWU1CYUFGTjg0Z3BCdnZudytYamRwOVoyOWxxNzZkRXdMDQpNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdnY0FHQTFVZEVRU0J1RENCdFlJemJXbDBhV2RoZEdsdmJpMTNaV0pvDQpiMjlyTFhOMll5NXRhWFJwWjJGMGFXOXVMWGRsWW1odmIyc3RiRzluTkdvdWMzWmpnanR0YVhScFoyRjBhVzl1DQpMWGRsWW1odmIyc3RjM1pqTG0xcGRHbG5ZWFJwYjI0dGQyVmlhRzl2YXkxc2IyYzBhaTV6ZG1NdVkyeDFjM1JsDQpjb0pCYldsMGFXZGhkR2x2YmkxM1pXSm9iMjlyTFhOMll5NXRhWFJwWjJGMGFXOXVMWGRsWW1odmIyc3RiRzluDQpOR291YzNaakxtTnNkWE4wWlhJdWJHOWpZV3d3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUVIbmxGVDArNDZhDQp0R2h6Y1BsUEhjU094TUxHS05nTU9mZmNQS0JIYkVzdm1DbVNNN3RJaXJUa280RHlwRStuanlCVkoxakl4VHpWDQpHVHk5bFhvT2pZOHVyVjAvSVowMmppYnoxUVp4UG85UG5vQm1YTlVZM3B3cDV6MElJMUw3TlFLOWwyUHV0Y2VmDQp5R3hPRC91QXVHdUVVcHZFMUNDdzUzRG85YXkwZ2xCWm9VdDBna0t1eUxvenk1Tk1BVGh6MjcyT2dReHlSbWVYDQpLTEFSQTZjMnJkTGM3cS9UcTg3d0p2UXhXY0dIbjV4M2dJZk5PNGhzamg2NUpKY3I5aFI0cnlsM0dTTWVUZWtkDQpuNk9oelE5eTVQaXNRc0dnT3QwbXpNdlhmNDJCOTBVUW5DcnRKdmhZT1NCVlFaQ1RuR1FueDJZWWp0UTRtUkFDDQpEejBjRTZPcjFJND0NCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0NCg== admissionReviewVersions: ["v1"] sideEffects: None timeoutSeconds: 5