---
apiVersion: v1
kind: Service
metadata:
  name: vpc-admission-webhook-svc
  labels:
    app: vpc-admission-webhook
spec:
  ports:
  - port: 443
    targetPort: 443
  selector:
    app: vpc-admission-webhook
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vpc-admission-webhook-deployment
  labels:
    app: vpc-admission-webhook
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vpc-admission-webhook
  template:
    metadata:
      labels:
        app: vpc-admission-webhook
    spec:
      containers:
        - name: vpc-admission-webhook
          args:
            - -tlsCertFile=/etc/webhook/certs/cert.pem
            - -tlsKeyFile=/etc/webhook/certs/key.pem
            - -alsologtostderr
            - -v=4
            - 2>&1
          image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/vpc-admission-webhook:beta
          imagePullPolicy: Always
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs
              readOnly: true
      hostNetwork: true
      nodeSelector:
        beta.kubernetes.io/os: linux
        beta.kubernetes.io/arch: amd64
      volumes:
        - name: webhook-certs
          secret:
            secretName: vpc-admission-webhook-certs
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: vpc-admission-webhook-cfg
  labels:
    app: vpc-admission-webhook
webhooks:
  - name: vpc-admission-webhook.amazonaws.com
    clientConfig:
      service:
        name: vpc-admission-webhook-svc
        namespace: default
        path: "/mutate"
      caBundle: ${CA_BUNDLE}
    rules:
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: Ignore
---