mirror of https://git.rancher.io/charts
# externalip-webhook
## Chart Details

This chart will create a deployment of `externalip-webhook` within your Kubernetes cluster. It is required on Kubernetes versions prior to 1.21 to mitigate CVE-2020-8554.

**Note:** This chart is deprecated for Kubernetes version 1.21 and unsupported starting with 1.22. To mitigate CVE-2020-8554, enable the [`DenyServiceExternalIPs` admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#denyserviceexternalips) on the cluster.
## Installing the Chart

To install the chart with the release name `rancher-external-ip-webhook`:

```bash
$ helm repo add rancher-chart https://charts.rancher.io
$ helm repo update
$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml
```
## Configuration

The following table lists the configurable parameters of the externalip-webhook chart and their default values.

| Parameter | Description | Default |
| --- | --- | --- |
| `allowedExternalIPCidrs` | Set allowed external IP CIDRs separated by a comma | `""` |
| `certificates.caBundle` | If cert-manager integration is disabled, add the self-signed `ca.crt` here in base64 format | `""` |
| `certificates.certManager.enabled` | Enable cert-manager integration. cert-manager must already be installed in the Kubernetes cluster | `true` |
| `certificates.certManager.version` | cert-manager version to use | `""` |
| `certificates.secretName` | If cert-manager integration is disabled, upload the certificate data (`ca.crt`, `tls.crt` and `tls.key`) as a Kubernetes secret with this name in the namespace | `"webhook-server-cert"` |
| `global.cattle.systemDefaultRegistry` | Pull docker images from systemDefaultRegistry | `""` |
| `image.pullPolicy` | Webhook server docker pull policy | `"IfNotPresent"` |
| `image.pullSecrets` | Webhook server docker pull secret | `""` |
| `image.repository` | Webhook server docker image repository | `"rancher/externalip-webhook"` |
| `image.tag` | Webhook server docker image tag. Defaults to the chart's `appVersion` | `".Chart.appVersion"` |
| `metrics.enabled` | Enable metrics endpoint | `false` |
| `metrics.port` | Webhook metrics pod port | `8443` |
| `metrics.prometheusExport` | Enable Prometheus export. Follow [exporting-metrics-for-prometheus](https://book.kubebuilder.io/reference/metrics.html#exporting-metrics-for-prometheus) to export the webhook metrics | `false` |
| `metrics.authProxy.enabled` | Enable auth proxy for metrics endpoint | `false` |
| `metrics.authProxy.port` | Webhook auth proxy pod port | `8080` |
| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker pull policy | `"IfNotPresent"` |
| `metrics.authProxy.image.pullSecrets` | Webhook auth proxy docker pull secrets | `""` |
| `metrics.authProxy.image.repository` | Webhook auth proxy docker image repository | `"gcr.io/kubebuilder/kube-rbac-proxy"` |
| `metrics.authProxy.image.tag` | Webhook auth proxy docker image tag | `"v0.5.0"` |
| `metrics.authProxy.resources.limits.cpu` | Webhook auth proxy resource cpu limit | `"100m"` |
| `metrics.authProxy.resources.limits.memory` | Webhook auth proxy resource memory limit | `"30Mi"` |
| `metrics.authProxy.resources.requests.cpu` | Webhook auth proxy resource cpu reservation | `"100m"` |
| `metrics.authProxy.resources.requests.memory` | Webhook auth proxy resource memory reservation | `"20Mi"` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `rbac.apiVersion` | RBAC API version to use | `"v1"` |
| `resources.limits.cpu` | Resource cpu limit | `"100m"` |
| `resources.limits.memory` | Resource memory limit | `"30Mi"` |
| `resources.requests.cpu` | Resource cpu reservation | `"100m"` |
| `resources.requests.memory` | Resource memory reservation | `"20Mi"` |
| `service.metricsPort` | Webhook metrics service port | `8443` |
| `service.webhookPort` | Webhook server service port | `443` |
| `serviceAccountName` | Webhook serviceAccountName. Only used if `metrics.authProxy.enabled` is `false` | `"default"` |
| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |
| `webhookPort` | Webhook server pod port | `9443` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

```bash
$ helm repo add rancher-chart https://charts.rancher.io
$ helm repo update
$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml
```
> **Tip**: You can use the default [values.yaml](https://github.com/rancher/externalip-webhook/blob/master/chart/values.yaml)