apiVersion: apps/v1 kind: Deployment metadata: labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' control-plane: controller-manager gatekeeper.sh/operation: webhook gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-controller-manager namespace: '{{ .Release.Namespace }}' spec: replicas: {{ .Values.replicas }} selector: matchLabels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' control-plane: controller-manager gatekeeper.sh/operation: webhook gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' template: metadata: annotations: {{- toYaml .Values.podAnnotations | trim | nindent 8 }} labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' control-plane: controller-manager gatekeeper.sh/operation: webhook gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' spec: affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: matchExpressions: - key: gatekeeper.sh/operation operator: In values: - webhook topologyKey: kubernetes.io/hostname weight: 100 automountServiceAccountToken: true containers: - args: - --port=8443 - --logtostderr - --emit-admission-events={{ .Values.emitAdmissionEvents }} - --log-level={{ .Values.logLevel }} - --exempt-namespace=gatekeeper-system - --operation=webhook command: - /manager env: - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}' imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: path: /healthz port: 9090 name: manager ports: - containerPort: 8443 name: webhook-server protocol: TCP - containerPort: 8888 name: metrics protocol: TCP - containerPort: 9090 name: healthz protocol: TCP readinessProbe: httpGet: path: /readyz port: 9090 resources: {{ toYaml .Values.controllerManager.resources | indent 10 }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true runAsUser: 1000 volumeMounts: - mountPath: /certs name: cert readOnly: true nodeSelector: {{ toYaml .Values.controllerManager.nodeSelector | indent 8 }} affinity: {{ toYaml .Values.controllerManager.affinity | indent 8 }} tolerations: {{ toYaml .Values.controllerManager.tolerations | indent 8 }} imagePullSecrets: {{ toYaml .Values.image.pullSecrets | indent 8 }} {{- if .Values.controllerManager.priorityClassName }} priorityClassName: {{ .Values.controllerManager.priorityClassName }} {{- end }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 volumes: - name: cert secret: defaultMode: 420 secretName: gatekeeper-webhook-server-cert