# externalip-webhook

## Chart Details

This chart will create a deployment of `externalip-webhook` within your Kubernetes cluster. It is required on Kubernetes versions prior to 1.21 to mitigate CVE-2020-8554.

**Note:** This chart is deprecated for Kubernetes version 1.21 and unsupported starting with 1.22. To mitigate CVE-2020-8554 on those versions, enable the [`DenyServiceExternalIPs` admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#denyserviceexternalips) on the cluster.

## Installing the Chart

To install the chart with the release name `rancher-external-ip-webhook`:

```bash
$ helm repo add rancher-chart https://charts.rancher.io
$ helm repo update
$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml
```

## Configuration

The following table lists the configurable parameters of the externalip-webhook chart and their default values.

| Parameter | Description | Default |
| --- | --- | --- |
| `allowedExternalIPCidrs` | Allowed external IP CIDRs, separated by commas | `""` |
| `certificates.caBundle` | If cert-manager integration is disabled, the self-signed ca.crt in base64 format | `""` |
| `certificates.certManager.enabled` | Enable cert-manager integration. cert-manager must already be installed in the cluster | `true` |
| `certificates.certManager.version` | cert-manager version to use | `""` |
| `certificates.secretName` | If cert-manager integration is disabled, name of the Kubernetes secret in the namespace that holds the cert data (ca.crt, tls.crt and tls.key) | `"webhook-server-cert"` |
| `global.cattle.systemDefaultRegistry` | Pull docker images from systemDefaultRegistry | `""` |
| `image.pullPolicy` | Webhook server docker pull policy | `"IfNotPresent"` |
| `image.pullSecrets` | Webhook server docker pull secret | `""` |
| `image.repository` | Webhook server docker image repository | `"rancher/externalip-webhook"` |
| `image.tag` | Webhook server docker image tag | `".Chart.appVersion"` |
| `metrics.enabled` | Enable metrics endpoint | `false` |
| `metrics.port` | Webhook metrics pod port | `8443` |
| `metrics.prometheusExport` | Enable Prometheus export. Follow [exporting-metrics-for-prometheus](https://book.kubebuilder.io/reference/metrics.html#exporting-metrics-for-prometheus) to export the webhook metrics | `false` |
| `metrics.authProxy.enabled` | Enable auth proxy for metrics endpoint | `false` |
| `metrics.authProxy.port` | Webhook auth proxy pod port | `8080` |
| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker pull policy | `"IfNotPresent"` |
| `metrics.authProxy.image.pullSecrets` | Webhook auth proxy docker pull secrets | `""` |
| `metrics.authProxy.image.repository` | Webhook auth proxy docker image repository | `"gcr.io/kubebuilder/kube-rbac-proxy"` |
| `metrics.authProxy.image.tag` | Webhook auth proxy docker image tag | `"v0.5.0"` |
| `metrics.authProxy.resources.limits.cpu` | Webhook auth proxy resource cpu limit | `"100m"` |
| `metrics.authProxy.resources.limits.memory` | Webhook auth proxy resource memory limit | `"30Mi"` |
| `metrics.authProxy.resources.requests.cpu` | Webhook auth proxy resource cpu reservation | `"100m"` |
| `metrics.authProxy.resources.requests.memory` | Webhook auth proxy resource memory reservation | `"20Mi"` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `rbac.apiVersion` | RBAC API version to use | `"v1"` |
| `resources.limits.cpu` | Resource cpu limit | `"100m"` |
| `resources.limits.memory` | Resource memory limit | `"30Mi"` |
| `resources.requests.cpu` | Resource cpu reservation | `"100m"` |
| `resources.requests.memory` | Resource memory reservation | `"20Mi"` |
| `service.metricsPort` | Webhook metrics service port | `8443` |
| `service.webhookPort` | Webhook server service port | `443` |
| `serviceAccountName` | Webhook serviceAccountName. Only used if `metrics.authProxy.enabled` is `false` | `"default"` |
| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |
| `webhookPort` | Webhook server pod port | `9443` |

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

```bash
$ helm repo add rancher-chart https://charts.rancher.io
$ helm repo update
$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml
```

> **Tip**: You can use the default [values.yaml](https://github.com/rancher/externalip-webhook/blob/master/chart/values.yaml)
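
Admission webhooks only evaluate create and update requests, so Services that already carry `externalIPs` when the chart is installed are not re-checked. The following added example (not part of the chart or the webhook's own code) audits a Service list against a candidate `allowedExternalIPCidrs` value; the sample data, the CIDR value and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample, shaped like `kubectl get services -A -o json` output.
SAMPLE_SERVICES = json.loads("""
{"items": [
  {"metadata": {"namespace": "web", "name": "frontend"},
   "spec": {"externalIPs": ["192.0.2.10"]}},
  {"metadata": {"namespace": "dev", "name": "debug-proxy"},
   "spec": {"externalIPs": ["192.0.2.20", "203.0.113.7"]}},
  {"metadata": {"namespace": "dev", "name": "broken"},
   "spec": {"externalIPs": ["not-an-ip"]}},
  {"metadata": {"namespace": "kube-system", "name": "kube-dns"},
   "spec": {"clusterIP": "10.43.0.10"}}
]}
""")


def parse_allowed_cidrs(value):
    """Parse the comma-separated string format used by allowedExternalIPCidrs."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def audit_external_ips(service_list, allowed_cidrs):
    """Return (namespace, name, ip) for every externalIP outside the allowed CIDRs."""
    # Assumption of this script: an empty CIDR string allows no external IPs.
    # How the webhook treats the empty default is not stated on the page.
    networks = parse_allowed_cidrs(allowed_cidrs)
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        for raw in svc.get("spec", {}).get("externalIPs") or []:
            try:
                ip = ipaddress.ip_address(raw)
                allowed = any(ip in net for net in networks)
            except ValueError:
                allowed = False  # unparseable values are reported, not skipped
            if not allowed:
                findings.append((meta.get("namespace"), meta.get("name"), raw))
    return findings


if __name__ == "__main__":
    # Constructed CIDR value, used only for this demonstration.
    for ns, name, ip in audit_external_ips(SAMPLE_SERVICES, "192.0.2.0/27"):
        print(f"{ns}/{name}: externalIP {ip} is outside the allowed CIDRs")
```

To audit a live cluster, replace `SAMPLE_SERVICES` with the parsed JSON of the cluster's Service list and pass the same string you plan to set for `allowedExternalIPCidrs`.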