rancher-charts/charts/rancher-external-ip-webhook/100.0.2+up1.0.1/README.md

externalip-webhook

Chart Details

This chart creates a deployment of externalip-webhook within your Kubernetes cluster. It is required on Kubernetes versions prior to 1.21 to mitigate CVE-2020-8554.

Note: This chart is deprecated for Kubernetes version 1.21 and unsupported starting with 1.22. To mitigate CVE-2020-8554 on those versions, enable the DenyServiceExternalIPs admission controller on the cluster.

Installing the Chart

To install the chart with the release name rancher-external-ip-webhook:

$ helm repo add rancher-chart https://charts.rancher.io
$ helm repo update
$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml

Configuration

The following table lists the configurable parameters of the externalip-webhook chart and their default values.

| Parameter | Description | Default |
| --- | --- | --- |
| allowedExternalIPCidrs | Allowed external IP CIDRs, separated by commas | "" |
| certificates.caBundle | If cert-manager integration is disabled, set this to the self-signed ca.crt in base64 format | "" |
| certificates.certManager.enabled | Enable cert-manager integration. cert-manager must already be installed in the k8s cluster | true |
| certificates.certManager.version | cert-manager version to use | "" |
| certificates.secretName | If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt & tls.key) as k8s secretName in the namespace | "webhook-server-cert" |
| global.cattle.systemDefaultRegistry | Pull docker images from systemDefaultRegistry | "" |
| image.pullPolicy | Webhook server docker pull policy | "IfNotPresent" |
| image.pullSecrets | Webhook server docker pull secret | "" |
| image.repository | Webhook server docker image repository | "rancher/externalip-webhook" |
| image.tag | Webhook server docker image tag | Defaults to ".Chart.appVersion" |
| metrics.enabled | Enable metrics endpoint | false |
| metrics.port | Webhook metrics pod port | 8443 |
| metrics.prometheusExport | Enable Prometheus export. Follow exporting-metrics-for-prometheus to export the webhook metrics | false |
| metrics.authProxy.enabled | Enable auth proxy for metrics endpoint | false |
| metrics.authProxy.port | Webhook auth proxy pod port | 8080 |
| metrics.authProxy.image.pullPolicy | Webhook auth proxy docker pull policy | "IfNotPresent" |
| metrics.authProxy.image.pullSecrets | Webhook auth proxy docker pull secrets | "" |
| metrics.authProxy.image.repository | Webhook auth proxy docker image repository | "gcr.io/kubebuilder/kube-rbac-proxy" |
| metrics.authProxy.image.tag | Webhook auth proxy docker image tag | "v0.5.0" |
| metrics.authProxy.resources.limits.cpu | Webhook auth proxy resource cpu limit | "100m" |
| metrics.authProxy.resources.limits.memory | Webhook auth proxy resource memory limit | "30Mi" |
| metrics.authProxy.resources.requests.cpu | Webhook auth proxy resource cpu reservation | "100m" |
| metrics.authProxy.resources.requests.memory | Webhook auth proxy resource memory reservation | "20Mi" |
| nodeSelector | Node labels for pod assignment | {} |
| rbac.apiVersion | Rbac API version to use | "v1" |
| resources.limits.cpu | Resource cpu limit | "100m" |
| resources.limits.memory | Resource memory limit | "30Mi" |
| resources.requests.cpu | Resource cpu reservation | "100m" |
| resources.requests.memory | Resource memory reservation | "20Mi" |
| service.metricsPort | Webhook metrics service port | 8443 |
| service.webhookPort | Webhook server service port | 443 |
| serviceAccountName | Webhook serviceAccountName. Only used if metrics.authProxy.enabled = false | "default" |
| tolerations | List of node taints to tolerate (requires Kubernetes >= 1.6) | [] |
| webhookPort | Webhook server pod port | 9443 |

Specify each parameter using the --set key=value[,key=value] argument to helm install.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

$ helm repo add rancher-chart https://charts.rancher.io
$ helm repo update
$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml

Tip: You can use the default values.yaml
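
An admission webhook only evaluates Services when they are created or updated, so Services that already carry `spec.externalIPs` when the chart is installed are not re-checked. The following audit script is an added example, not part of the chart or the webhook: it compares existing Services against the same comma-separated string you pass as `allowedExternalIPCidrs`. The function names and the sample data are constructed for illustration, and the plain "IP must fall inside one of the CIDRs" matching rule is an assumption about how the allow list is interpreted.

```python
import ipaddress
import json


def parse_allowed(cidrs: str):
    """Parse a comma-separated allowedExternalIPCidrs string into networks."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in cidrs.split(",") if c.strip()]


def audit_services(service_list: dict, allowed_cidrs: str):
    """Return (namespace, name, ip) for every externalIP outside the allow list."""
    allowed = parse_allowed(allowed_cidrs)
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        for raw in svc.get("spec", {}).get("externalIPs") or []:
            try:
                ip = ipaddress.ip_address(raw)
                ok = any(ip in net for net in allowed)
            except ValueError:
                ok = False  # unparsable entries are reported, not skipped
            if not ok:
                findings.append((meta.get("namespace"), meta.get("name"), raw))
    return findings


# Constructed sample, shaped like `kubectl get services --all-namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web"},
   "spec": {"externalIPs": ["192.0.2.10"]}},
  {"metadata": {"namespace": "dev", "name": "proxy"},
   "spec": {"externalIPs": ["192.0.2.20", "198.51.100.7"]}},
  {"metadata": {"namespace": "dev", "name": "internal"},
   "spec": {"type": "ClusterIP"}},
  {"metadata": {"namespace": "ops", "name": "v6"},
   "spec": {"externalIPs": ["2001:db8::5"]}}
]}
""")

if __name__ == "__main__":
    # Example allow list (constructed); use your own allowedExternalIPCidrs value.
    for ns, name, ip in audit_services(SAMPLE, "192.0.2.0/24, 2001:db8::/32"):
        print(f"{ns}/{name}: externalIP {ip} is outside the allowed CIDRs")
```

To run it against a live cluster, replace `SAMPLE` with the parsed output of `kubectl get services --all-namespaces -o json`.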