Add stackit-pod-identity-webhook image and configuration

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v1
+name: stackit-pod-identity-webhook
+version: 0.1.0

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml

@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "stackit-pod-identity-webhook.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "stackit-pod-identity-webhook.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "stackit-pod-identity-webhook.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "stackit-pod-identity-webhook.selectorLabels" . | nindent 8 }}
+        workload-identity.stackit.cloud/skip-pod-identity-webhook: "true"
+        gardener.cloud/role: controlplane
+        networking.gardener.cloud/to-dns: allowed
+        networking.gardener.cloud/to-public-networks: allowed
+        networking.gardener.cloud/to-private-networks: allowed
+        networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name | default (include "stackit-pod-identity-webhook.fullname" .) }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: {{ index .Values.images "stackit-pod-identity-webhook" }}
+          args:
+            - --cert-dir=/etc/webhook/certs
+            - --port={{ .Values.webhook.port }}
+          ports:
+            - name: https
+              containerPort: {{ .Values.webhook.port }}
+              protocol: TCP
+            - name: metrics
+              containerPort: 8080
+              protocol: TCP
+            - name: health
+              containerPort: 8081
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: health
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: health
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ .Values.webhook.tlsSecretName }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/helpers.tpl

@@ -0,0 +1,49 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "stackit-pod-identity-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "stackit-pod-identity-webhook.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "stackit-pod-identity-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "stackit-pod-identity-webhook.labels" -}}
+helm.sh/chart: {{ include "stackit-pod-identity-webhook.chart" . }}
+{{ include "stackit-pod-identity-webhook.selectorLabels" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "stackit-pod-identity-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "stackit-pod-identity-webhook.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/rbac.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | default (include "stackit-pod-identity-webhook.fullname" .) }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+automountServiceAccountToken: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "stackit-pod-identity-webhook.fullname" . }}
+rules:
+- apiGroups: [""]
+  resources: ["serviceaccounts"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "stackit-pod-identity-webhook.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "stackit-pod-identity-webhook.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccount.name | default (include "stackit-pod-identity-webhook.fullname" .) }}
+  namespace: {{ .Release.Namespace }}

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "stackit-pod-identity-webhook.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: {{ .Values.service.targetPort }}
+      protocol: TCP
+      name: https
+  selector:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/values.yaml

@@ -0,0 +1,56 @@
+replicaCount: 2
+
+# String to override the name for the chart
+nameOverride: ""
+# String to fully override the fullname of the chart
+fullnameOverride: ""
+
+webhook:
+  port: 9443
+  # The secret name containing tls.crt and tls.key for the webhook server
+  # If certmanager.enabled is true, this secret will be created by cert-manager
+  tlsSecretName: "stackit-pod-identity-webhook-certs"
+
+service:
+  type: ClusterIP
+  port: 443
+  targetPort: 9443
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+serviceAccount:
+  create: true
+  annotations: {}
+  name: "stackit-pod-identity-webhook"
+
+# PodSecurityContext holds pod-level security attributes and common container settings.
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1239
+  runAsGroup: 1239
+  fsGroup: 1239
+
+# SecurityContext holds security configuration that will be applied to a container.
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+
+# NodeSelector is a selector which must be true for the pod to fit on a node.
+nodeSelector: {}
+
+# Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints.
+tolerations: []
+
+# Affinity is a group of affinity scheduling rules.
+affinity: {}
+
+priorityClassName: gardener-system-300

charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v1
+name: stackit-pod-identity-webhook
+version: 0.1.0

charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/templates/helpers.tpl

@@ -0,0 +1,49 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "stackit-pod-identity-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "stackit-pod-identity-webhook.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "stackit-pod-identity-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "stackit-pod-identity-webhook.labels" -}}
+helm.sh/chart: {{ include "stackit-pod-identity-webhook.chart" . }}
+{{ include "stackit-pod-identity-webhook.selectorLabels" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "stackit-pod-identity-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "stackit-pod-identity-webhook.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/templates/mutatingwebhookconfiguration.yaml

@@ -0,0 +1,36 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "stackit-pod-identity-webhook.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+webhooks:
+  - name: stackit-pod-identity-webhook.stackit.cloud
+    clientConfig:
+      service:
+        name: {{ include "stackit-pod-identity-webhook.fullname" . }}
+        namespace: {{ .Release.Namespace }}
+        path: "/mutate--v1-pod"
+    rules:
+      - operations: ["CREATE"]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+    failurePolicy: {{ .Values.webhook.failurePolicy | default "Ignore" }}
+    namespaceSelector:
+      matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values: ["kube-system", "garden"]
+        - key: gardener.cloud/role
+          operator: DoesNotExist
+        - key: workload-identity.stackit.cloud/skip-pod-identity-webhook
+          operator: DoesNotExist
+    objectSelector:
+      matchExpressions:
+        - key: workload-identity.stackit.cloud/skip-pod-identity-webhook
+          operator: DoesNotExist

charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/values.yaml

@@ -0,0 +1,8 @@
+enabled: true
+webhook:
+  caBundle: "" # will be set by valuesprovider
+  # failurePolicy for the webhook (Ignore or Fail).
+  # Defaults to Fail to guarantee that pods are not started without the required workload identity configuration.
+  # Note: If the webhook is down, pod creation in monitored namespaces will be blocked.
+  # Specific pods or namespaces can be excluded using the skip label.
+  failurePolicy: Fail

imagevector/images.yaml

@@ -135,3 +135,6 @@ images:
 - name: stackit-alb-controller-manager
   repository: reg3.infra.ske.eu01.stackit.cloud/temp/alb-controller-manager
   tag: "1245"
+- name: stackit-pod-identity-webhook
+  repository: reg3.infra.ske.eu01.stackit.cloud/stackitcloud/stackit-pod-identity-webhook
+  tag: "726f2f0@sha256:fca1f67cd7e6a515e795a34ae45d0c239379d051e494dc202033f6987b41b154"