apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: "{{ namespace }}/kubevirt-virt-api-certs" labels: app.kubernetes.io/component: kubevirt app.kubernetes.io/managed-by: virt-operator kubevirt.io: virt-api-validator name: virt-api-validator webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /launcher-eviction-validate port: 443 failurePolicy: Ignore matchPolicy: Equivalent name: virt-launcher-eviction-interceptor.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - "" apiVersions: - v1 operations: - '*' resources: - pods/eviction scope: '*' sideEffects: NoneOnDryRun timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachineinstances-validate-create port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachineinstances-create-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - kubevirt.io apiVersions: - v1alpha3 - v1 operations: - CREATE resources: - virtualmachineinstances scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachineinstances-validate-update port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachineinstances-update-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - kubevirt.io apiVersions: - v1alpha3 - v1 operations: - UPDATE resources: - virtualmachineinstances scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachines-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachine-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - kubevirt.io apiVersions: - v1alpha3 - v1 operations: - CREATE - UPDATE resources: - virtualmachines scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachinereplicaset-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachinereplicaset-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - kubevirt.io apiVersions: - v1alpha3 - v1 operations: - CREATE - UPDATE resources: - virtualmachineinstancereplicasets scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachinepool-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachinepool-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - pool.kubevirt.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - virtualmachinepools scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /vmipreset-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachinepreset-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - kubevirt.io apiVersions: - v1alpha3 - v1 operations: - CREATE - UPDATE resources: - virtualmachineinstancepresets scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /migration-validate-create port: 443 failurePolicy: Fail matchPolicy: Equivalent name: migration-create-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - kubevirt.io apiVersions: - v1alpha3 - v1 operations: - CREATE resources: - virtualmachineinstancemigrations scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /migration-validate-update port: 443 failurePolicy: Fail matchPolicy: Equivalent name: migration-update-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - kubevirt.io apiVersions: - v1alpha3 - v1 operations: - UPDATE resources: - virtualmachineinstancemigrations scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachinesnapshots-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachinesnapshot-validator.snapshot.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - snapshot.kubevirt.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - virtualmachinesnapshots scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachinerestores-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachinerestore-validator.snapshot.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - snapshot.kubevirt.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - virtualmachinerestores scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachineexports-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachineexport-validator.export.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - export.kubevirt.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - virtualmachineexports scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachineinstancetypes-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachineinstancetype-validator.instancetype.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - instancetype.kubevirt.io apiVersions: - v1alpha1 - v1alpha2 - v1beta1 operations: - CREATE - UPDATE resources: - virtualmachineinstancetypes scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachineclusterinstancetypes-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachineclusterinstancetype-validator.instancetype.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - instancetype.kubevirt.io apiVersions: - v1alpha1 - v1alpha2 - v1beta1 operations: - CREATE - UPDATE resources: - virtualmachineclusterinstancetypes scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachinepreferences-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachinepreference-validator.instancetype.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - instancetype.kubevirt.io apiVersions: - v1alpha1 - v1alpha2 - v1beta1 operations: - CREATE - UPDATE resources: - virtualmachinepreferences scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /virtualmachineclusterpreferences-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: virtualmachineclusterpreference-validator.instancetype.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - instancetype.kubevirt.io apiVersions: - v1alpha1 - v1alpha2 - v1beta1 operations: - CREATE - UPDATE resources: - virtualmachineclusterpreferences scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /status-validate port: 443 failurePolicy: Fail matchPolicy: Equivalent name: kubevirt-crd-status-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - kubevirt.io apiVersions: - v1alpha3 - v1 operations: - CREATE - UPDATE resources: - virtualmachines/status - virtualmachineinstancereplicasets/status - virtualmachineinstancemigrations/status scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /migration-policy-validate-create port: 443 failurePolicy: Fail matchPolicy: Equivalent name: migration-policy-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - migrations.kubevirt.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - migrationpolicies scope: '*' sideEffects: None timeoutSeconds: 10 - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: virt-api namespace: "{{ namespace }}" path: /vm-clone-validate-create port: 443 failurePolicy: Fail matchPolicy: Equivalent name: vm-clone-validator.kubevirt.io namespaceSelector: {} objectSelector: {} rules: - apiGroups: - clone.kubevirt.io apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - virtualmachineclones scope: '*' sideEffects: None timeoutSeconds: 10