Delete gateway api admission server

No longer required, Gateway API has transitioned to CEL based validation https://kubernetes.io/blog/2023/08/29/gateway-api-v0-8/#cel-validation Signed-off-by: Arko Dasgupta <arko@tetrate.io>
arkodg · Sep 14, 2023 · e8f182d · e8f182d
1 parent 75831e6
commit e8f182d
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 288 deletions.
diff --git a/charts/gateway-helm/crds/gatewayapi-crds.yaml b/charts/gateway-helm/crds/gatewayapi-crds.yaml
@@ -10774,285 +10774,3 @@ status:
   conditions: null
   storedVersions: null
 ---
-#
-# config/webhook/0-namespace.yaml
-#
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: gateway-system
-  labels:
-    pod-security.kubernetes.io/enforce: restricted
-    pod-security.kubernetes.io/audit: restricted
-    pod-security.kubernetes.io/warn: restricted
----
-#
-# config/webhook/admission_webhook.yaml
-#
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: gateway-api-admission
-webhooks:
-- name: validate.gateway.networking.k8s.io
-  matchPolicy: Equivalent
-  rules:
-  - operations: [ "CREATE" , "UPDATE" ]
-    apiGroups: [ "gateway.networking.k8s.io" ]
-    apiVersions: [ "v1alpha2", "v1beta1" ]
-    resources: [ "gateways", "gatewayclasses", "httproutes" ]
-  failurePolicy: Fail
-  sideEffects: None
-  admissionReviewVersions:
-  - v1
-  clientConfig:
-    service:
-      name: gateway-api-admission-server
-      namespace: gateway-system
-      path: "/validate"
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    name: gateway-api-webhook-server
-  name: gateway-api-admission-server
-  namespace: gateway-system
-spec:
-  type: ClusterIP
-  ports:
-  - name: https-webhook
-    port: 443
-    targetPort: 8443
-  selector:
-    name: gateway-api-admission-server
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: gateway-api-admission-server
-  namespace: gateway-system
-  labels:
-    name: gateway-api-admission-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      name: gateway-api-admission-server
-  template:
-    metadata:
-      name: gateway-api-admission-server
-      labels:
-        name: gateway-api-admission-server
-    spec:
-      containers:
-      - name: webhook
-        image: registry.k8s.io/gateway-api/admission-server:v0.8.0
-        imagePullPolicy: IfNotPresent
-        args:
-        - -logtostderr
-        - --tlsCertFile=/etc/certs/cert
-        - --tlsKeyFile=/etc/certs/key
-        - -v=10
-        - 2>&1
-        ports:
-        - containerPort: 8443
-          name: webhook
-        resources:
-          limits:
-            memory: 50Mi
-            cpu: 100m
-          requests:
-            memory: 50Mi
-            cpu: 100m
-        volumeMounts:
-        - name: webhook-certs
-          mountPath: /etc/certs
-          readOnly: true
-        securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 65532
-          runAsGroup: 65532
-          capabilities:
-            drop:
-            - "ALL"
-          seccompProfile:
-            type: RuntimeDefault
-      volumes:
-      - name: webhook-certs
-        secret:
-          secretName: gateway-api-admission
----
-#
-# config/webhook/certificate_config.yaml
-#
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: gateway-api-admission
-  labels:
-    name: gateway-api-webhook
-  namespace: gateway-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: gateway-api-admission
-  labels:
-    name: gateway-api
-rules:
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-  - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: gateway-api-admission
-  annotations:
-  labels:
-    name: gateway-api-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: gateway-api-admission
-subjects:
-- kind: ServiceAccount
-  name: gateway-api-admission
-  namespace: gateway-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: gateway-api-admission
-  annotations:
-  labels:
-    name: gateway-api-webhook
-  namespace: gateway-system
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: gateway-api-admission
-  annotations:
-  labels:
-    name: gateway-api-webhook
-  namespace: gateway-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: gateway-api-admission
-subjects:
-- kind: ServiceAccount
-  name: gateway-api-admission
-  namespace: gateway-system
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: gateway-api-admission
-  annotations:
-  labels:
-    name: gateway-api-webhook
-  namespace: gateway-system
-spec:
-  template:
-    metadata:
-      name: gateway-api-admission-create
-      labels:
-        name: gateway-api-webhook
-    spec:
-      containers:
-      - name: create
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
-        imagePullPolicy: IfNotPresent
-        args:
-        - create
-        - --host=gateway-api-admission-server,gateway-api-admission-server.$(POD_NAMESPACE).svc
-        - --namespace=$(POD_NAMESPACE)
-        - --secret-name=gateway-api-admission
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 2000
-          runAsGroup: 2000
-          capabilities:
-            drop:
-            - "ALL"
-          seccompProfile:
-            type: RuntimeDefault
-      restartPolicy: OnFailure
-      serviceAccountName: gateway-api-admission
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 2000
-        runAsGroup: 2000
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: gateway-api-admission-patch
-  labels:
-    name: gateway-api-webhook
-  namespace: gateway-system
-spec:
-  template:
-    metadata:
-      name: gateway-api-admission-patch
-      labels:
-        name: gateway-api-webhook
-    spec:
-      containers:
-      - name: patch
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
-        imagePullPolicy: IfNotPresent
-        args:
-        - patch
-        - --webhook-name=gateway-api-admission
-        - --namespace=$(POD_NAMESPACE)
-        - --patch-mutating=false
-        - --patch-validating=true
-        - --secret-name=gateway-api-admission
-        - --patch-failure-policy=Fail
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 2000
-          runAsGroup: 2000
-          capabilities:
-            drop:
-            - "ALL"
-          seccompProfile:
-            type: RuntimeDefault
-      restartPolicy: OnFailure
-      serviceAccountName: gateway-api-admission
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 2000
-        runAsGroup: 2000
diff --git a/tools/make/kube.mk b/tools/make/kube.mk
@@ -114,10 +114,8 @@ install-ratelimit:
 .PHONY: run-e2e
 run-e2e: prepare-e2e
 	@$(LOG_TARGET)
-	kubectl wait --timeout=5m -n gateway-system deployment/gateway-api-admission-server --for=condition=Available
 	kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-ratelimit --for=condition=Available
 	kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
-	kubectl wait --timeout=5m -n gateway-system job/gateway-api-admission --for=condition=Complete
 	kubectl apply -f test/config/gatewayclass.yaml
 	go test -v -tags e2e ./test/e2e --gateway-class=envoy-gateway --debug=true
 
@@ -170,9 +168,7 @@ kube-install-image: image.build $(tools/kind) ## Install the EG image to a kind
 .PHONY: run-conformance
 run-conformance: ## Run Gateway API conformance.
 	@$(LOG_TARGET)
-	kubectl wait --timeout=$(WAIT_TIMEOUT) -n gateway-system deployment/gateway-api-admission-server --for=condition=Available
 	kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
-	kubectl wait --timeout=$(WAIT_TIMEOUT) -n gateway-system job/gateway-api-admission --for=condition=Complete
 	kubectl apply -f test/config/gatewayclass.yaml
 	go test -v -tags conformance ./test/conformance --gateway-class=envoy-gateway --debug=true
 
@@ -181,9 +177,7 @@ CONFORMANCE_REPORT_PATH ?=
 .PHONY: run-experimental-conformance
 run-experimental-conformance: ## Run Experimental Gateway API conformance.
 	@$(LOG_TARGET)
-	kubectl wait --timeout=$(WAIT_TIMEOUT) -n gateway-system deployment/gateway-api-admission-server --for=condition=Available
 	kubectl wait --timeout=$(WAIT_TIMEOUT) -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
-	kubectl wait --timeout=$(WAIT_TIMEOUT) -n gateway-system job/gateway-api-admission --for=condition=Complete
 	kubectl apply -f test/config/gatewayclass.yaml
 	go test -v -tags experimental ./test/conformance -run TestExperimentalConformance --gateway-class=envoy-gateway --debug=true --organization=envoyproxy --project=envoy-gateway --url=https://github.com/envoyproxy/gateway --version=latest --report-output="$(CONFORMANCE_REPORT_PATH)" --contact=https://github.com/envoyproxy/gateway/blob/main/GOVERNANCE.md