Thank you @mamachanko for these snippets.
- configure-pod-security-admission-webhook.yaml
#@ load("@ytt:overlay", "overlay")
#@ load("@ytt:yaml", "yaml")

#! See https://github.com/kubernetes/pod-security-admission/tree/master/webhook
#!
#! ytt overlay for the upstream pod-security-admission webhook manifests
#! (as produced by `kustomize build` of the webhook directory). It renders a
#! PodSecurityConfiguration and writes it into the webhook's ConfigMap.

#! Cluster-wide Pod Security Admission defaults served by the webhook.
#! All three modes use the "restricted" profile; "enforce" is the one that
#! actually rejects non-compliant pods, "audit" and "warn" only record/warn.
#@ def pod_security_config():
---
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
defaults:
  enforce: restricted #! This is the important setting.
  enforce-version: latest
  audit: restricted
  audit-version: latest
  warn: restricted
  warn-version: latest
#! Anything listed below is skipped by admission entirely; keep these empty
#! unless an exemption is deliberately required and reviewed.
exemptions:
  usernames: []
  runtimeClasses: []
  namespaces: []
#@ end

#! Selector used to find the webhook's ConfigMap in the kustomize output.
#@ def pod_security_webhook_configmap():
kind: ConfigMap
metadata:
  name: pod-security-webhook
#@ end

#! Patch exactly one ConfigMap matching the selector above (expects=1 fails the
#! render if it is missing or ambiguous). missing_ok lets the overlay add the
#! annotations/data keys even when the upstream ConfigMap does not have them yet.
#@overlay/match by=overlay.subset(pod_security_webhook_configmap()), expects=1
---
#@overlay/match-child-defaults missing_ok=True
metadata:
  annotations:
    #! Let kapp restart the deployment of the pod-security-webhook, when its configuration changes.
    kapp.k14s.io/versioned: ""
    kapp.k14s.io/versioned-keep-original: ""
data:
  podsecurityconfiguration.yaml: #@ yaml.encode(pod_security_config())
- pod-security-admission-webhook.sh
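#!/usr/bin/env bash
# pod-security-admission-webhook.sh
#
# Clone the upstream pod-security-admission repository (once), generate the
# webhook's TLS material with its Makefile, then render the webhook manifests
# with kustomize + ytt and deploy them with kapp.
# Expects configure-pod-security-admission-webhook.yaml next to this script.
#
# Optional environment:
#   PSA_REPO  git URL to clone (default: upstream kubernetes/pod-security-admission)
#   PSA_REF   branch, tag or commit to check out after cloning. Unset by default,
#             which keeps the previous behaviour (the clone's default branch);
#             set it to pin the build input so deploys are reproducible and
#             not silently affected by upstream changes.
set -euo pipefail
cd "$(dirname "$0")"

PSA_REPO="${PSA_REPO:-https://github.com/kubernetes/pod-security-admission}"
PSA_REF="${PSA_REF:-}"

# Only a fresh clone is prepared; an existing checkout (including any certs it
# already generated) is reused as-is. Delete the directory to start over.
if [ ! -d ./pod-security-admission ]; then
  git clone "$PSA_REPO" ./pod-security-admission
  pushd pod-security-admission/webhook
  if [ -n "$PSA_REF" ]; then
    git checkout "$PSA_REF"
  fi
  make certs   # upstream target that produces the webhook's certificate/key
  popd
fi

# With pipefail set, a failure in kustomize or ytt aborts before kapp deploys
# anything; --diff-changes prints the diff kapp is about to apply.
kustomize build ./pod-security-admission/webhook/ |
  ytt \
    --file - \
    --file configure-pod-security-admission-webhook.yaml |
  kapp deploy \
    --app pod-security-admission-webhook \
    --diff-changes \
    --yes \
    --file -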
Thank you @mamachanko for these snippets.