#
#   Copyright 2020 Huawei Technologies Co., Ltd.
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.
#
# PodSecurityPolicy for the MetalLB controller Deployment. Pods may only be
# admitted against it through the `use` verb granted by the
# metallb-system:controller ClusterRole further down.
# NOTE(review): PodSecurityPolicy (policy/v1beta1) is deprecated and was removed
# in Kubernetes 1.25; an equivalent Pod Security Admission level or another
# admission controller is needed on newer clusters. PSP is cluster-scoped, so
# the metadata.namespace field below has no effect.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  labels:
    app: metallb
  name: controller
  namespace: metallb-system
spec:
  # No privilege escalation, no added capabilities, no host paths.
  allowPrivilegeEscalation: false
  allowedCapabilities: []
  allowedHostPaths: []
  defaultAddCapabilities: []
  defaultAllowPrivilegeEscalation: false
  # UID/GIDs must fall within 1-65535, i.e. never root. The controller
  # Deployment below runs as UID 65534, which satisfies this range.
  fsGroup:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
  # No host namespaces and no privileged containers for the controller.
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: false
  readOnlyRootFilesystem: true
  requiredDropCapabilities:
    - ALL
  runAsUser:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
  # Only config-backed and ephemeral volume types; hostPath is not allowed.
  volumes:
    - configMap
    - secret
    - emptyDir
---
# PodSecurityPolicy for the speaker DaemonSet (used via the
# metallb-system:speaker ClusterRole below). It is looser than the controller
# policy because the speaker container runs on the host network and adds
# networking capabilities back after dropping ALL.
# NOTE(review): PodSecurityPolicy (policy/v1beta1) is deprecated and was removed
# in Kubernetes 1.25. PSP is cluster-scoped, so metadata.namespace is ignored.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  labels:
    app: metallb
  name: speaker
  namespace: metallb-system
spec:
  allowPrivilegeEscalation: false
  # Exactly the three capabilities the speaker container adds; any other
  # capability requested under this policy is rejected at admission.
  allowedCapabilities:
    - NET_ADMIN
    - NET_RAW
    - SYS_ADMIN
  allowedHostPaths: []
  defaultAddCapabilities: []
  defaultAllowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  hostIPC: false
  # Required: the speaker DaemonSet sets hostNetwork: true.
  hostNetwork: true
  hostPID: false
  # Only the metrics port; matches --port=7472 on the speaker container.
  hostPorts:
    - max: 7472
      min: 7472
  # NOTE(review): wider than the workload needs. The speaker container does
  # not request privileged and only adds the three capabilities above, while a
  # privileged container holds every capability regardless of
  # requiredDropCapabilities, so allowing it undercuts the drop-ALL rule.
  # Consider `privileged: false` and confirm the speaker is still admitted.
  privileged: true
  readOnlyRootFilesystem: true
  requiredDropCapabilities:
    - ALL
  # No UID/GID constraint: the speaker sets no runAsUser, so it runs as the
  # image's default user.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - configMap
    - secret
    - emptyDir
---
# Identity of the controller Deployment. It is granted the
# metallb-system:controller ClusterRole and the config-watcher Role below.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: metallb
  name: controller
  namespace: metallb-system
---
# Identity of the speaker DaemonSet. It is granted the metallb-system:speaker
# ClusterRole plus the config-watcher and pod-lister Roles below.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: metallb
  name: speaker
  namespace: metallb-system
---
# Cluster-wide permissions for the controller. It must see Services in every
# namespace and write them and their status back (presumably to assign and
# record LoadBalancer addresses), may record Events, and may use its own PSP.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: metallb
  name: metallb-system:controller
rules:
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - ''
    resources:
      - services/status
    verbs:
      - update
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  # PSP admission requires the `use` verb on the policy by name; this is what
  # ties the controller pods to the `controller` PodSecurityPolicy above.
  - apiGroups:
      - policy
    resourceNames:
      - controller
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
# Cluster-wide permissions for the speaker: read-only on Services, Endpoints
# and Nodes, Event creation, and use of the `speaker` PodSecurityPolicy. The
# speaker gets no write access to Services; only the controller has that.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: metallb
  name: metallb-system:speaker
rules:
  - apiGroups:
      - ''
    resources:
      - services
      - endpoints
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  # Admission against the `speaker` PodSecurityPolicy defined above.
  - apiGroups:
      - policy
    resourceNames:
      - speaker
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
# Read access to ConfigMaps, scoped to metallb-system by being a Role rather
# than a ClusterRole. Both workloads start with --config=config, so this is
# presumably how they load their configuration.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: metallb
  name: config-watcher
  namespace: metallb-system
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
---
# Lets the holder list Pods in metallb-system only. Bound to the speaker alone
# (see the pod-lister RoleBinding), presumably so the speakers can discover
# each other for memberlist (METALLB_ML_* settings in the DaemonSet).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: metallb
  name: pod-lister
  namespace: metallb-system
rules:
  - apiGroups:
      - ''
    resources:
      - pods
    verbs:
      - list
---
# Grants the controller ServiceAccount the metallb-system:controller
# ClusterRole cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: metallb
  name: metallb-system:controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:controller
subjects:
  - kind: ServiceAccount
    name: controller
    namespace: metallb-system
---
# Grants the speaker ServiceAccount the metallb-system:speaker ClusterRole
# cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: metallb
  name: metallb-system:speaker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:speaker
subjects:
  - kind: ServiceAccount
    name: speaker
    namespace: metallb-system
---
# Both ServiceAccounts may read ConfigMaps in metallb-system. The subjects
# omit `namespace`; in a RoleBinding a ServiceAccount subject without one is
# resolved in the binding's own namespace, i.e. metallb-system here.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: metallb
  name: config-watcher
  namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: config-watcher
subjects:
  - kind: ServiceAccount
    name: controller
  - kind: ServiceAccount
    name: speaker
---
# Only the speaker may list Pods in metallb-system. The subject omits
# `namespace`, so it resolves to the binding's namespace (metallb-system).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: metallb
  name: pod-lister
  namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-lister
subjects:
  - kind: ServiceAccount
    name: speaker
---
# One speaker per Linux node (control-plane nodes included, via the
# toleration at the bottom), running in the host network namespace.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: metallb
    component: speaker
  name: speaker
  namespace: metallb-system
spec:
  selector:
    matchLabels:
      app: metallb
      component: speaker
  template:
    metadata:
      # Prometheus scrape target. Annotation values must be strings, hence the
      # quotes around the port and the boolean-looking value.
      annotations:
        prometheus.io/port: '7472'
        prometheus.io/scrape: 'true'
      labels:
        app: metallb
        component: speaker
    spec:
      containers:
        - args:
            # Metrics/health port (the speaker PSP allows exactly this host
            # port) and, presumably, the name of the MetalLB ConfigMap.
            - --port=7472
            - --config=config
          env:
            # Node identity and host address from the downward API.
            - name: METALLB_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: METALLB_HOST
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            # memberlist (speaker-to-speaker) settings: bind address, peer
            # label selector, namespace and shared secret.
            - name: METALLB_ML_BIND_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: METALLB_ML_LABELS
              value: "app=metallb,component=speaker"
            - name: METALLB_ML_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # The `memberlist` Secret is not defined in this file; it has to
            # exist in metallb-system before the speaker can start.
            - name: METALLB_ML_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: memberlist
                  key: secretkey
          # NOTE(review): pinned by tag only; add an image digest if the
          # integrity of the deployed artifact matters for this edge.
          image: metallb/speaker:v0.9.3
          imagePullPolicy: IfNotPresent
          name: speaker
          ports:
            - containerPort: 7472
              name: monitoring
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
          # Drop everything, then add back only the three capabilities the
          # speaker PSP allows. No runAsUser is set (runs as the image default)
          # and privileged is not requested.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
                - SYS_ADMIN
              drop:
                - ALL
            readOnlyRootFilesystem: true
      hostNetwork: true
      # NOTE(review): beta.kubernetes.io/os is a deprecated node label; newer
      # clusters label nodes with kubernetes.io/os.
      nodeSelector:
        beta.kubernetes.io/os: linux
      serviceAccountName: speaker
      terminationGracePeriodSeconds: 2
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
---
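# The controller: a Deployment (replicas unset, so it defaults to 1) that runs
# off the host network as a fixed non-root UID with all capabilities dropped.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: metallb
    component: controller
  name: controller
  namespace: metallb-system
spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: metallb
      component: controller
  template:
    metadata:
      # Prometheus scrape target. Annotation values must be strings, hence the
      # quotes around the port and the boolean-looking value.
      annotations:
        prometheus.io/port: '7472'
        prometheus.io/scrape: 'true'
      labels:
        app: metallb
        component: controller
    spec:
      containers:
        - args:
            # Metrics/health port and, presumably, the name of the MetalLB
            # ConfigMap (read via the config-watcher Role). That ConfigMap is
            # not defined in this file.
            - --port=7472
            - --config=config
          # NOTE(review): pinned by tag only; add an image digest if the
          # integrity of the deployed artifact matters for this edge.
          image: metallb/controller:v0.9.3
          imagePullPolicy: IfNotPresent
          name: controller
          ports:
            - containerPort: 7472
              name: monitoring
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                # Spelled ALL (was lowercase `all`) to match the controller
                # PSP's requiredDropCapabilities and the speaker container, so
                # admission does not depend on the PSP plugin merging the
                # required drop in, nor on the runtime case-folding the name.
                - ALL
            readOnlyRootFilesystem: true
      # NOTE(review): beta.kubernetes.io/os is a deprecated node label; newer
      # clusters label nodes with kubernetes.io/os.
      nodeSelector:
        beta.kubernetes.io/os: linux
      # Non-root at UID 65534 (conventionally `nobody`), inside the 1-65535
      # MustRunAs range the controller PSP enforces.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0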