+++ /dev/null
-#
-# Copyright 2020 Huawei Technologies Co., Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- labels:
- app: metallb
- name: controller
- namespace: metallb-system
-spec:
- allowPrivilegeEscalation: false
- allowedCapabilities: []
- allowedHostPaths: []
- defaultAddCapabilities: []
- defaultAllowPrivilegeEscalation: false
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- hostIPC: false
- hostNetwork: false
- hostPID: false
- privileged: false
- readOnlyRootFilesystem: true
- requiredDropCapabilities:
- - ALL
- runAsUser:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - secret
- - emptyDir
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- labels:
- app: metallb
- name: speaker
- namespace: metallb-system
-spec:
- allowPrivilegeEscalation: false
- allowedCapabilities:
- - NET_ADMIN
- - NET_RAW
- - SYS_ADMIN
- allowedHostPaths: []
- defaultAddCapabilities: []
- defaultAllowPrivilegeEscalation: false
- fsGroup:
- rule: RunAsAny
- hostIPC: false
- hostNetwork: true
- hostPID: false
- hostPorts:
- - max: 7472
- min: 7472
- privileged: true
- readOnlyRootFilesystem: true
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - configMap
- - secret
- - emptyDir
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: metallb
- name: controller
- namespace: metallb-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: metallb
- name: speaker
- namespace: metallb-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: metallb
- name: metallb-system:controller
-rules:
- - apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - update
- - apiGroups:
- - ''
- resources:
- - services/status
- verbs:
- - update
- - apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - policy
- resourceNames:
- - controller
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app: metallb
- name: metallb-system:speaker
-rules:
- - apiGroups:
- - ''
- resources:
- - services
- - endpoints
- - nodes
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - policy
- resourceNames:
- - speaker
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- labels:
- app: metallb
- name: config-watcher
- namespace: metallb-system
-rules:
- - apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- labels:
- app: metallb
- name: pod-lister
- namespace: metallb-system
-rules:
- - apiGroups:
- - ''
- resources:
- - pods
- verbs:
- - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: metallb
- name: metallb-system:controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: metallb-system:controller
-subjects:
- - kind: ServiceAccount
- name: controller
- namespace: metallb-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: metallb
- name: metallb-system:speaker
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: metallb-system:speaker
-subjects:
- - kind: ServiceAccount
- name: speaker
- namespace: metallb-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- app: metallb
- name: config-watcher
- namespace: metallb-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: config-watcher
-subjects:
- - kind: ServiceAccount
- name: controller
- - kind: ServiceAccount
- name: speaker
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- app: metallb
- name: pod-lister
- namespace: metallb-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: pod-lister
-subjects:
- - kind: ServiceAccount
- name: speaker
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- app: metallb
- component: speaker
- name: speaker
- namespace: metallb-system
-spec:
- selector:
- matchLabels:
- app: metallb
- component: speaker
- template:
- metadata:
- annotations:
- prometheus.io/port: '7472'
- prometheus.io/scrape: 'true'
- labels:
- app: metallb
- component: speaker
- spec:
- containers:
- - args:
- - --port=7472
- - --config=config
- env:
- - name: METALLB_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: METALLB_HOST
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: METALLB_ML_BIND_ADDR
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: METALLB_ML_LABELS
- value: "app=metallb,component=speaker"
- - name: METALLB_ML_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: METALLB_ML_SECRET_KEY
- valueFrom:
- secretKeyRef:
- name: memberlist
- key: secretkey
- image: metallb/speaker:v0.9.3
- imagePullPolicy: IfNotPresent
- name: speaker
- ports:
- - containerPort: 7472
- name: monitoring
- resources:
- limits:
- cpu: 100m
- memory: 100Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- add:
- - NET_ADMIN
- - NET_RAW
- - SYS_ADMIN
- drop:
- - ALL
- readOnlyRootFilesystem: true
- hostNetwork: true
- nodeSelector:
- beta.kubernetes.io/os: linux
- serviceAccountName: speaker
- terminationGracePeriodSeconds: 2
- tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: metallb
- component: controller
- name: controller
- namespace: metallb-system
-spec:
- revisionHistoryLimit: 3
- selector:
- matchLabels:
- app: metallb
- component: controller
- template:
- metadata:
- annotations:
- prometheus.io/port: '7472'
- prometheus.io/scrape: 'true'
- labels:
- app: metallb
- component: controller
- spec:
- containers:
- - args:
- - --port=7472
- - --config=config
- image: metallb/controller:v0.9.3
- imagePullPolicy: IfNotPresent
- name: controller
- ports:
- - containerPort: 7472
- name: monitoring
- resources:
- limits:
- cpu: 100m
- memory: 100Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - all
- readOnlyRootFilesystem: true
- nodeSelector:
- beta.kubernetes.io/os: linux
- securityContext:
- runAsNonRoot: true
- runAsUser: 65534
- serviceAccountName: controller
- terminationGracePeriodSeconds: 0
Code Review / eliot.git / blobdiff