# from https://github.com/metallb/metallb/tree/v0.9.3/manifests namespace.yaml and metallb.yaml
---
# Namespace holding every MetalLB object in this file (PSPs, RBAC, speaker, controller).
# NOTE(review): the PodSecurityPolicy documents below are policy/v1beta1, which
# Kubernetes removed in v1.25. On such clusters they are rejected and the speaker's
# hostNetwork plus added capabilities fall under Pod Security Admission instead, so
# this namespace would need a pod-security.kubernetes.io/enforce label that admits
# them — TODO confirm against the target cluster's admission setup.
apiVersion: v1
kind: Namespace
metadata:
  name: metallb-system
  labels:
    app: metallb
---
# PodSecurityPolicy granted (via `use` in the metallb-system:controller ClusterRole)
# to the controller ServiceAccount. It is the stricter of the two policies here:
# no host namespaces, no capabilities at all, non-root UID/GID ranges only, and
# only configMap/secret/emptyDir volumes.
# PodSecurityPolicy is cluster-scoped, so the namespace below carries no meaning;
# it is kept as upstream wrote it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: controller
  namespace: metallb-system
  labels:
    app: metallb
spec:
  privileged: false
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Every capability must be dropped and nothing may be added back.
  requiredDropCapabilities:
    - ALL
  allowedCapabilities: []
  defaultAddCapabilities: []
  hostNetwork: false
  hostIPC: false
  hostPID: false
  readOnlyRootFilesystem: true
  # UID and GIDs must lie in 1..65535, i.e. never root (0). The controller
  # Deployment in this file runs as 65534, which satisfies the range.
  runAsUser:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: RunAsAny
  allowedHostPaths: []
  volumes:
    - configMap
    - secret
    - emptyDir
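---
# PodSecurityPolicy granted (via `use` in the metallb-system:speaker ClusterRole)
# to the speaker ServiceAccount. The speaker DaemonSet in this file runs on the
# host network and adds NET_ADMIN, NET_RAW and SYS_ADMIN on top of dropping ALL;
# this policy admits exactly that and nothing more.
# PodSecurityPolicy is cluster-scoped, so the namespace below carries no meaning;
# it is kept as upstream wrote it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: speaker
  namespace: metallb-system
  labels:
    app: metallb
spec:
  # Tightened from upstream's `privileged: true`. A PSP is an upper bound on what
  # a pod may request, and the speaker container never sets `privileged` (it
  # relies on the explicit capabilities below), so allowing it here only widened
  # what any pod running as the speaker ServiceAccount could ask for.
  privileged: false
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # Allowed, not default-added: the DaemonSet still has to request each one.
  # NOTE(review): SYS_ADMIN is close to root on the host. Keep this list in lock
  # step with the speaker DaemonSet and remove SYS_ADMIN here if a later MetalLB
  # release stops requesting it — TODO confirm against the release in use.
  allowedCapabilities:
    - NET_ADMIN
    - NET_RAW
    - SYS_ADMIN
  defaultAddCapabilities: []
  # hostNetwork is required by the speaker; the only host port it may declare is
  # the metrics port 7472 that the DaemonSet exposes.
  hostNetwork: true
  hostPorts:
    - min: 7472
      max: 7472
  hostIPC: false
  hostPID: false
  readOnlyRootFilesystem: true
  # No UID/GID restriction: the DaemonSet sets none, so the speaker runs as
  # whatever user its image declares (not visible from this manifest).
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  allowedHostPaths: []
  volumes:
    - configMap
    - secret
    - emptyDir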
---
# Identity of the controller Deployment. Its permissions come from the
# metallb-system:controller ClusterRoleBinding and the config-watcher RoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: controller
  namespace: metallb-system
  labels:
    app: metallb
---
# Identity of the speaker DaemonSet. Its permissions come from the
# metallb-system:speaker ClusterRoleBinding and the config-watcher and
# pod-lister RoleBindings.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: speaker
  namespace: metallb-system
  labels:
    app: metallb
---
# Cluster-wide permissions for the controller ServiceAccount: read and update
# Services and their status in every namespace, emit Events, and use the
# `controller` PodSecurityPolicy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metallb-system:controller
  labels:
    app: metallb
rules:
  # Update on Services is cluster-wide; presumably used to write the allocated
  # LoadBalancer address — confirm against the controller source before trying
  # to narrow it.
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - ""
    resources:
      - services/status
    verbs:
      - update
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # `use` on the named PSP is what PodSecurityPolicy admission checks for.
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - controller
    verbs:
      - use
---
# Cluster-wide permissions for the speaker ServiceAccount: read-only access to
# Services, Endpoints and Nodes in every namespace, emit Events, and use the
# `speaker` PodSecurityPolicy. No write verbs on core resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metallb-system:speaker
  labels:
    app: metallb
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # `use` on the named PSP is what PodSecurityPolicy admission checks for.
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - speaker
    verbs:
      - use
---
# Namespace-scoped read access to ConfigMaps, shared by controller and speaker via
# the config-watcher RoleBinding. Both binaries are started with `--config=config`,
# yet this grants get/list/watch on every ConfigMap in metallb-system.
# NOTE(review): a `resourceNames: [config]` restriction only applies to list/watch
# when the client filters by metadata.name, which is not visible from here — TODO
# confirm how MetalLB watches its config before tightening.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: config-watcher
  namespace: metallb-system
  labels:
    app: metallb
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
---
# Lets the speaker list Pods in its own namespace only (bound by the pod-lister
# RoleBinding). Presumably used together with METALLB_ML_LABELS to find the other
# speaker pods — confirm against the speaker source.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-lister
  namespace: metallb-system
  labels:
    app: metallb
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
---
# Binds the metallb-system:controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:controller
  labels:
    app: metallb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:controller
subjects:
  - kind: ServiceAccount
    name: controller
    namespace: metallb-system
---
# Binds the metallb-system:speaker ClusterRole to the speaker ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:speaker
  labels:
    app: metallb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:speaker
subjects:
  - kind: ServiceAccount
    name: speaker
    namespace: metallb-system
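---
# Grants the config-watcher Role (read ConfigMaps in metallb-system) to both
# ServiceAccounts. The subject namespaces are spelled out instead of relying on
# the API server defaulting them to the binding's namespace, matching how the
# ClusterRoleBindings above name their subjects.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: config-watcher
  namespace: metallb-system
  labels:
    app: metallb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: config-watcher
subjects:
  - kind: ServiceAccount
    name: controller
    namespace: metallb-system
  - kind: ServiceAccount
    name: speaker
    namespace: metallb-system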
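---
# Grants the pod-lister Role (list Pods in metallb-system) to the speaker only.
# The subject namespace is spelled out instead of relying on the API server
# defaulting it to the binding's namespace, matching the ClusterRoleBindings above.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-lister
  namespace: metallb-system
  labels:
    app: metallb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-lister
subjects:
  - kind: ServiceAccount
    name: speaker
    namespace: metallb-system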
---
# One speaker pod per Linux node, control-plane nodes included via the toleration.
# Runs on the host network with NET_ADMIN, NET_RAW and SYS_ADMIN added on top of
# dropping ALL, exactly what the `speaker` PodSecurityPolicy above admits.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: speaker
  namespace: metallb-system
  labels:
    app: metallb
    component: speaker
spec:
  selector:
    matchLabels:
      app: metallb
      component: speaker
  template:
    metadata:
      labels:
        app: metallb
        component: speaker
      annotations:
        # With hostNetwork the metrics port 7472 is bound on the node's own IP,
        # so anything that can reach the node can scrape it; restrict at the
        # node firewall if the node network is not trusted.
        prometheus.io/port: "7472"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: speaker
      hostNetwork: true
      terminationGracePeriodSeconds: 2
      nodeSelector:
        # Older label name (kubernetes.io/os is the current one), kept as upstream wrote it.
        beta.kubernetes.io/os: linux
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      containers:
        - name: speaker
          # NOTE(review): a mutable tag pulled with `Always` means every pod start
          # trusts the registry to serve the same bytes; pinning by digest
          # (metallb/speaker@sha256:...) makes the deployment reproducible.
          image: metallb/speaker:v0.9.3
          imagePullPolicy: Always
          args:
            - --port=7472
            - --config=config
          env:
            - name: METALLB_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: METALLB_HOST
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            # Under hostNetwork status.podIP is the node IP, so this bind address
            # is a host address.
            - name: METALLB_ML_BIND_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: METALLB_ML_LABELS
              value: "app=metallb,component=speaker"
            - name: METALLB_ML_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Shared memberlist secret key, presumably securing speaker-to-speaker
            # traffic — confirm against the speaker source. The `memberlist`
            # Secret is NOT created by this file: it must exist in metallb-system
            # beforehand, and because the reference is not optional the container
            # stays in CreateContainerConfigError until it does.
            - name: METALLB_ML_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: memberlist
                  key: secretkey
          ports:
            - name: monitoring
              containerPort: 7472
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_ADMIN
                - NET_RAW
                - SYS_ADMIN
            # NOTE(review): no runAsUser/runAsNonRoot here, so the container runs
            # as whatever user the image declares; whether the speaker works as a
            # non-root user with just these capabilities is not visible from this
            # manifest — TODO confirm before adding one.
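---
# Single controller pod. Runs fully unprivileged: non-root UID 65534 (inside the
# 1..65535 range the `controller` PodSecurityPolicy enforces), every capability
# dropped, read-only root filesystem, ordinary pod network.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller
  namespace: metallb-system
  labels:
    app: metallb
    component: controller
spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: metallb
      component: controller
  template:
    metadata:
      labels:
        app: metallb
        component: controller
      annotations:
        prometheus.io/port: "7472"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0
      nodeSelector:
        # Older label name (kubernetes.io/os is the current one), kept as upstream wrote it.
        beta.kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
      containers:
        - name: controller
          # NOTE(review): a mutable tag pulled with `Always` means every pod start
          # trusts the registry to serve the same bytes; pinning by digest
          # (metallb/controller@sha256:...) makes the deployment reproducible.
          image: metallb/controller:v0.9.3
          imagePullPolicy: Always
          args:
            - --port=7472
            - --config=config
          ports:
            - name: monitoring
              containerPort: 7472
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              # Upstream wrote the lowercase `all` here while the speaker DaemonSet
              # and both PodSecurityPolicies spell it `ALL`. Normalised so the value
              # literally matches the requiredDropCapabilities entry it must satisfy
              # and so policy tooling that compares capability names as strings agrees.
              drop:
                - ALL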