Blame - installers/k8s/metallb/metallb.yaml - osm/devops

blob: fd23be054064bb921f384359a026190b6bf3696c [file] [log] [blame]

David Garcia	6cbfee1	2020-10-23 10:40:20 +0200	[diff] [blame]	1	# Copyright 2020 Canonical Ltd.
				2	#
				3	# Licensed under the Apache License, Version 2.0 (the "License");
				4	# you may not use this file except in compliance with the License.
				5	# You may obtain a copy of the License at
				6	#
				7	# http://www.apache.org/licenses/LICENSE-2.0
				8	#
				9	# Unless required by applicable law or agreed to in writing, software
				10	# distributed under the License is distributed on an "AS IS" BASIS,
				11	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				12	# See the License for the specific language governing permissions and
				13	# limitations under the License.
				14	apiVersion: v1
				15	kind: Namespace
				16	metadata:
				17	name: metallb-system
				18	labels:
				19	app: metallb
				20	---
				21	apiVersion: v1
				22	kind: ServiceAccount
				23	metadata:
				24	namespace: metallb-system
				25	name: controller
				26	labels:
				27	app: metallb
				28	---
				29	apiVersion: v1
				30	kind: ServiceAccount
				31	metadata:
				32	namespace: metallb-system
				33	name: speaker
				34	labels:
				35	app: metallb
				36	---
				37	apiVersion: rbac.authorization.k8s.io/v1
				38	kind: ClusterRole
				39	metadata:
				40	name: metallb-system:controller
				41	labels:
				42	app: metallb
				43	rules:
				44	- apiGroups: [""]
				45	resources: ["services"]
				46	verbs: ["get", "list", "watch", "update"]
				47	- apiGroups: [""]
				48	resources: ["services/status"]
				49	verbs: ["update"]
				50	- apiGroups: [""]
				51	resources: ["events"]
				52	verbs: ["create", "patch"]
				53	---
				54	apiVersion: rbac.authorization.k8s.io/v1
				55	kind: ClusterRole
				56	metadata:
				57	name: metallb-system:speaker
				58	labels:
				59	app: metallb
				60	rules:
				61	- apiGroups: [""]
				62	resources: ["services", "endpoints", "nodes"]
				63	verbs: ["get", "list", "watch"]
				64	---
				65	apiVersion: rbac.authorization.k8s.io/v1
				66	kind: Role
				67	metadata:
				68	namespace: metallb-system
				69	name: leader-election
				70	labels:
				71	app: metallb
				72	rules:
				73	- apiGroups: [""]
				74	resources: ["endpoints"]
				75	resourceNames: ["metallb-speaker"]
				76	verbs: ["get", "update"]
				77	- apiGroups: [""]
				78	resources: ["endpoints"]
				79	verbs: ["create"]
				80	---
				81	apiVersion: rbac.authorization.k8s.io/v1
				82	kind: Role
				83	metadata:
				84	namespace: metallb-system
				85	name: config-watcher
				86	labels:
				87	app: metallb
				88	rules:
				89	- apiGroups: [""]
				90	resources: ["configmaps"]
				91	verbs: ["get", "list", "watch"]
				92	- apiGroups: [""]
				93	resources: ["events"]
				94	verbs: ["create"]
				95	---
				96	## Role bindings
				97	apiVersion: rbac.authorization.k8s.io/v1
				98	kind: ClusterRoleBinding
				99	metadata:
				100	name: metallb-system:controller
				101	labels:
				102	app: metallb
				103	subjects:
				104	- kind: ServiceAccount
				105	name: controller
				106	namespace: metallb-system
				107	roleRef:
				108	apiGroup: rbac.authorization.k8s.io
				109	kind: ClusterRole
				110	name: metallb-system:controller
				111	---
				112	apiVersion: rbac.authorization.k8s.io/v1
				113	kind: ClusterRoleBinding
				114	metadata:
				115	name: metallb-system:speaker
				116	labels:
				117	app: metallb
				118	subjects:
				119	- kind: ServiceAccount
				120	name: speaker
				121	namespace: metallb-system
				122	roleRef:
				123	apiGroup: rbac.authorization.k8s.io
				124	kind: ClusterRole
				125	name: metallb-system:speaker
				126	---
				127	apiVersion: rbac.authorization.k8s.io/v1
				128	kind: RoleBinding
				129	metadata:
				130	namespace: metallb-system
				131	name: config-watcher
				132	labels:
				133	app: metallb
				134	subjects:
				135	- kind: ServiceAccount
				136	name: controller
				137	- kind: ServiceAccount
				138	name: speaker
				139	roleRef:
				140	apiGroup: rbac.authorization.k8s.io
				141	kind: Role
				142	name: config-watcher
				143	---
				144	apiVersion: rbac.authorization.k8s.io/v1
				145	kind: RoleBinding
				146	metadata:
				147	namespace: metallb-system
				148	name: leader-election
				149	labels:
				150	app: metallb
				151	subjects:
				152	- kind: ServiceAccount
				153	name: speaker
				154	roleRef:
				155	apiGroup: rbac.authorization.k8s.io
				156	kind: Role
				157	name: leader-election
				158	---
garciadeblas	e3ae2ff	2021-08-13 17:13:25 +0200	[diff] [blame]	159	apiVersion: apps/v1
David Garcia	6cbfee1	2020-10-23 10:40:20 +0200	[diff] [blame]	160	kind: DaemonSet
				161	metadata:
				162	namespace: metallb-system
				163	name: speaker
				164	labels:
				165	app: metallb
				166	component: speaker
				167	spec:
				168	selector:
				169	matchLabels:
				170	app: metallb
				171	component: speaker
				172	template:
				173	metadata:
				174	labels:
				175	app: metallb
				176	component: speaker
				177	annotations:
				178	prometheus.io/scrape: "true"
				179	prometheus.io/port: "7472"
				180	spec:
				181	serviceAccountName: speaker
				182	terminationGracePeriodSeconds: 0
				183	hostNetwork: true
				184	containers:
				185	- name: speaker
				186	image: metallb/speaker:v0.6.1
				187	imagePullPolicy: IfNotPresent
				188	args:
				189	- --port=7472
				190	- --config=config
				191	env:
				192	- name: METALLB_NODE_NAME
				193	valueFrom:
				194	fieldRef:
				195	fieldPath: spec.nodeName
				196	ports:
				197	- name: monitoring
				198	containerPort: 7472
				199	resources:
				200	limits:
				201	cpu: 100m
				202	memory: 100Mi
				203	securityContext:
				204	allowPrivilegeEscalation: false
				205	readOnlyRootFilesystem: true
				206	capabilities:
				207	drop:
				208	- all
				209	add:
				210	- net_raw
				211	---
garciadeblas	e3ae2ff	2021-08-13 17:13:25 +0200	[diff] [blame]	212	apiVersion: apps/v1
David Garcia	6cbfee1	2020-10-23 10:40:20 +0200	[diff] [blame]	213	kind: Deployment
				214	metadata:
				215	namespace: metallb-system
				216	name: controller
				217	labels:
				218	app: metallb
				219	component: controller
				220	spec:
				221	revisionHistoryLimit: 3
				222	selector:
				223	matchLabels:
				224	app: metallb
				225	component: controller
				226	template:
				227	metadata:
				228	labels:
				229	app: metallb
				230	component: controller
				231	annotations:
				232	prometheus.io/scrape: "true"
				233	prometheus.io/port: "7472"
				234	spec:
				235	serviceAccountName: controller
				236	terminationGracePeriodSeconds: 0
				237	securityContext:
				238	runAsNonRoot: true
				239	runAsUser: 65534 # nobody
				240	containers:
				241	- name: controller
				242	image: metallb/controller:v0.6.1
				243	imagePullPolicy: IfNotPresent
				244	args:
				245	- --port=7472
				246	- --config=config
				247	ports:
				248	- name: monitoring
				249	containerPort: 7472
				250	resources:
				251	limits:
				252	cpu: 100m
				253	memory: 100Mi
				254
				255	securityContext:
				256	allowPrivilegeEscalation: false
				257	capabilities:
				258	drop:
				259	- all
				260	readOnlyRootFilesystem: true