#   Copyright 2020 Canonical Ltd.
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.
# Namespace that holds every MetalLB component in this file; all namespaced
# objects below (ServiceAccounts, Roles, RoleBindings, DaemonSet, Deployment)
# are created in metallb-system.
apiVersion: v1
kind: Namespace
metadata:
  name: metallb-system
  labels:
    app: metallb
---
# Identity of the controller Deployment (its pod spec sets
# serviceAccountName: controller). Permissions come from the
# metallb-system:controller ClusterRole and the config-watcher Role, both
# bound to this account further down in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: metallb-system
  name: controller
  labels:
    app: metallb
---
# Identity of the speaker DaemonSet (serviceAccountName: speaker).
# Bound to the metallb-system:speaker ClusterRole and to the config-watcher
# and leader-election Roles below.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: metallb-system
  name: speaker
  labels:
    app: metallb
---
# Cluster-wide rights of the controller. It may read and update Services and
# write services/status (presumably where the assigned LoadBalancer address is
# recorded - confirm against MetalLB v0.6.1), and create/patch Events.
# Cluster scope is needed because Services in any namespace may request a
# LoadBalancer; no other resource is writable through this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metallb-system:controller
  labels:
    app: metallb
rules:
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - ''
    resources:
      - services/status
    verbs:
      - update
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Cluster-wide rights of the speaker: read-only (get/list/watch) on Services,
# Endpoints and Nodes. No write verb is granted at cluster scope; the
# speaker's only writes are the namespaced ones in the leader-election and
# config-watcher Roles below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metallb-system:speaker
  labels:
    app: metallb
rules:
  - apiGroups:
      - ''
    resources:
      - services
      - endpoints
      - nodes
    verbs:
      - get
      - list
      - watch
---
# Namespaced Role used for leader election among speaker pods.
# The first rule is narrowed with resourceNames to the single Endpoints
# object "metallb-speaker", so get/update cannot touch other Endpoints in
# the namespace. The second rule must stay unrestricted: RBAC cannot apply
# resourceNames to create, because the object has no name until it exists.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: metallb-system
  name: leader-election
  labels:
    app: metallb
rules:
  - apiGroups:
      - ''
    resources:
      - endpoints
    resourceNames:
      - metallb-speaker
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - endpoints
    verbs:
      - create
---
# Namespaced Role that lets both components read ConfigMaps and emit Events.
# The ConfigMap read is not narrowed with resourceNames, so every ConfigMap
# in metallb-system is readable; both containers below pass --config=config,
# which suggests only one ConfigMap is needed - verify before tightening.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: metallb-system
  name: config-watcher
  labels:
    app: metallb
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
---
## Role bindings
# Grants the metallb-system:controller ClusterRole (defined above) to the
# controller ServiceAccount. The subject names its namespace explicitly,
# which a ClusterRoleBinding requires for ServiceAccount subjects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:controller
  labels:
    app: metallb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:controller
subjects:
  - kind: ServiceAccount
    name: controller
    namespace: metallb-system
---
# Grants the read-only metallb-system:speaker ClusterRole to the speaker
# ServiceAccount, namespace given explicitly as a ClusterRoleBinding needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:speaker
  labels:
    app: metallb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:speaker
subjects:
  - kind: ServiceAccount
    name: speaker
    namespace: metallb-system
---
# Binds the config-watcher Role to both ServiceAccounts. The subjects carry
# no namespace; for a RoleBinding the API server resolves ServiceAccount
# subjects in the binding's own namespace (metallb-system). Spelling
# `namespace: metallb-system` out on each subject would make that explicit.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: config-watcher
  namespace: metallb-system
  labels:
    app: metallb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: config-watcher
subjects:
  - kind: ServiceAccount
    name: controller
  - kind: ServiceAccount
    name: speaker
---
# Binds the leader-election Role to the speaker ServiceAccount only; the
# controller gets no write access to Endpoints. As in config-watcher, the
# subject's namespace is implied by the binding's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: leader-election
  namespace: metallb-system
  labels:
    app: metallb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-election
subjects:
  - kind: ServiceAccount
    name: speaker
---
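# Speaker: the per-node MetalLB component, one pod per node via a DaemonSet.
# It runs with hostNetwork and keeps only the NET_RAW capability
# (presumably for raw ARP/NDP sockets - confirm against the MetalLB v0.6.1
# docs). Unlike the controller below, no runAsNonRoot/runAsUser is set, so
# the container runs as whatever user the image defaults to.
#
# apps/v1beta2 was removed in Kubernetes 1.16; apps/v1 is used instead. The
# spec already carries the spec.selector that apps/v1 requires.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  namespace: metallb-system
  name: speaker
  labels:
    app: metallb
    component: speaker
spec:
  selector:
    matchLabels:
      app: metallb
      component: speaker
  template:
    metadata:
      labels:
        app: metallb
        component: speaker
      annotations:
        # Scrape target; the port must stay in sync with --port and
        # containerPort below.
        prometheus.io/scrape: "true"
        prometheus.io/port: "7472"
    spec:
      serviceAccountName: speaker
      terminationGracePeriodSeconds: 0
      # With hostNetwork the metrics port 7472 is bound in the node's network
      # namespace, i.e. reachable on the node address, not only in the pod
      # network.
      hostNetwork: true
      containers:
        - name: speaker
          # Pinned by tag only; pinning by digest
          # (metallb/speaker@sha256:<digest-placeholder>) would make the
          # deployed image immutable.
          image: metallb/speaker:v0.6.1
          imagePullPolicy: IfNotPresent
          args:
            - --port=7472
            # Presumably the name of a ConfigMap in metallb-system; it is not
            # defined in this file, and the config-watcher Role grants the
            # read access for it.
            - --config=config
          env:
            # Own node name from the downward API.
            - name: METALLB_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - name: monitoring
              containerPort: 7472
          resources:
            # Only limits are set; Kubernetes copies them into requests.
            limits:
              cpu: 100m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - all
              add:
                - net_raw
---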
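# Controller: a single Deployment running as the unprivileged "nobody" uid
# with every capability dropped, no privilege escalation and a read-only root
# filesystem. It is the only component whose ClusterRole can update
# services/status.
#
# apps/v1beta2 was removed in Kubernetes 1.16; apps/v1 is used instead. The
# spec already carries the spec.selector that apps/v1 requires.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: metallb-system
  name: controller
  labels:
    app: metallb
    component: controller
spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: metallb
      component: controller
  template:
    metadata:
      labels:
        app: metallb
        component: controller
      annotations:
        # Scrape target; the port must stay in sync with --port and
        # containerPort below.
        prometheus.io/scrape: "true"
        prometheus.io/port: "7472"
    spec:
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534  # nobody
      containers:
        - name: controller
          # Pinned by tag only; pinning by digest
          # (metallb/controller@sha256:<digest-placeholder>) would make the
          # deployed image immutable.
          image: metallb/controller:v0.6.1
          imagePullPolicy: IfNotPresent
          args:
            - --port=7472
            # Presumably the name of a ConfigMap in metallb-system; it is not
            # defined in this file, and the config-watcher Role grants the
            # read access for it.
            - --config=config
          ports:
            - name: monitoring
              containerPort: 7472
          resources:
            # Only limits are set; Kubernetes copies them into requests.
            limits:
              cpu: 100m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            readOnlyRootFilesystem: true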