apiVersion: apps/v1 kind: DaemonSet metadata: name: kube-router namespace: kube-system labels: app.kubernetes.io/name: kube-router spec: selector: matchLabels: app.kubernetes.io/name: kube-router template: metadata: labels: app.kubernetes.io/name: kube-router spec: serviceAccountName: kube-router priorityClassName: system-node-critical containers: - name: kube-router image: cloudnativelabs/kube-router args: - --run-router=false - --run-firewall=true - --run-service-proxy=false securityContext: privileged: true env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName livenessProbe: httpGet: path: /healthz port: 20244 initialDelaySeconds: 10 periodSeconds: 3 volumeMounts: - name: lib-modules mountPath: /lib/modules readOnly: true - name: xtables-lock mountPath: /run/xtables.lock readOnly: false hostNetwork: true tolerations: - key: CriticalAddonsOnly operator: Exists - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists - effect: NoSchedule key: node.kubernetes.io/not-ready operator: Exists volumes: - name: lib-modules hostPath: path: /lib/modules - name: xtables-lock hostPath: path: /run/xtables.lock type: FileOrCreate --- apiVersion: v1 kind: ServiceAccount metadata: name: kube-router namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kube-router rules: - apiGroups: - "" resources: - nodes verbs: - get - apiGroups: - "" resources: - endpoints - namespaces - nodes - pods - services verbs: - list - watch - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kube-router roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kube-router subjects: - kind: ServiceAccount name: kube-router namespace: kube-system