apiVersion: v1 kind: ServiceAccount metadata: name: kilo namespace: kilo --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kilo rules: - apiGroups: - "" resources: - nodes verbs: - list - patch - watch - apiGroups: - kilo.squat.ai resources: - peers verbs: - list - update - watch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kilo roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kilo subjects: - kind: ServiceAccount name: kilo namespace: kilo --- apiVersion: apps/v1 kind: DaemonSet metadata: name: kilo namespace: kilo labels: app.kubernetes.io/name: kilo spec: selector: matchLabels: app.kubernetes.io/name: kilo template: metadata: labels: app.kubernetes.io/name: kilo spec: nodeSelector: # !!! Decide where you want to run your Kilo ingress. kubernetes.io/hostname: TODO-ADD-YOUR-HOST-HERE serviceAccountName: kilo # we need to be part of the host network; otherwise, we cannot configure wireguard. hostNetwork: true containers: - name: kilo image: squat/kilo args: - --hostname=$(NODE_NAME) # we only want to use Kilo as VPN; and not as CNI interface. - --cni=false - --encapsulate=never # we want to work together with Flannel. - --compatibility=flannel - --local=false env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName # we need to be root to configure wireguard securityContext: privileged: true volumeMounts: - name: kilo-dir mountPath: /var/lib/kilo tolerations: - effect: NoSchedule operator: Exists - effect: NoExecute operator: Exists volumes: - name: kilo-dir hostPath: path: /var/lib/kilo