113 lines
2.3 KiB
YAML
113 lines
2.3 KiB
YAML
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
name: kube-router
|
|
namespace: kube-system
|
|
labels:
|
|
app.kubernetes.io/name: kube-router
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: kube-router
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: kube-router
|
|
spec:
|
|
serviceAccountName: kube-router
|
|
priorityClassName: system-node-critical
|
|
containers:
|
|
- name: kube-router
|
|
image: cloudnativelabs/kube-router
|
|
args:
|
|
- --run-router=false
|
|
- --run-firewall=true
|
|
- --run-service-proxy=false
|
|
securityContext:
|
|
privileged: true
|
|
env:
|
|
- name: NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 20244
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 3
|
|
volumeMounts:
|
|
- name: lib-modules
|
|
mountPath: /lib/modules
|
|
readOnly: true
|
|
- name: xtables-lock
|
|
mountPath: /run/xtables.lock
|
|
readOnly: false
|
|
hostNetwork: true
|
|
tolerations:
|
|
- key: CriticalAddonsOnly
|
|
operator: Exists
|
|
- effect: NoSchedule
|
|
key: node-role.kubernetes.io/master
|
|
operator: Exists
|
|
- effect: NoSchedule
|
|
key: node.kubernetes.io/not-ready
|
|
operator: Exists
|
|
volumes:
|
|
- name: lib-modules
|
|
hostPath:
|
|
path: /lib/modules
|
|
- name: xtables-lock
|
|
hostPath:
|
|
path: /run/xtables.lock
|
|
type: FileOrCreate
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: kube-router
|
|
namespace: kube-system
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: kube-router
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- nodes
|
|
verbs:
|
|
- get
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- endpoints
|
|
- namespaces
|
|
- nodes
|
|
- pods
|
|
- services
|
|
verbs:
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- networking.k8s.io
|
|
resources:
|
|
- networkpolicies
|
|
verbs:
|
|
- list
|
|
- watch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: kube-router
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: kube-router
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: kube-router
|
|
namespace: kube-system
|