From c8fd4c70a9aa8e20f29a96a59fac996f3a4d0ab4 Mon Sep 17 00:00:00 2001 From: jprdonnelly Date: Mon, 23 Sep 2019 14:29:58 -0400 Subject: [PATCH] Updated to newer release --- metallb/metallb.yaml | 263 +++++++++++++++++++++++++++---------------- 1 file changed, 167 insertions(+), 96 deletions(-) diff --git a/metallb/metallb.yaml b/metallb/metallb.yaml index c06d6c8..246c002 100644 --- a/metallb/metallb.yaml +++ b/metallb/metallb.yaml 
@@ -1,128 +1,190 @@ apiVersion: v1 kind: Namespace metadata: + labels: + app: metallb name: metallb-system +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: labels: app: metallb ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: metallb-system - name: controller - labels: - app: metallb ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: metallb-system name: speaker + namespace: metallb-system +spec: + allowPrivilegeEscalation: false + allowedCapabilities: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + fsGroup: + rule: RunAsAny + hostNetwork: true + hostPorts: + - max: 7472 + min: 7472 + privileged: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - '*' +--- +apiVersion: v1 +kind: ServiceAccount +metadata: labels: app: metallb - + name: controller + namespace: metallb-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: metallb + name: speaker + namespace: metallb-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + labels: + app: metallb name: metallb-system:controller - labels: - app: metallb rules: -- apiGroups: [""] - resources: ["services"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: [""] - resources: ["services/status"] - verbs: ["update"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] +- apiGroups: + - '' + resources: + - services + verbs: + - get + - list + - watch + - update +- apiGroups: + - '' + resources: + - services/status + verbs: + - update +- apiGroups: + - '' + resources: + - events + verbs: + - create + - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: metallb-system:speaker labels: app: metallb + name: metallb-system:speaker rules: -- apiGroups: [""] - resources: ["services", "endpoints", "nodes"] - verbs: ["get", "list", "watch"] +- apiGroups: + - '' + resources: + - services + - endpoints + - nodes + 
verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - events + verbs: + - create + - patch +- apiGroups: + - extensions + resourceNames: + - speaker + resources: + - podsecuritypolicies + verbs: + - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - namespace: metallb-system - name: config-watcher labels: app: metallb + name: config-watcher + namespace: metallb-system rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create"] +- apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch --- - -## Role bindings apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: metallb-system:controller labels: app: metallb + name: metallb-system:controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metallb-system:controller subjects: - kind: ServiceAccount name: controller namespace: metallb-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: metallb-system:controller --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: metallb-system:speaker labels: app: metallb -subjects: -- kind: ServiceAccount - name: speaker - namespace: metallb-system + name: metallb-system:speaker roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: metallb-system:speaker +subjects: +- kind: ServiceAccount + name: speaker + namespace: metallb-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - namespace: metallb-system - name: config-watcher labels: app: metallb + name: config-watcher + namespace: metallb-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: config-watcher subjects: - kind: ServiceAccount name: controller - kind: ServiceAccount name: speaker -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: config-watcher --- -apiVersion: 
apps/v1beta2 +apiVersion: apps/v1 kind: DaemonSet metadata: - namespace: metallb-system - name: speaker labels: app: metallb component: speaker + name: speaker + namespace: metallb-system spec: selector: matchLabels: @@ -130,21 +192,15 @@ spec: component: speaker template: metadata: + annotations: + prometheus.io/port: '7472' + prometheus.io/scrape: 'true' labels: app: metallb component: speaker - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "7472" spec: - serviceAccountName: speaker - terminationGracePeriodSeconds: 0 - hostNetwork: true containers: - - name: speaker - image: metallb/speaker:v0.7.3 - imagePullPolicy: IfNotPresent - args: + - args: - --port=7472 - --config=config env: @@ -152,32 +208,47 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + - name: METALLB_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + image: metallb/speaker:v0.8.1 + imagePullPolicy: IfNotPresent + name: speaker ports: - - name: monitoring - containerPort: 7472 + - containerPort: 7472 + name: monitoring resources: limits: cpu: 100m memory: 100Mi - securityContext: allowPrivilegeEscalation: false - readOnlyRootFilesystem: true capabilities: - drop: - - all add: - - net_raw - + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + drop: + - ALL + readOnlyRootFilesystem: true + hostNetwork: true + nodeSelector: + beta.kubernetes.io/os: linux + serviceAccountName: speaker + terminationGracePeriodSeconds: 0 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master --- -apiVersion: apps/v1beta2 +apiVersion: apps/v1 kind: Deployment metadata: - namespace: metallb-system - name: controller labels: app: metallb component: controller + name: controller + namespace: metallb-system spec: revisionHistoryLimit: 3 selector: 
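Review bot: The new `speaker` PodSecurityPolicy grants considerably more than the speaker DaemonSet in this same patch uses: it allows `privileged: true` and `volumes: - '*'`, while the speaker container only adds `NET_ADMIN`/`NET_RAW`/`SYS_ADMIN` and mounts no volumes. Anything able to create pods under the `speaker` service account in `metallb-system` could therefore run a fully privileged pod with arbitrary `hostPath` mounts, and because the policy also sets `allowPrivilegeEscalation: false` a `privileged: true` pod would, as far as I can tell, fail pod validation anyway, so the permission is dead weight. I would set `privileged: false` and restrict `volumes` to the service-account token volume type(s) the cluster injects, keeping the three capabilities in `allowedCapabilities`. Separately, the speaker ClusterRole's `use` rule names the PSP under `apiGroups: - extensions` while the policy itself is declared as `policy/v1beta1`; `policy` is the group that survives in newer clusters, so `apiGroups: - policy` (or listing both) avoids a silent authorization failure once `extensions` is gone.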
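Review bot: The speaker container now gets `SYS_ADMIN` on top of `NET_ADMIN`/`NET_RAW`, runs with `hostNetwork: true` on every node (masters included via the new toleration), and nothing in the pod or container `securityContext` sets `runAsNonRoot`/`runAsUser`, so it presumably runs as root in the host network namespace; CAP_SYS_ADMIN is close to full root on the node and deserves a recorded justification. I'd add a short comment above `- SYS_ADMIN` naming the speaker feature that requires it (the diff does not say), so the capability can be dropped on a later upgrade once it is no longer needed. Because of `hostNetwork`, the metrics port `7472` is also bound on the node's host interfaces and reachable by anything that can reach the node, which is worth a note next to the Prometheus annotations or a NetworkPolicy/host-firewall rule. Minor: `beta.kubernetes.io/os` is the deprecated form of the `kubernetes.io/os` node label.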
@@ -186,37 +257,37 @@ spec: component: controller template: metadata: + annotations: + prometheus.io/port: '7472' + prometheus.io/scrape: 'true' labels: app: metallb component: controller - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "7472" spec: - serviceAccountName: controller - terminationGracePeriodSeconds: 0 - securityContext: - runAsNonRoot: true - runAsUser: 65534 # nobody containers: - - name: controller - image: metallb/controller:v0.7.3 - imagePullPolicy: IfNotPresent - args: + - args: - --port=7472 - --config=config + image: metallb/controller:v0.8.1 + imagePullPolicy: IfNotPresent + name: controller ports: - - name: monitoring - containerPort: 7472 + - containerPort: 7472 + name: monitoring resources: limits: cpu: 100m memory: 100Mi - securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true - + nodeSelector: + beta.kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + runAsUser: 65534 + serviceAccountName: controller + terminationGracePeriodSeconds: 0
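Review bot: The controller image is referenced by mutable tag, `image: metallb/controller:v0.8.1`, with `imagePullPolicy: IfNotPresent`, so a node that already has that tag cached keeps running whatever it pointed to when first pulled and a re-pushed tag is picked up unevenly across nodes; pin by digest (`metallb/controller@sha256:<digest>` taken from the registry) or document why tag pinning is acceptable here. `capabilities.drop: - all` is also left lowercase in the controller while the speaker hunk in this commit was changed to `- ALL`; `ALL` is the canonical spelling in Kubernetes manifests, and making both consistent avoids relying on runtime case-insensitivity. The pod-level `runAsNonRoot: true` / `runAsUser: 65534` is the right pattern and is exactly what the speaker DaemonSet lacks.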