Updated to newer release

metallb/metallb.yaml

@@ -1,128 +1,190 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+  labels:
+    app: metallb
   name: metallb-system
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
   labels:
     app: metallb
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: metallb-system
-  name: controller
-  labels:
-    app: metallb
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: metallb-system
   name: speaker
+  namespace: metallb-system
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities:
+  - NET_ADMIN
+  - NET_RAW
+  - SYS_ADMIN
+  fsGroup:
+    rule: RunAsAny
+  hostNetwork: true
+  hostPorts:
+  - max: 7472
+    min: 7472
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - '*'
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
   labels:
     app: metallb
-
+  name: controller
+  namespace: metallb-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+  namespace: metallb-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: metallb
   name: metallb-system:controller
-  labels:
-    app: metallb
 rules:
-- apiGroups: [""]
+- apiGroups:
-  resources: ["services"]
+  - ''
-  verbs: ["get", "list", "watch", "update"]
+  resources:
-- apiGroups: [""]
+  - services
-  resources: ["services/status"]
+  verbs:
-  verbs: ["update"]
+  - get
-- apiGroups: [""]
+  - list
-  resources: ["events"]
+  - watch
-  verbs: ["create", "patch"]
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - services/status
+  verbs:
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: metallb-system:speaker
   labels:
     app: metallb
+  name: metallb-system:speaker
 rules:
-- apiGroups: [""]
+- apiGroups:
-  resources: ["services", "endpoints", "nodes"]
+  - ''
-  verbs: ["get", "list", "watch"]
+  resources:
+  - services
+  - endpoints
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - extensions
+  resourceNames:
+  - speaker
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: metallb-system
-  name: config-watcher
   labels:
     app: metallb
+  name: config-watcher
+  namespace: metallb-system
 rules:
-- apiGroups: [""]
+- apiGroups:
-  resources: ["configmaps"]
+  - ''
-  verbs: ["get", "list", "watch"]
+  resources:
-- apiGroups: [""]
+  - configmaps
-  resources: ["events"]
+  verbs:
-  verbs: ["create"]
+  - get
+  - list
+  - watch
 ---
-
-## Role bindings
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: metallb-system:controller
   labels:
     app: metallb
+  name: metallb-system:controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:controller
 subjects:
 - kind: ServiceAccount
   name: controller
   namespace: metallb-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: metallb-system:controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: metallb-system:speaker
   labels:
     app: metallb
-subjects:
+  name: metallb-system:speaker
-- kind: ServiceAccount
-  name: speaker
-  namespace: metallb-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: metallb-system:speaker
+subjects:
+- kind: ServiceAccount
+  name: speaker
+  namespace: metallb-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  namespace: metallb-system
-  name: config-watcher
   labels:
     app: metallb
+  name: config-watcher
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: config-watcher
 subjects:
 - kind: ServiceAccount
   name: controller
 - kind: ServiceAccount
   name: speaker
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: config-watcher
 ---
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  namespace: metallb-system
-  name: speaker
   labels:
     app: metallb
     component: speaker
+  name: speaker
+  namespace: metallb-system
 spec:
   selector:
     matchLabels:
@@ -130,21 +192,15 @@ spec:
       component: speaker
   template:
     metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
       labels:
         app: metallb
         component: speaker
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "7472"
     spec:
-      serviceAccountName: speaker
-      terminationGracePeriodSeconds: 0
-      hostNetwork: true
       containers:
-      - name: speaker
+      - args:
-        image: metallb/speaker:v0.7.3
-        imagePullPolicy: IfNotPresent
-        args:
         - --port=7472
         - --config=config
         env:
@@ -152,32 +208,47 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: METALLB_HOST
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        image: metallb/speaker:v0.8.1
+        imagePullPolicy: IfNotPresent
+        name: speaker
         ports:
-        - name: monitoring
+        - containerPort: 7472
-          containerPort: 7472
+          name: monitoring
         resources:
           limits:
             cpu: 100m
             memory: 100Mi
-
         securityContext:
           allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
           capabilities:
-            drop:
-            - all
             add:
-            - net_raw
+            - NET_ADMIN
-
+            - NET_RAW
+            - SYS_ADMIN
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      hostNetwork: true
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      serviceAccountName: speaker
+      terminationGracePeriodSeconds: 0
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
 ---
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: Deployment
 metadata:
-  namespace: metallb-system
-  name: controller
   labels:
     app: metallb
     component: controller
+  name: controller
+  namespace: metallb-system
 spec:
   revisionHistoryLimit: 3
   selector:
@@ -186,37 +257,37 @@ spec:
       component: controller
   template:
     metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
       labels:
         app: metallb
         component: controller
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "7472"
     spec:
-      serviceAccountName: controller
-      terminationGracePeriodSeconds: 0
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534 # nobody
       containers:
-      - name: controller
+      - args:
-        image: metallb/controller:v0.7.3
-        imagePullPolicy: IfNotPresent
-        args:
         - --port=7472
         - --config=config
+        image: metallb/controller:v0.8.1
+        imagePullPolicy: IfNotPresent
+        name: controller
         ports:
-        - name: monitoring
+        - containerPort: 7472
-          containerPort: 7472
+          name: monitoring
         resources:
           limits:
             cpu: 100m
             memory: 100Mi
-
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - all
           readOnlyRootFilesystem: true
-
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: controller
+      terminationGracePeriodSeconds: 0