diff --git a/kubelet-csr-approver/clusterrole.yaml b/kubelet-csr-approver/clusterrole.yaml
new file mode 100644
index 0000000..24f4407
--- /dev/null
+++ b/kubelet-csr-approver/clusterrole.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubelet-csr-approver
+rules:
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/approval
+ verbs:
+ - update
+- apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - kubernetes.io/kubelet-serving
+ resources:
+ - signers
+ verbs:
+ - approve
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
diff --git a/kubelet-csr-approver/deployment.yaml b/kubelet-csr-approver/deployment.yaml
new file mode 100644
index 0000000..b3add75
--- /dev/null
+++ b/kubelet-csr-approver/deployment.yaml
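Review bot: The `---` document-start marker is used only in this manifest; the four sibling files added in the same commit (deployment.yaml, kustomization.yaml, rolebinding.yaml, serviceaccount.yaml) omit it, so either drop it here or add it to the others for a consistent style. The permission set is appropriately narrow — `approve` is limited by `resourceNames` to the `kubernetes.io/kubelet-serving` signer, and `update` on `certificatesigningrequests/approval` is the subresource through which the approval is recorded — but that pairing is not obvious to a reader, so a comment above the third rule such as `# approval is written through the approval subresource; the signers rule below limits which signer may be approved` would help the next maintainer. Since this ClusterRole is bound cluster-wide, it is worth a one-line header comment noting that the bound ServiceAccount can approve serving certificates for any node name that passes the controller's own checks, which is why the Deployment's pod hardening matters.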
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kubelet-csr-approver
+ namespace: kube-system
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: kubelet-csr-approver
+
+ template:
+ metadata:
+ annotations:
+ prometheus.io/port: '8080'
+ prometheus.io/scrape: 'true'
+ labels:
+ app: kubelet-csr-approver
+
+ spec:
+ serviceAccountName: kubelet-csr-approver
+ containers:
+ - name: kubelet-csr-approver
+ image: postfinance/kubelet-csr-approver:latest
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+
+ args:
+ - -metrics-bind-address
+ - ":8080"
+ - -health-probe-bind-address
+ - ":8081"
+ - -leader-election
+
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+
+ env:
+ - name: PROVIDER_REGEX
+ value: ^[abcdef]\.test\.ch$
+ - name: PROVIDER_IP_PREFIXES
+ value: "0.0.0.0/0,::/0"
+ - name: MAX_EXPIRATION_SEC
+ value: "31622400" # 366 days
+
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/control-plane
+ operator: Equal
diff --git a/kubelet-csr-approver/kustomization.yaml b/kubelet-csr-approver/kustomization.yaml
new file mode 100644
index 0000000..e56ed83
--- /dev/null
+++ b/kubelet-csr-approver/kustomization.yaml
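Review bot: The container that holds the CSR-approval credentials has no `securityContext`, so it runs with a writable root filesystem, the default capability set and whatever user the image selects; a controller with this much RBAC should carry the restricted-profile settings shown below (`runAsNonRoot` assumes the image does not need root — confirm against the image before applying). The base also pulls `postfinance/kubelet-csr-approver:latest`; kustomization.yaml in this commit re-points it to a tagged ghcr.io image, but anyone applying this directory without the overlay still gets a floating tag, so pinning the base tag as well would be safer. `PROVIDER_IP_PREFIXES` is `"0.0.0.0/0,::/0"` here, i.e. every SAN IP is accepted, which deserves a comment such as `# permissive default; narrowed to the node CIDR in kustomization.yaml` so the value is not mistaken for the effective policy.

```yaml
      containers:
      - name: kubelet-csr-approver
        # … unchanged: image, resources, args, livenessProbe, env …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
```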
@@ -0,0 +1,42 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+ app.kubernetes.io/instance: kubelet-csr-approver
+
+resources:
+- clusterrole.yaml
+- deployment.yaml
+- rolebinding.yaml
+- serviceaccount.yaml
+
+patches:
+- patch: |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: kubelet-csr-approver
+ namespace: kube-system
+ spec:
+ template:
+ spec:
+ containers:
+ - name: kubelet-csr-approver
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: PROVIDER_REGEX
+ value: ^(i-[a-z0-9]+\.[a-z0-9-]+\.compute\.internal|k8s-[a-z0-9-]+\.pyrocufflink\.blue|[a-z0-9-]+\.k8s\.pyrocufflink\.black)$
+ - name: PROVIDER_IP_PREFIXES
+ value: 172.30.0.0/16
+ - name: BYPASS_DNS_RESOLUTION
+ value: 'true'
+
+replicas:
+- name: kubelet-csr-approver
+ count: 1
+
+images:
+- name: postfinance/kubelet-csr-approver
+ newName: ghcr.io/postfinance/kubelet-csr-approver
+ newTag: v1.2.10
diff --git a/kubelet-csr-approver/rolebinding.yaml b/kubelet-csr-approver/rolebinding.yaml
new file mode 100644
index 0000000..12f1166
--- /dev/null
+++ b/kubelet-csr-approver/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubelet-csr-approver
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubelet-csr-approver
+subjects:
+- kind: ServiceAccount
+ name: kubelet-csr-approver
+ namespace: kube-system
\ No newline at end of file
diff --git a/kubelet-csr-approver/serviceaccount.yaml b/kubelet-csr-approver/serviceaccount.yaml
new file mode 100644
index 0000000..cb1e2ce
--- /dev/null
+++ b/kubelet-csr-approver/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubelet-csr-approver
+ namespace: kube-system
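Review bot: With `BYPASS_DNS_RESOLUTION` set to `'true'` in the patch, the approver no longer resolves node names as a cross-check, so `PROVIDER_REGEX` and `PROVIDER_IP_PREFIXES` are the only controls between a kubelet-serving CSR and an approved certificate; the first regex alternative, `i-[a-z0-9]+\.[a-z0-9-]+\.compute\.internal`, leaves the middle segment (which looks like the EC2 region) unconstrained, so if the cluster runs in a single region, pinning that segment would shrink the accepted name space. Each of the three alternatives should carry a comment naming the node fleet it is meant to match, together with one line explaining why DNS resolution is bypassed, since that decision removes a safety check and the reason will not be obvious later. The `images` entry pins `newTag: v1.2.10`, which is good; kustomize also accepts a `digest:` field on the same entry, and adding `digest: sha256:<PLACEHOLDER>` would turn the tag-based pin into an immutable one.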
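Review bot: `metadata.namespace: kube-system` on a `ClusterRoleBinding` has no effect — the kind is cluster-scoped and the API server clears the field on create — but it suggests to a reader that the grant is namespaced when it is not; drop it from `metadata` and keep the namespace only under `subjects`, where it actually selects the ServiceAccount. The file is named rolebinding.yaml yet defines a ClusterRoleBinding, which will mislead anyone searching for a namespaced RoleBinding; renaming it (and the matching `resources` entry in kustomization.yaml) to clusterrolebinding.yaml would follow the clusterrole.yaml naming already used in this directory. The file also lacks a trailing newline (`\ No newline at end of file`).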