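---
# Promtail log shipper: ServiceAccount, cluster-wide RBAC, and a DaemonSet
# that tails host logs on every node.
# No object carries a `namespace:`; presumably it is injected by the
# deployment tooling (e.g. a kustomize overlay) — TODO confirm.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: promtail
  labels:
    app.kubernetes.io/name: promtail
    app.kubernetes.io/component: promtail
---
# Read-only access to pods in every namespace.  Presumably used for pod
# discovery/labelling by the config in the `promtail` ConfigMap, which is
# not part of this file — verify against that config.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: promtail
  labels:
    app.kubernetes.io/name: promtail
    app.kubernetes.io/component: promtail
rules:
  - apiGroups:
      - ''
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: promtail
  labels:
    app.kubernetes.io/name: promtail
    app.kubernetes.io/component: promtail
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: promtail
subjects:
  # NOTE(review): a ServiceAccount subject in a ClusterRoleBinding requires
  # `namespace:`; it is omitted here, so either the deployment tooling adds
  # it or the binding will be rejected/unresolvable — confirm.
  - kind: ServiceAccount
    name: promtail
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: promtail
  labels:
    app.kubernetes.io/name: promtail
    app.kubernetes.io/component: promtail
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: promtail
      app.kubernetes.io/component: promtail
  template:
    metadata:
      labels:
        app.kubernetes.io/name: promtail
        app.kubernetes.io/component: promtail
    spec:
      containers:
        - name: promtail
          image: docker.io/grafana/promtail:2.9.4
          args:
            - -config.file=/etc/promtail/config.yml
          env:
            # The node's name is exposed to the process as HOSTNAME.
            - name: HOSTNAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - containerPort: 9080
              name: http
          # Both probes query the same /ready endpoint.  They are written
          # out in full instead of sharing a YAML anchor with a `<<:` merge
          # key, because not every Kubernetes tool expands merge keys.
          readinessProbe:
            httpGet:
              port: http
              path: /ready
            periodSeconds: 60
          # Fast polling during startup: up to 30 attempts, 1s apart.
          startupProbe:
            httpGet:
              port: http
              path: /ready
            periodSeconds: 1
            successThreshold: 1
            failureThreshold: 30
            timeoutSeconds: 1
          securityContext:
            readOnlyRootFilesystem: true
            # Promtail has no reason to gain privileges after exec; this
            # sets no_new_privs and does not affect file access.
            allowPrivilegeEscalation: false
          volumeMounts:
            - mountPath: /etc/machine-id
              name: machine-id
              readOnly: true
            - mountPath: /etc/promtail
              name: config
              readOnly: true
            - mountPath: /run/log
              name: run-log
              readOnly: true
            # Writable scratch space; the root filesystem is read-only.
            - mountPath: /tmp
              name: tmp
              subPath: tmp
            # The only writable host mount in this pod.
            - mountPath: /var/lib/promtail
              name: promtail
            - mountPath: /var/log
              name: var-log
              readOnly: true
      securityContext:
        seLinuxOptions:
          # Confined container types do not have access to /var/log.
          # spc_t is the unconfined "super privileged container" domain, so
          # SELinux does not confine this pod; the hostPath mounts are then
          # guarded only by their readOnly flags and ordinary file
          # permissions.
          type: spc_t
      serviceAccountName: promtail
      tolerations:
        # Schedule on every node, regardless of NoExecute/NoSchedule taints.
        - effect: NoExecute
          operator: Exists
        - effect: NoSchedule
          operator: Exists
      volumes:
        - name: config
          configMap:
            name: promtail
        # Must already exist on the node as a regular file.
        - name: machine-id
          hostPath:
            path: /etc/machine-id
            type: File
        # Created on the node if missing; mounted read-write above.
        - name: promtail
          hostPath:
            path: /var/lib/promtail
            type: DirectoryOrCreate
        - name: run-log
          hostPath:
            path: /run/log
            type: Directory
        - name: tmp
          emptyDir: {}
        - name: var-log
          hostPath:
            path: /var/log
            type: Directory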