@eumel8
Created October 4, 2023 15:23
getpod
---
# Identity the pod runs as
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    name: getpods
  name: getpods
---
# Read-only access to pods and their logs in the namespace this is applied to
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: getpods
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
---
# Grants the getpods Role to the getpods ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    name: getpods
  name: getpods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: getpods
subjects:
- kind: ServiceAccount
  name: getpods
---
# Tools pod running under the ServiceAccount with a restricted security context
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: getpods
  name: getpods
spec:
  containers:
  - name: getpods
    # :latest is a mutable tag; pin a version or digest for reproducible deployments
    image: mtr.devops.telekom.de/caas/k8s-tools:latest
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsUser: 1000
      runAsGroup: 1000
    volumeMounts:
    # Writable scratch space, since the root filesystem is read-only
    - name: tmp
      mountPath: /tmp
  securityContext:
    fsGroup: 1000
    supplementalGroups:
    - 1000
  serviceAccountName: getpods
  # Tolerate every NoSchedule and NoExecute taint so the pod can run on any node
  tolerations:
  - effect: NoSchedule
    operator: Exists
  - effect: NoExecute
    operator: Exists
  volumes:
  - name: tmp
    emptyDir: {}