Last active
June 12, 2020 14:12
-
-
Save iler/80f7c04496947b2be1f0aa739a64badf to your computer and use it in GitHub Desktop.
Metallb + pihole
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| labels: | |
| app: metallb | |
| name: metallb-system | |
| --- | |
| apiVersion: policy/v1beta1 | |
| kind: PodSecurityPolicy | |
| metadata: | |
| labels: | |
| app: metallb | |
| name: speaker | |
| namespace: metallb-system | |
| spec: | |
| allowPrivilegeEscalation: false | |
| allowedCapabilities: | |
| - NET_ADMIN | |
| - NET_RAW | |
| - SYS_ADMIN | |
| fsGroup: | |
| rule: RunAsAny | |
| hostNetwork: true | |
| hostPorts: | |
| - max: 7472 | |
| min: 7472 | |
| privileged: true | |
| runAsUser: | |
| rule: RunAsAny | |
| seLinux: | |
| rule: RunAsAny | |
| supplementalGroups: | |
| rule: RunAsAny | |
| volumes: | |
| - '*' | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| labels: | |
| app: metallb | |
| name: controller | |
| namespace: metallb-system | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| labels: | |
| app: metallb | |
| name: speaker | |
| namespace: metallb-system | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| labels: | |
| app: metallb | |
| name: metallb-system:controller | |
| rules: | |
| - apiGroups: | |
| - '' | |
| resources: | |
| - services | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - update | |
| - apiGroups: | |
| - '' | |
| resources: | |
| - services/status | |
| verbs: | |
| - update | |
| - apiGroups: | |
| - '' | |
| resources: | |
| - events | |
| verbs: | |
| - create | |
| - patch | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| labels: | |
| app: metallb | |
| name: metallb-system:speaker | |
| rules: | |
| - apiGroups: | |
| - '' | |
| resources: | |
| - services | |
| - endpoints | |
| - nodes | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - apiGroups: | |
| - '' | |
| resources: | |
| - events | |
| verbs: | |
| - create | |
| - patch | |
| - apiGroups: | |
| - extensions | |
| resourceNames: | |
| - speaker | |
| resources: | |
| - podsecuritypolicies | |
| verbs: | |
| - use | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | |
| metadata: | |
| labels: | |
| app: metallb | |
| name: config-watcher | |
| namespace: metallb-system | |
| rules: | |
| - apiGroups: | |
| - '' | |
| resources: | |
| - configmaps | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| labels: | |
| app: metallb | |
| name: metallb-system:controller | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: metallb-system:controller | |
| subjects: | |
| - kind: ServiceAccount | |
| name: controller | |
| namespace: metallb-system | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| labels: | |
| app: metallb | |
| name: metallb-system:speaker | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: metallb-system:speaker | |
| subjects: | |
| - kind: ServiceAccount | |
| name: speaker | |
| namespace: metallb-system | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: RoleBinding | |
| metadata: | |
| labels: | |
| app: metallb | |
| name: config-watcher | |
| namespace: metallb-system | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: Role | |
| name: config-watcher | |
| subjects: | |
| - kind: ServiceAccount | |
| name: controller | |
| - kind: ServiceAccount | |
| name: speaker | |
| --- | |
| apiVersion: apps/v1 | |
| kind: DaemonSet | |
| metadata: | |
| labels: | |
| app: metallb | |
| component: speaker | |
| name: speaker | |
| namespace: metallb-system | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: metallb | |
| component: speaker | |
| template: | |
| metadata: | |
| annotations: | |
| prometheus.io/port: '7472' | |
| prometheus.io/scrape: 'true' | |
| labels: | |
| app: metallb | |
| component: speaker | |
| spec: | |
| containers: | |
| - args: | |
| - --port=7472 | |
| - --config=config | |
| env: | |
| - name: METALLB_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| - name: METALLB_HOST | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: status.hostIP | |
| image: metallb/speaker:v0.8.3 | |
| imagePullPolicy: IfNotPresent | |
| name: speaker | |
| ports: | |
| - containerPort: 7472 | |
| name: monitoring | |
| resources: | |
| limits: | |
| cpu: 100m | |
| memory: 100Mi | |
| securityContext: | |
| allowPrivilegeEscalation: false | |
| capabilities: | |
| add: | |
| - NET_ADMIN | |
| - NET_RAW | |
| - SYS_ADMIN | |
| drop: | |
| - ALL | |
| readOnlyRootFilesystem: true | |
| hostNetwork: true | |
| nodeSelector: | |
| beta.kubernetes.io/os: linux | |
| serviceAccountName: speaker | |
| terminationGracePeriodSeconds: 0 | |
| tolerations: | |
| - effect: NoSchedule | |
| key: node-role.kubernetes.io/master | |
| --- | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| labels: | |
| app: metallb | |
| component: controller | |
| name: controller | |
| namespace: metallb-system | |
| spec: | |
| revisionHistoryLimit: 3 | |
| selector: | |
| matchLabels: | |
| app: metallb | |
| component: controller | |
| template: | |
| metadata: | |
| annotations: | |
| prometheus.io/port: '7472' | |
| prometheus.io/scrape: 'true' | |
| labels: | |
| app: metallb | |
| component: controller | |
| spec: | |
| containers: | |
| - args: | |
| - --port=7472 | |
| - --config=config | |
| image: metallb/controller:v0.8.3 | |
| imagePullPolicy: IfNotPresent | |
| name: controller | |
| ports: | |
| - containerPort: 7472 | |
| name: monitoring | |
| resources: | |
| limits: | |
| cpu: 100m | |
| memory: 100Mi | |
| securityContext: | |
| allowPrivilegeEscalation: false | |
| capabilities: | |
| drop: | |
| - all | |
| readOnlyRootFilesystem: true | |
| nodeSelector: | |
| beta.kubernetes.io/os: linux | |
| securityContext: | |
| runAsNonRoot: true | |
| runAsUser: 65534 | |
| serviceAccountName: controller | |
| terminationGracePeriodSeconds: 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| namespace: metallb-system | |
| name: metallb-config | |
| data: | |
| config: | | |
| peers: | |
| - peer-address: "10.10.70.1" | |
| peer-asn: 64512 | |
| my-asn: 64512 | |
| address-pools: | |
| - name: default | |
| protocol: bgp | |
| addresses: | |
| - "10.10.71.0/24" | |
| avoid-buggy-ips: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| name: pihole-system | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: pihole-ftl.conf | |
| namespace: pihole-system | |
| data: | |
| pihole-FTL.conf: | | |
| MAXDBDAYS=7 | |
| LOGFILE=/var/log/pihole/pihole-FTL.log | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: whitelist.txt | |
| namespace: pihole-system | |
| data: | |
| whitelist.txt: | | |
| ichnaea.netflix.com | |
| nrdp.nccp.netflix.com | |
| collector-medium.lightstep.com | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: adlists.list | |
| namespace: pihole-system | |
| data: | |
| adlists.list: | | |
| https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | |
| https://mirror1.malwaredomains.com/files/justdomains | |
| http://sysctl.org/cameleon/hosts | |
| https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt | |
| https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt | |
| https://hosts-file.net/ad_servers.txt | |
| https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt | |
| https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt | |
| https://blocklist.site/app/dl/malware | |
| https://blocklist.site/app/dl/spam | |
| https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | |
| https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: pihole-env | |
| namespace: pihole-system | |
| data: | |
| TZ: Europe/Helsinki | |
| DNS1: 127.0.0.1#5054 | |
| DNS2: 127.0.0.1#5054 | |
| WEBPASSWORD: anther-visceral-defecate-valet-hindu | |
| --- | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: pihole | |
| namespace: pihole-system | |
| labels: | |
| app: pihole | |
| spec: | |
| replicas: 3 | |
| selector: | |
| matchLabels: | |
| app: pihole | |
| template: | |
| metadata: | |
| labels: | |
| app: pihole | |
| spec: | |
| containers: | |
| - name: pihole-cloudflared | |
| image: visibilityspots/cloudflared:amd64 | |
| resources: | |
| requests: | |
| memory: "64Mi" | |
| cpu: "250m" | |
| limits: | |
| memory: "128Mi" | |
| cpu: "500m" | |
| - name: pihole-core | |
| image: pihole/pihole:4.3.2-1 | |
| resources: | |
| requests: | |
| memory: "64Mi" | |
| cpu: "250m" | |
| limits: | |
| memory: "128Mi" | |
| cpu: "500m" | |
| readinessProbe: | |
| exec: | |
| command: ['dig', '@127.0.0.1', 'hs.fi'] | |
| timeoutSeconds: 20 | |
| initialDelaySeconds: 5 | |
| periodSeconds: 60 | |
| env: | |
| - name: TZ | |
| valueFrom: | |
| configMapKeyRef: | |
| name: pihole-env | |
| key: TZ | |
| - name: WEBPASSWORD | |
| valueFrom: | |
| configMapKeyRef: | |
| name: pihole-env | |
| key: WEBPASSWORD | |
| - name: DNS1 | |
| valueFrom: | |
| configMapKeyRef: | |
| name: pihole-env | |
| key: DNS1 | |
| - name: DNS2 | |
| valueFrom: | |
| configMapKeyRef: | |
| name: pihole-env | |
| key: DNS2 | |
| ports: | |
| - name: web | |
| containerPort: 80 | |
| - name : dns | |
| protocol : UDP | |
| containerPort: 53 | |
| volumeMounts: | |
| - name: etc-pihole | |
| mountPath: /etc/pihole | |
| - name: etc-dnsmasq | |
| mountPath: /etc/dnsmasq.d | |
| - name: var-log | |
| mountPath: /var/log | |
| - name: var-log-lighttpd | |
| mountPath: /var/log/lighttpd | |
| - name: ftlconf | |
| mountPath: /etc/pihole/pihole-FTL.conf | |
| subPath: pihole-FTL.conf | |
| - name: whitelist | |
| mountPath: /etc/pihole/whitelist.txt | |
| subPath: whitelist.txt | |
| - name: adlists | |
| mountPath: /etc/pihole/adlists.list | |
| subPath: adlists.list | |
| volumes: | |
| - name: etc-pihole | |
| emptyDir: | |
| medium: Memory | |
| - name: etc-dnsmasq | |
| emptyDir: | |
| medium: Memory | |
| - name: var-log | |
| emptyDir: | |
| medium: Memory | |
| - name: var-log-lighttpd | |
| emptyDir: | |
| medium: Memory | |
| - name: ftlconf | |
| configMap: | |
| name: pihole-ftl.conf | |
| items: | |
| - key: pihole-FTL.conf | |
| path: pihole-FTL.conf | |
| - name: whitelist | |
| configMap: | |
| name: whitelist.txt | |
| items: | |
| - key: whitelist.txt | |
| path: whitelist.txt | |
| - name: adlists | |
| configMap: | |
| name: adlists.list | |
| items: | |
| - key: adlists.list | |
| path: adlists.list | |
| --- | |
| kind: Service | |
| apiVersion: v1 | |
| metadata: | |
| name: pihole-web-service | |
| namespace : pihole-system | |
| spec: | |
| selector: | |
| app: pihole | |
| ports: | |
| - protocol: TCP | |
| port: 80 | |
| targetPort: 80 | |
| name : web | |
| type: LoadBalancer | |
| loadBalancerIP: 10.10.71.10 | |
| --- | |
| kind: Service | |
| apiVersion: v1 | |
| metadata: | |
| name: pihole-dns-service | |
| namespace: pihole-system | |
| spec: | |
| selector: | |
| app: pihole | |
| ports: | |
| - protocol: UDP | |
| port: 53 | |
| targetPort: 53 | |
| name : dns | |
| type: LoadBalancer | |
| loadBalancerIP: 10.10.71.10 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment