Last active
October 30, 2023 19:05
-
-
Save ismailbay/13ead7f4a3147ef82b455d839a632b91 to your computer and use it in GitHub Desktop.
csr-approver-standalone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# Source: kubelet-csr-approver/templates/serviceaccount.yaml | |
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
name: kubelet-csr-approver | |
namespace: kube-system | |
labels: | |
helm.sh/chart: kubelet-csr-approver-1.0.5 | |
app.kubernetes.io/name: kubelet-csr-approver | |
app.kubernetes.io/instance: kubelet-csr-approver | |
app.kubernetes.io/version: "v1.0.5" | |
app.kubernetes.io/managed-by: Helm | |
--- | |
# Source: kubelet-csr-approver/templates/clusterrole.yaml | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRole | |
metadata: | |
name: kubelet-csr-approver | |
rules: | |
- apiGroups: | |
- coordination.k8s.io | |
resources: | |
- leases | |
verbs: | |
- create | |
- get | |
- update | |
- apiGroups: | |
- "" | |
resources: | |
- events | |
verbs: | |
- create | |
- apiGroups: | |
- certificates.k8s.io | |
resources: | |
- certificatesigningrequests | |
verbs: | |
- get | |
- list | |
- watch | |
- apiGroups: | |
- certificates.k8s.io | |
resources: | |
- certificatesigningrequests/approval | |
verbs: | |
- update | |
- apiGroups: | |
- certificates.k8s.io | |
resourceNames: | |
- kubernetes.io/kubelet-serving | |
resources: | |
- signers | |
verbs: | |
- approve | |
--- | |
# Source: kubelet-csr-approver/templates/rolebinding.yaml | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRoleBinding | |
metadata: | |
name: kubelet-csr-approver | |
namespace: kube-system | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: kubelet-csr-approver | |
subjects: | |
- kind: ServiceAccount | |
name: kubelet-csr-approver | |
namespace: kube-system | |
--- | |
# Source: kubelet-csr-approver/templates/service.yaml | |
apiVersion: v1 | |
kind: Service | |
metadata: | |
name: kubelet-csr-approver | |
namespace: kube-system | |
labels: | |
helm.sh/chart: kubelet-csr-approver-1.0.5 | |
app.kubernetes.io/name: kubelet-csr-approver | |
app.kubernetes.io/instance: kubelet-csr-approver | |
app.kubernetes.io/version: "v1.0.5" | |
app.kubernetes.io/managed-by: Helm | |
annotations: | |
prometheus.io/port: '8080' | |
prometheus.io/scrape: 'true' | |
spec: | |
type: ClusterIP | |
ports: | |
- port: 8080 | |
targetPort: metrics | |
protocol: TCP | |
name: metrics | |
selector: | |
app.kubernetes.io/name: kubelet-csr-approver | |
app.kubernetes.io/instance: kubelet-csr-approver | |
--- | |
# Source: kubelet-csr-approver/templates/deployment.yaml | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
name: kubelet-csr-approver | |
namespace: kube-system | |
labels: | |
helm.sh/chart: kubelet-csr-approver-1.0.5 | |
app.kubernetes.io/name: kubelet-csr-approver | |
app.kubernetes.io/instance: kubelet-csr-approver | |
app.kubernetes.io/version: "v1.0.5" | |
app.kubernetes.io/managed-by: Helm | |
spec: | |
replicas: 2 | |
selector: | |
matchLabels: | |
app.kubernetes.io/name: kubelet-csr-approver | |
app.kubernetes.io/instance: kubelet-csr-approver | |
template: | |
metadata: | |
labels: | |
app.kubernetes.io/name: kubelet-csr-approver | |
app.kubernetes.io/instance: kubelet-csr-approver | |
spec: | |
serviceAccountName: kubelet-csr-approver | |
securityContext: | |
{} | |
containers: | |
- name: kubelet-csr-approver | |
securityContext: | |
allowPrivilegeEscalation: false | |
capabilities: | |
drop: | |
- all | |
privileged: false | |
readOnlyRootFilesystem: true | |
runAsGroup: 65532 | |
runAsNonRoot: true | |
runAsUser: 65532 | |
seccompProfile: | |
type: RuntimeDefault | |
image: "ghcr.io/postfinance/kubelet-csr-approver:v1.0.5" | |
imagePullPolicy: IfNotPresent | |
args: | |
- -metrics-bind-address | |
- ":8080" | |
- -health-probe-bind-address | |
- ":8081" | |
- -leader-election | |
env: | |
- name: PROVIDER_REGEX | |
value: ^k8s-dd?$ | |
- name: BYPASS_DNS_RESOLUTION | |
value: "true" | |
- name: ALLOWED_DNS_NAMES | |
value: "1" | |
ports: | |
- name: metrics | |
containerPort: 8080 | |
protocol: TCP | |
livenessProbe: | |
httpGet: | |
path: /healthz | |
port: 8081 | |
resources: | |
limits: | |
cpu: 500m | |
memory: 128Mi | |
requests: | |
cpu: 100m | |
memory: 64Mi | |
tolerations: | |
- effect: NoSchedule | |
key: node-role.kubernetes.io/control-plane | |
operator: Equal | |
--- | |
# Source: kubelet-csr-approver/templates/tests/test-connection.yaml | |
apiVersion: v1 | |
kind: Pod | |
metadata: | |
name: "kubelet-csr-approver-test-connection" | |
namespace: kube-system | |
labels: | |
helm.sh/chart: kubelet-csr-approver-1.0.5 | |
app.kubernetes.io/name: kubelet-csr-approver | |
app.kubernetes.io/instance: kubelet-csr-approver | |
app.kubernetes.io/version: "v1.0.5" | |
app.kubernetes.io/managed-by: Helm | |
annotations: | |
"helm.sh/hook": test | |
spec: | |
containers: | |
- name: wget | |
image: busybox | |
command: | |
- /bin/sh | |
- -c | |
- | | |
sleep 10 ; wget -O- -S kubelet-csr-approver:8080/metrics | |
restartPolicy: Never |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment