Skip to content

Instantly share code, notes, and snippets.

@kiall
Created February 21, 2018 20:38
Show Gist options
  • Save kiall/7e3aae1bcd2de72f7e1e4b89cf16d5a9 to your computer and use it in GitHub Desktop.
Save kiall/7e3aae1bcd2de72f7e1e4b89cf16d5a9 to your computer and use it in GitHub Desktop.
## Namespace
apiVersion: v1
kind: Namespace
metadata:
name: metallb-system
---
## RBAC roles
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: metallb-system:controller
rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["services/status"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: metallb-system:speaker
rules:
- apiGroups: [""]
resources: ["services", "endpoints"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: metallb-system
name: leader-election
rules:
- apiGroups: [""]
resources: ["endpoints"]
resourceNames: ["metallb-speaker"]
verbs: ["get", "update"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: metallb-system
name: config-watcher
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- # Allow creating events in the metallb-system namespace
# so that watchers can post config errors.
apiGroups: [""]
resources: ["events"]
verbs: ["create"]
---
## Service accounts
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: metallb-system
name: controller
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: metallb-system
name: speaker
---
## Role bindings
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metallb-system:controller
subjects:
- kind: ServiceAccount
namespace: metallb-system
name: controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: metallb-system:controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metallb-system:speaker
subjects:
- kind: ServiceAccount
namespace: metallb-system
name: speaker
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: metallb-system:speaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
namespace: metallb-system
name: config-watcher
subjects:
- kind: ServiceAccount
name: controller
- kind: ServiceAccount
name: speaker
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: config-watcher
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
namespace: metallb-system
name: leader-election
subjects:
- kind: ServiceAccount
name: speaker
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election
---
## Controller deployment
apiVersion: apps/v1beta2
kind: Deployment
metadata:
namespace: metallb-system
name: controller
labels:
app: controller
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "7472"
spec:
revisionHistoryLimit: 3
selector:
matchLabels:
app: controller
template:
metadata:
labels:
app: controller
spec:
serviceAccountName: controller
terminationGracePeriodSeconds: 0
securityContext:
runAsNonRoot: true
runAsUser: 65534 # nobody
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
containers:
- name: controller
image: metallb/controller:v0.3.1
args:
- --port=7472
ports:
- name: monitoring
containerPort: 7472
resources:
limits:
cpu: "0.1"
memory: "100Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
---
# Speaker DaemonSet
apiVersion: apps/v1beta2
kind: DaemonSet
metadata:
namespace: metallb-system
name: speaker
labels:
app: speaker
spec:
selector:
matchLabels:
app: speaker
template:
metadata:
labels:
app: speaker
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "7472"
spec:
serviceAccountName: speaker
terminationGracePeriodSeconds: 0
hostNetwork: true
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
containers:
- name: speaker
image: metallb/speaker:v0.3.1
args:
- --port=7472
env:
- name: METALLB_NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: METALLB_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
ports:
- name: monitoring
containerPort: 7472
resources:
limits:
cpu: "0.1"
memory: "100Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
add:
- net_raw
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment