## Namespace
# Every MetalLB object in this file lives in (or is bound into) this namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: metallb-system
---
## RBAC roles
# Cluster-wide permissions for the controller.
# "update" on services is a cluster-wide write on *every* Service, not only
# LoadBalancer-type ones, so this role should be bound to the controller
# ServiceAccount and nothing else. services/status is presumably where the
# assigned address is written back; events lets it report errors.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metallb-system:controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - ""
    resources:
      - services/status
    verbs:
      - update
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
---
# Cluster-wide, read-only permissions for the speaker: it only needs to observe
# Services and their Endpoints; all write access it has is namespace-scoped
# (see the leader-election and config-watcher Roles below).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metallb-system:speaker
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
    verbs:
      - get
      - list
      - watch
---
# Namespace-scoped permissions for speaker leader election. The lock object is
# the "metallb-speaker" Endpoints resource; get/update are pinned to that one
# name via resourceNames. "create" cannot be restricted by resourceNames
# (the object name is not known at authorization time), hence the second,
# unrestricted rule -- it is limited to Endpoints in this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: leader-election
  namespace: metallb-system
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
    resourceNames:
      - metallb-speaker
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - create
---
# Namespace-scoped, read-only access to the MetalLB configuration ConfigMap(s),
# shared by both the controller and the speaker (see the RoleBinding below).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: config-watcher
  namespace: metallb-system
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Allow creating events in the metallb-system namespace
  # so that watchers can post config errors.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
---
## Service accounts
# Identity the controller Deployment runs as; bound to the
# metallb-system:controller ClusterRole and the config-watcher Role.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: controller
  namespace: metallb-system
---
# Identity the speaker DaemonSet runs as; bound to the metallb-system:speaker
# ClusterRole and the config-watcher and leader-election Roles.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: speaker
  namespace: metallb-system
---
## Role bindings
# Grants the controller ServiceAccount its cluster-wide role. ClusterRoleBinding
# subjects must name the ServiceAccount's namespace explicitly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:controller
subjects:
  - kind: ServiceAccount
    name: controller
    namespace: metallb-system
---
# Grants the speaker ServiceAccount its (read-only) cluster-wide role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:speaker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:speaker
subjects:
  - kind: ServiceAccount
    name: speaker
    namespace: metallb-system
---
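# Lets both the controller and the speaker read the MetalLB config.
# The subject namespace is stated explicitly: for a namespaced RoleBinding the
# RBAC authorizer defaults a ServiceAccount subject's namespace to the
# binding's own, so this is equivalent to the original but leaves no
# ambiguity about which "controller"/"speaker" accounts are meant.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: config-watcher
  namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: config-watcher
subjects:
  - kind: ServiceAccount
    name: controller
    namespace: metallb-system
  - kind: ServiceAccount
    name: speaker
    namespace: metallb-system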
---
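# Only the speaker takes part in leader election; the controller is not bound
# here. The subject namespace is stated explicitly (the authorizer would
# default it to the binding's namespace anyway, so behaviour is unchanged).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: leader-election
  namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-election
subjects:
  - kind: ServiceAccount
    name: speaker
    namespace: metallb-system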
---
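## Controller deployment
# apiVersion: the original used apps/v1beta2, which was removed from the API
# server in Kubernetes 1.16. apps/v1 carries the same Deployment schema
# (spec.selector is already present, as apps/v1 requires).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller
  namespace: metallb-system
  labels:
    app: controller
  annotations:
    # Quoted on purpose: annotation values must be strings, not bool/int.
    prometheus.io/scrape: "true"
    prometheus.io/port: "7472"
spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: controller
  template:
    metadata:
      labels:
        app: controller
    spec:
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0
      # Pod-level hardening: the controller has no need for root.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534  # nobody
      # Allow scheduling on control-plane / critical-addon nodes.
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
      containers:
        - name: controller
          image: metallb/controller:v0.3.1
          args:
            - --port=7472
          ports:
            - name: monitoring
              containerPort: 7472
          resources:
            limits:
              cpu: "0.1"
              memory: "100Mi"
          # Container-level hardening: no privilege escalation, no Linux
          # capabilities, immutable root filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            readOnlyRootFilesystem: true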
---
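# Speaker DaemonSet
# apiVersion: the original used apps/v1beta2, which was removed from the API
# server in Kubernetes 1.16. apps/v1 carries the same DaemonSet schema
# (spec.selector is already present, as apps/v1 requires).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: speaker
  namespace: metallb-system
  labels:
    app: speaker
spec:
  selector:
    matchLabels:
      app: speaker
  template:
    metadata:
      labels:
        app: speaker
      annotations:
        # Quoted on purpose: annotation values must be strings, not bool/int.
        prometheus.io/scrape: "true"
        prometheus.io/port: "7472"
    spec:
      serviceAccountName: speaker
      terminationGracePeriodSeconds: 0
      # The speaker runs in the node's network namespace; together with the
      # NET_RAW capability below this is what lets it announce addresses from
      # the node itself. It also means the pod shares the node's interfaces
      # and can open raw sockets on them, so treat this workload as
      # node-privileged and keep its RBAC minimal (see the roles above).
      hostNetwork: true
      # Allow scheduling on control-plane / critical-addon nodes.
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
      containers:
        - name: speaker
          image: metallb/speaker:v0.3.1
          args:
            - --port=7472
          # Node identity is injected from the pod's own fields.
          env:
            - name: METALLB_NODE_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: METALLB_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - name: monitoring
              containerPort: 7472
          resources:
            limits:
              cpu: "0.1"
              memory: "100Mi"
          # Unlike the controller, no runAsNonRoot/runAsUser is set here, so
          # the speaker presumably runs as the image's default user; with
          # NET_RAW added that is the one capability it keeps -- all others
          # are dropped and escalation is disabled.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - all
              add:
                - net_raw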