packet-ccm.yaml
---
# Deployment of the Packet cloud controller manager (CCM): one replica in
# kube-system, running under the cloud-controller-manager ServiceAccount.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: packet-cloud-controller-manager
  namespace: kube-system
  labels:
    app: packet-cloud-controller-manager
spec:
  # Leader election is switched off in the container args below, so a second
  # replica would run the same controllers concurrently. Keep this at 1
  # unless --leader-elect is enabled.
  replicas: 1
  selector:
    matchLabels:
      app: packet-cloud-controller-manager
  template:
    metadata:
      labels:
        app: packet-cloud-controller-manager
      annotations:
        # NOTE(review): alpha-era critical-pod marker; newer Kubernetes
        # releases use priorityClassName instead. Confirm against the
        # target cluster version.
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      dnsPolicy: Default
      # The pod shares the node's network namespace, so the process can
      # reach listeners bound on the node itself.
      # NOTE(review): presumably needed so the CCM can start before pod
      # networking is ready - confirm before copying this elsewhere.
      hostNetwork: true
      serviceAccountName: cloud-controller-manager
      tolerations:
        # Every kubelet started with `--cloud-provider=external` sets this
        # taint; tolerating it lets the CCM schedule and initialise nodes.
        - key: "node.cloudprovider.kubernetes.io/uninitialized"
          value: "true"
          effect: "NoSchedule"
        - key: "CriticalAddonsOnly"
          operator: "Exists"
        # Allows the CCM to be scheduled onto master nodes.
        - key: "node-role.kubernetes.io/master"
          effect: "NoSchedule"
      containers:
        - name: packet-cloud-controller-manager
          # Referenced by mutable tag only. Pinning the image by digest
          # would make the deployed binary verifiable.
          image: packethost/packet-ccm:v2.0.0
          command:
            - "./packet-cloud-controller-manager"
            - "--cloud-provider=packet"
            - "--leader-elect=false"
            - "--allow-untagged-cloud=true"
            - "--authentication-skip-lookup=true"
            - "--provider-config=/etc/cloud-sa/cloud-sa.json"
          # Requests only, no limits, and no securityContext.
          # NOTE(review): consider runAsNonRoot, readOnlyRootFilesystem and
          # allowPrivilegeEscalation: false once confirmed that the image
          # works with them.
          resources:
            requests:
              cpu: 100m
              memory: 50Mi
          volumeMounts:
            - name: cloud-sa-volume
              mountPath: "/etc/cloud-sa"
              readOnly: true
      volumes:
        # Provider config is read from the packet-cloud-config Secret.
        # NOTE(review): presumably holds the provider API credentials;
        # restrict who can read Secrets in kube-system accordingly.
        - name: cloud-sa-volume
          secret:
            secretName: packet-cloud-config
---
# Identity the CCM pod runs as. Its permissions come from the
# system:cloud-controller-manager ClusterRole via the ClusterRoleBinding
# in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloud-controller-manager
  namespace: kube-system
---
# Cluster-wide permissions for the CCM. Every rule below applies in all
# namespaces because this is a ClusterRole bound by a ClusterRoleBinding.
# NOTE(review): the "system:" name prefix is reserved for Kubernetes system
# use - confirm this name is intentional.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:cloud-controller-manager
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
rules:
  # reason: so ccm can monitor and update endpoints, used for control plane
  # loadbalancer
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - create
      - get
      - list
      - watch
      - update
  # reason: so ccm can read and update nodes and annotations
  # NOTE(review): "*" grants every verb on nodes, including delete and
  # deletecollection. List the verbs explicitly once the set the CCM
  # actually uses is confirmed.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - "*"
  # reason: so ccm can update the status of nodes
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
  # reason: so ccm can manage services for loadbalancer
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - patch
      - update
      - watch
      - create
  # reason: so ccm can update the status of services for loadbalancer
  - apiGroups:
      - ""
    resources:
      - services/status
    verbs:
      - list
      - patch
      - update
      - watch
  # reason: so ccm can read and update configmap/metallb-system:config
  # NOTE(review): this grants write access to ConfigMaps in every namespace,
  # kube-system included. If metallb-system:config is the only one needed,
  # a namespaced Role and RoleBinding in metallb-system would be narrower.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
---
# Grants the system:cloud-controller-manager ClusterRole to the
# cloud-controller-manager ServiceAccount in kube-system. Any pod allowed
# to run as that ServiceAccount receives the same cluster-wide permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:cloud-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:cloud-controller-manager
subjects:
  - kind: ServiceAccount
    name: cloud-controller-manager
    namespace: kube-system