manifest-vds.yml

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: proxy-inject
spec:
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  privileged: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  hostNetwork: true
  volumes:
  - '*'
---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: internal-kubectl
  namespace: ${DEPLOY_NS}

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: proxy-inject
rules:
  - apiGroups: ["","vmoperator.vmware.com"]
    resources:
      - virtualmachines
      - secrets
    verbs:
      - get
      - list
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs:     ['use']
    resourceNames:
      - proxy-inject

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: proxy-kubectl
  namespace: ${DEPLOY_NS}
subjects:
  - kind: ServiceAccount
    name: internal-kubectl
roleRef:
  kind: ClusterRole
  name: proxy-inject
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: proxy-inject
  namespace: ${DEPLOY_NS}
  labels:
    app: proxy-inject
spec:
  replicas: 1
  selector:
    matchLabels:
      app: proxy-inject
  template:
    metadata:
      labels:
        app: proxy-inject
    spec:
      serviceAccountName: internal-kubectl
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
      - image: localhost:5000/vmware/proxy-inject:1.3.0
        imagePullPolicy: Always
        name: proxy-inject
        env:
          - name: TKC_HTTP_PROXY
            value: "${TKC_HTTP_PROXY}"
          - name: TKC_HTTPS_PROXY
            value: "${TKC_HTTPS_PROXY}"
          - name: TKC_NO_PROXY
            value: "${TKC_NO_PROXY}"
          - name: REG_CERT
            value: "${REG_CERT}"
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "256Mi"
            cpu: "500m"
        volumeMounts:
          - mountPath: /tmp
            name: tmp
      volumes:
      - emptyDir: {}
        name: tmp
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      nodeSelector:
        node-role.kubernetes.io/master: ""
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          key: node.alpha.kubernetes.io/notReady
          operator: Exists
        - effect: NoExecute
          key: node.alpha.kubernetes.io/unreachable
          operator: Exists
        - effect: NoSchedule
          key: kubeadmNode
          operator: Equal
          value: master