csr approver

Kjeld Schouten 2024-06-20 01:10:29 +02:00
parent 07fdb4281e
commit d2d9d914d1
No known key found for this signature in database
GPG Key ID: 287011974D890A74

211
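--- /dev/null
+++ b/kubelet-cert-approver.yaml
@@ -0,0 +1,211 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+annotations:
+meta.helm.sh/release-name: kubelet-csr-approver
+meta.helm.sh/release-namespace: kube-system
+labels:
+app.kubernetes.io/instance: kubelet-csr-approver
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: kubelet-csr-approver
+app.kubernetes.io/version: v1.2.1
+helm.sh/chart: kubelet-csr-approver-1.2.1
+name: kubelet-csr-approver
+namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+annotations:
+meta.helm.sh/release-name: kubelet-csr-approver
+meta.helm.sh/release-namespace: kube-system
+labels:
+app.kubernetes.io/managed-by: Helm
+name: kubelet-csr-approver
+rules:
+- apiGroups:
+- coordination.k8s.io
+resources:
+- leases
+verbs:
+- create
+- get
+- update
+- apiGroups:
+- ""
+resources:
+- events
+verbs:
+- create
+- apiGroups:
+- certificates.k8s.io
+resources:
+- certificatesigningrequests
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- certificates.k8s.io
+resources:
+- certificatesigningrequests/approval
+verbs:
+- update
+- apiGroups:
+- certificates.k8s.io
+resourceNames:
+- kubernetes.io/kubelet-serving
+resources:
+- signers
+verbs:
+- approve
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+annotations:
+meta.helm.sh/release-name: kubelet-csr-approver
+meta.helm.sh/release-namespace: kube-system
+labels:
+app.kubernetes.io/managed-by: Helm
+name: kubelet-csr-approver
+namespace: kube-system
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: kubelet-csr-approver
+subjects:
+- kind: ServiceAccount
+name: kubelet-csr-approver
+namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+annotations:
+meta.helm.sh/release-name: kubelet-csr-approver
+meta.helm.sh/release-namespace: kube-system
+prometheus.io/port: "8080"
+prometheus.io/scrape: "true"
+labels:
+app.kubernetes.io/instance: kubelet-csr-approver
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: kubelet-csr-approver
+app.kubernetes.io/version: v1.2.1
+helm.sh/chart: kubelet-csr-approver-1.2.1
+name: kubelet-csr-approver
+namespace: kube-system
+spec:
+ports:
+- name: metrics
+port: 8080
+protocol: TCP
+targetPort: metrics
+selector:
+app.kubernetes.io/instance: kubelet-csr-approver
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: kubelet-csr-approver
+type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+annotations:
+meta.helm.sh/release-name: kubelet-csr-approver
+meta.helm.sh/release-namespace: kube-system
+labels:
+app.kubernetes.io/instance: kubelet-csr-approver
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: kubelet-csr-approver
+app.kubernetes.io/version: v1.2.1
+helm.sh/chart: kubelet-csr-approver-1.2.1
+name: kubelet-csr-approver
+namespace: kube-system
+spec:
+replicas: 2
+selector:
+matchLabels:
+app.kubernetes.io/instance: kubelet-csr-approver
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: kubelet-csr-approver
+template:
+metadata:
+annotations:
+meta.helm.sh/release-name: kubelet-csr-approver
+meta.helm.sh/release-namespace: kube-system
+labels:
+app.kubernetes.io/instance: kubelet-csr-approver
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: kubelet-csr-approver
+spec:
+containers:
+- args:
+- -metrics-bind-address
+- :8080
+- -health-probe-bind-address
+- :8081
+- -leader-election
+env:
+- name: ALLOWED_DNS_NAMES
+value: "1"
+image: ghcr.io/postfinance/kubelet-csr-approver:v1.2.1
+imagePullPolicy: IfNotPresent
+livenessProbe:
+httpGet:
+path: /healthz
+port: 8081
+name: kubelet-csr-approver
+ports:
+- containerPort: 8080
+name: metrics
+protocol: TCP
+resources:
+limits:
+cpu: 500m
+memory: 128Mi
+requests:
+cpu: 100m
+memory: 64Mi
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- all
+privileged: false
+readOnlyRootFilesystem: true
+runAsGroup: 65532
+runAsNonRoot: true
+runAsUser: 65532
+seccompProfile:
+type: RuntimeDefault
+securityContext: {}
+serviceAccountName: kubelet-csr-approver
+tolerations:
+- effect: NoSchedule
+key: node-role.kubernetes.io/control-plane
+operator: Equal
+---
+apiVersion: v1
+kind: Pod
+metadata:
+annotations:
+helm.sh/hook: test
+meta.helm.sh/release-name: kubelet-csr-approver
+meta.helm.sh/release-namespace: kube-system
+labels:
+app.kubernetes.io/instance: kubelet-csr-approver
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: kubelet-csr-approver
+app.kubernetes.io/version: v1.2.1
+helm.sh/chart: kubelet-csr-approver-1.2.1
+name: kubelet-csr-approver-test-connection
+spec:
+containers:
+- command:
+- /bin/sh
+- -c
+- |
+sleep 10 ; wget -O- -S kubelet-csr-approver:8080/metrics
+image: busybox
+name: wget
+restartPolicy: Never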
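Review bot: The approver container's `env` list sets only `ALLOWED_DNS_NAMES`, so nothing in this manifest narrows which node hostnames or addresses may have a `kubernetes.io/kubelet-serving` CSR auto-approved. As far as I know the upstream defaults accept any hostname and any IP range, which is worth confirming against the v1.2.1 documentation. Because the ClusterRole lets this service account update `certificatesigningrequests/approval` cluster-wide, I would set `PROVIDER_REGEX` and `PROVIDER_IP_PREFIXES` to this cluster's node naming scheme and node subnets, as sketched below with placeholder values. Separately, the trailing `kubelet-csr-approver-test-connection` Pod is a Helm test hook. Applied as a plain manifest it would presumably just be created, with no namespace, an untagged `busybox` image and no securityContext, so I would drop it from the file.

```yaml
        # … unchanged: args …
        env:
        - name: ALLOWED_DNS_NAMES
          value: "1"
        # placeholders: replace with this cluster's node naming and subnets
        - name: PROVIDER_REGEX
          value: "<node-hostname-regex>"
        - name: PROVIDER_IP_PREFIXES
          value: "<node-cidr>,<node-cidr>"
        # … unchanged: image, probes, resources, securityContext …
```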