pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
atst/deploy/azure/keyvault/deployment-rbac.yml
tomdds f8e95ae104 Initial FlexVol Setup 
This commit is the first part of consuming secrets from the Azure Key Vault. This will set up the required services to consume Azure's RBAC controls in the cluster, an identity to read the secrets, and the tool (FlexVol) to mount the secrets.
2019-11-25 11:19:55 -05:00

260 lines
6.3 KiB
YAML
Raw Blame History

apiVersion: v1
kind: ServiceAccount
metadata:
name: aad-pod-id-nmi-service-account
namespace: default
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: azureassignedidentities.aadpodidentity.k8s.io
spec:
group: aadpodidentity.k8s.io
version: v1
names:
kind: AzureAssignedIdentity
plural: azureassignedidentities
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: azureidentitybindings.aadpodidentity.k8s.io
spec:
group: aadpodidentity.k8s.io
version: v1
names:
kind: AzureIdentityBinding
plural: azureidentitybindings
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: azureidentities.aadpodidentity.k8s.io
spec:
group: aadpodidentity.k8s.io
version: v1
names:
kind: AzureIdentity
singular: azureidentity
plural: azureidentities
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: azurepodidentityexceptions.aadpodidentity.k8s.io
spec:
group: aadpodidentity.k8s.io
version: v1
names:
kind: AzurePodIdentityException
singular: azurepodidentityexception
plural: azurepodidentityexceptions
scope: Namespaced
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aad-pod-id-nmi-role
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
- apiGroups: ["aadpodidentity.k8s.io"]
resources:
["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["aadpodidentity.k8s.io"]
resources: ["azureassignedidentities"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: aad-pod-id-nmi-binding
labels:
k8s-app: aad-pod-id-nmi-binding
subjects:
- kind: ServiceAccount
name: aad-pod-id-nmi-service-account
namespace: default
roleRef:
kind: ClusterRole
name: aad-pod-id-nmi-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
kubernetes.io/cluster-service: "true"
component: nmi
tier: node
k8s-app: aad-pod-id
name: nmi
namespace: default
spec:
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
component: nmi
tier: node
template:
metadata:
labels:
component: nmi
tier: node
spec:
serviceAccountName: aad-pod-id-nmi-service-account
hostNetwork: true
volumes:
- hostPath:
path: /run/xtables.lock
type: FileOrCreate
name: iptableslock
containers:
- name: nmi
image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.3"
imagePullPolicy: Always
args:
- "--host-ip=$(HOST_IP)"
- "--node=$(NODE_NAME)"
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
resources:
limits:
cpu: 200m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
privileged: true
capabilities:
add:
- NET_ADMIN
volumeMounts:
- mountPath: /run/xtables.lock
name: iptableslock
livenessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 10
periodSeconds: 5
nodeSelector:
beta.kubernetes.io/os: linux
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: aad-pod-id-mic-service-account
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aad-pod-id-mic-role
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["*"]
- apiGroups: [""]
resources: ["pods", "nodes"]
verbs: ["list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["create", "get", "update"]
- apiGroups: ["aadpodidentity.k8s.io"]
resources: ["azureidentitybindings", "azureidentities"]
verbs: ["get", "list", "watch", "post"]
- apiGroups: ["aadpodidentity.k8s.io"]
resources: ["azureassignedidentities"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: aad-pod-id-mic-binding
labels:
k8s-app: aad-pod-id-mic-binding
subjects:
- kind: ServiceAccount
name: aad-pod-id-mic-service-account
namespace: default
roleRef:
kind: ClusterRole
name: aad-pod-id-mic-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
component: mic
k8s-app: aad-pod-id
name: mic
namespace: default
spec:
replicas: 2
selector:
matchLabels:
component: mic
app: mic
template:
metadata:
labels:
component: mic
app: mic
spec:
serviceAccountName: aad-pod-id-mic-service-account
containers:
- name: mic
image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.3"
imagePullPolicy: Always
args:
- "--cloudconfig=/etc/kubernetes/azure.json"
- "--logtostderr"
resources:
limits:
cpu: 200m
memory: 1024Mi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- name: k8s-azure-file
mountPath: /etc/kubernetes/azure.json
readOnly: true
livenessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 10
periodSeconds: 5
volumes:
- name: k8s-azure-file
hostPath:
path: /etc/kubernetes/azure.json
nodeSelector:
beta.kubernetes.io/os: linux
Reference in New Issue View Git Blame Copy Permalink