| # from https://github.com/metallb/metallb/tree/v0.9.3/manifests namespace.yaml and metallb.yaml |
| apiVersion: v1 |
| kind: Namespace |
| metadata: |
| name: metallb-system |
| labels: |
| app: metallb |
| --- |
| apiVersion: policy/v1beta1 |
| kind: PodSecurityPolicy |
| metadata: |
| labels: |
| app: metallb |
| name: controller |
| namespace: metallb-system |
| spec: |
| allowPrivilegeEscalation: false |
| allowedCapabilities: [] |
| allowedHostPaths: [] |
| defaultAddCapabilities: [] |
| defaultAllowPrivilegeEscalation: false |
| fsGroup: |
| ranges: |
| - max: 65535 |
| min: 1 |
| rule: MustRunAs |
| hostIPC: false |
| hostNetwork: false |
| hostPID: false |
| privileged: false |
| readOnlyRootFilesystem: true |
| requiredDropCapabilities: |
| - ALL |
| runAsUser: |
| ranges: |
| - max: 65535 |
| min: 1 |
| rule: MustRunAs |
| seLinux: |
| rule: RunAsAny |
| supplementalGroups: |
| ranges: |
| - max: 65535 |
| min: 1 |
| rule: MustRunAs |
| volumes: |
| - configMap |
| - secret |
| - emptyDir |
| --- |
| apiVersion: policy/v1beta1 |
| kind: PodSecurityPolicy |
| metadata: |
| labels: |
| app: metallb |
| name: speaker |
| namespace: metallb-system |
| spec: |
| allowPrivilegeEscalation: false |
| allowedCapabilities: |
| - NET_ADMIN |
| - NET_RAW |
| - SYS_ADMIN |
| allowedHostPaths: [] |
| defaultAddCapabilities: [] |
| defaultAllowPrivilegeEscalation: false |
| fsGroup: |
| rule: RunAsAny |
| hostIPC: false |
| hostNetwork: true |
| hostPID: false |
| hostPorts: |
| - max: 7472 |
| min: 7472 |
| privileged: true |
| readOnlyRootFilesystem: true |
| requiredDropCapabilities: |
| - ALL |
| runAsUser: |
| rule: RunAsAny |
| seLinux: |
| rule: RunAsAny |
| supplementalGroups: |
| rule: RunAsAny |
| volumes: |
| - configMap |
| - secret |
| - emptyDir |
| --- |
| apiVersion: v1 |
| kind: ServiceAccount |
| metadata: |
| labels: |
| app: metallb |
| name: controller |
| namespace: metallb-system |
| --- |
| apiVersion: v1 |
| kind: ServiceAccount |
| metadata: |
| labels: |
| app: metallb |
| name: speaker |
| namespace: metallb-system |
| --- |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: ClusterRole |
| metadata: |
| labels: |
| app: metallb |
| name: metallb-system:controller |
| rules: |
| - apiGroups: |
| - '' |
| resources: |
| - services |
| verbs: |
| - get |
| - list |
| - watch |
| - update |
| - apiGroups: |
| - '' |
| resources: |
| - services/status |
| verbs: |
| - update |
| - apiGroups: |
| - '' |
| resources: |
| - events |
| verbs: |
| - create |
| - patch |
| - apiGroups: |
| - policy |
| resourceNames: |
| - controller |
| resources: |
| - podsecuritypolicies |
| verbs: |
| - use |
| --- |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: ClusterRole |
| metadata: |
| labels: |
| app: metallb |
| name: metallb-system:speaker |
| rules: |
| - apiGroups: |
| - '' |
| resources: |
| - services |
| - endpoints |
| - nodes |
| verbs: |
| - get |
| - list |
| - watch |
| - apiGroups: |
| - '' |
| resources: |
| - events |
| verbs: |
| - create |
| - patch |
| - apiGroups: |
| - policy |
| resourceNames: |
| - speaker |
| resources: |
| - podsecuritypolicies |
| verbs: |
| - use |
| --- |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: Role |
| metadata: |
| labels: |
| app: metallb |
| name: config-watcher |
| namespace: metallb-system |
| rules: |
| - apiGroups: |
| - '' |
| resources: |
| - configmaps |
| verbs: |
| - get |
| - list |
| - watch |
| --- |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: Role |
| metadata: |
| labels: |
| app: metallb |
| name: pod-lister |
| namespace: metallb-system |
| rules: |
| - apiGroups: |
| - '' |
| resources: |
| - pods |
| verbs: |
| - list |
| --- |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: ClusterRoleBinding |
| metadata: |
| labels: |
| app: metallb |
| name: metallb-system:controller |
| roleRef: |
| apiGroup: rbac.authorization.k8s.io |
| kind: ClusterRole |
| name: metallb-system:controller |
| subjects: |
| - kind: ServiceAccount |
| name: controller |
| namespace: metallb-system |
| --- |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: ClusterRoleBinding |
| metadata: |
| labels: |
| app: metallb |
| name: metallb-system:speaker |
| roleRef: |
| apiGroup: rbac.authorization.k8s.io |
| kind: ClusterRole |
| name: metallb-system:speaker |
| subjects: |
| - kind: ServiceAccount |
| name: speaker |
| namespace: metallb-system |
| --- |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: RoleBinding |
| metadata: |
| labels: |
| app: metallb |
| name: config-watcher |
| namespace: metallb-system |
| roleRef: |
| apiGroup: rbac.authorization.k8s.io |
| kind: Role |
| name: config-watcher |
| subjects: |
| - kind: ServiceAccount |
| name: controller |
| - kind: ServiceAccount |
| name: speaker |
| --- |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: RoleBinding |
| metadata: |
| labels: |
| app: metallb |
| name: pod-lister |
| namespace: metallb-system |
| roleRef: |
| apiGroup: rbac.authorization.k8s.io |
| kind: Role |
| name: pod-lister |
| subjects: |
| - kind: ServiceAccount |
| name: speaker |
| --- |
| apiVersion: apps/v1 |
| kind: DaemonSet |
| metadata: |
| labels: |
| app: metallb |
| component: speaker |
| name: speaker |
| namespace: metallb-system |
| spec: |
| selector: |
| matchLabels: |
| app: metallb |
| component: speaker |
| template: |
| metadata: |
| annotations: |
| prometheus.io/port: '7472' |
| prometheus.io/scrape: 'true' |
| labels: |
| app: metallb |
| component: speaker |
| spec: |
| containers: |
| - args: |
| - --port=7472 |
| - --config=config |
| env: |
| - name: METALLB_NODE_NAME |
| valueFrom: |
| fieldRef: |
| fieldPath: spec.nodeName |
| - name: METALLB_HOST |
| valueFrom: |
| fieldRef: |
| fieldPath: status.hostIP |
| - name: METALLB_ML_BIND_ADDR |
| valueFrom: |
| fieldRef: |
| fieldPath: status.podIP |
| - name: METALLB_ML_LABELS |
| value: "app=metallb,component=speaker" |
| - name: METALLB_ML_NAMESPACE |
| valueFrom: |
| fieldRef: |
| fieldPath: metadata.namespace |
| - name: METALLB_ML_SECRET_KEY |
| valueFrom: |
| secretKeyRef: |
| name: memberlist |
| key: secretkey |
| image: metallb/speaker:v0.9.3 |
| imagePullPolicy: Always |
| name: speaker |
| ports: |
| - containerPort: 7472 |
| name: monitoring |
| resources: |
| limits: |
| cpu: 100m |
| memory: 100Mi |
| securityContext: |
| allowPrivilegeEscalation: false |
| capabilities: |
| add: |
| - NET_ADMIN |
| - NET_RAW |
| - SYS_ADMIN |
| drop: |
| - ALL |
| readOnlyRootFilesystem: true |
| hostNetwork: true |
| nodeSelector: |
| beta.kubernetes.io/os: linux |
| serviceAccountName: speaker |
| terminationGracePeriodSeconds: 2 |
| tolerations: |
| - effect: NoSchedule |
| key: node-role.kubernetes.io/master |
| --- |
| apiVersion: apps/v1 |
| kind: Deployment |
| metadata: |
| labels: |
| app: metallb |
| component: controller |
| name: controller |
| namespace: metallb-system |
| spec: |
| revisionHistoryLimit: 3 |
| selector: |
| matchLabels: |
| app: metallb |
| component: controller |
| template: |
| metadata: |
| annotations: |
| prometheus.io/port: '7472' |
| prometheus.io/scrape: 'true' |
| labels: |
| app: metallb |
| component: controller |
| spec: |
| containers: |
| - args: |
| - --port=7472 |
| - --config=config |
| image: metallb/controller:v0.9.3 |
| imagePullPolicy: Always |
| name: controller |
| ports: |
| - containerPort: 7472 |
| name: monitoring |
| resources: |
| limits: |
| cpu: 100m |
| memory: 100Mi |
| securityContext: |
| allowPrivilegeEscalation: false |
| capabilities: |
| drop: |
| - all |
| readOnlyRootFilesystem: true |
| nodeSelector: |
| beta.kubernetes.io/os: linux |
| securityContext: |
| runAsNonRoot: true |
| runAsUser: 65534 |
| serviceAccountName: controller |
| terminationGracePeriodSeconds: 0 |