minikube/deploy/addons/istio-provisioner/istio-operator.yaml.tmpl

276 lines
5.4 KiB
Cheetah

---
apiVersion: v1
kind: Namespace
metadata:
name: istio-operator
labels:
kubernetes.io/minikube-addons: istio
addonmanager.kubernetes.io/mode: EnsureExists
...
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: istiooperators.install.istio.io
labels:
kubernetes.io/minikube-addons: istio
addonmanager.kubernetes.io/mode: EnsureExists
spec:
conversion:
strategy: None
group: install.istio.io
names:
kind: IstioOperator
listKind: IstioOperatorList
plural: istiooperators
singular: istiooperator
shortNames:
- iop
- io
scope: Namespaced
versions:
- name: v1alpha1
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
...
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: istio-operator
name: istio-operator
labels:
kubernetes.io/minikube-addons: istio
addonmanager.kubernetes.io/mode: EnsureExists
...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: istio-operator
labels:
kubernetes.io/minikube-addons: istio
addonmanager.kubernetes.io/mode: EnsureExists
rules:
# istio groups
- apiGroups:
- authentication.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- config.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- install.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- networking.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- security.istio.io
resources:
- '*'
verbs:
- '*'
# k8s groups
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions.apiextensions.k8s.io
- customresourcedefinitions
verbs:
- '*'
- apiGroups:
- apps
- extensions
resources:
- daemonsets
- deployments
- deployments/finalizers
- replicasets
verbs:
- '*'
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- update
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
- roles
- rolebindings
verbs:
- '*'
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- create
- update
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- events
- namespaces
- pods
- pods/proxy
- pods/portforward
- persistentvolumeclaims
- secrets
- services
- serviceaccounts
verbs:
- '*'
...
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: istio-operator
labels:
kubernetes.io/minikube-addons: istio
addonmanager.kubernetes.io/mode: EnsureExists
subjects:
- kind: ServiceAccount
name: istio-operator
namespace: istio-operator
roleRef:
kind: ClusterRole
name: istio-operator
apiGroup: rbac.authorization.k8s.io
...
---
apiVersion: v1
kind: Service
metadata:
namespace: istio-operator
labels:
name: istio-operator
kubernetes.io/minikube-addons: istio
addonmanager.kubernetes.io/mode: EnsureExists
name: istio-operator-metrics
spec:
ports:
- name: http-metrics
port: 8383
targetPort: 8383
protocol: TCP
selector:
name: istio-operator
...
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: istio-operator
name: istio-operator
labels:
kubernetes.io/minikube-addons: istio
addonmanager.kubernetes.io/mode: Reconcile
spec:
replicas: 1
selector:
matchLabels:
name: istio-operator
template:
metadata:
labels:
name: istio-operator
kubernetes.io/minikube-addons: istio
addonmanager.kubernetes.io/mode: EnsureExists
spec:
serviceAccountName: istio-operator
containers:
- name: istio-operator
image: {{.CustomRegistries.IstioOperator | default .ImageRepository | default .Registries.IstioOperator }}{{.Images.IstioOperator}}
command:
- operator
- server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsUser: 1337
runAsNonRoot: true
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 50m
memory: 128Mi
env:
- name: WATCH_NAMESPACE
value: "istio-system"
- name: LEADER_ELECTION_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: "istio-operator"
- name: WAIT_FOR_RESOURCES_TIMEOUT
value: "300s"
...