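---
# kube-router addon (Ansible/Jinja-templated manifest).
# Documents, in order: kubeconfig ConfigMap, DaemonSet, ServiceAccount,
# ClusterRole, ClusterRoleBinding.
#
# Changes from the previous revision:
#   - rbac.authorization.k8s.io/v1beta1 -> /v1: v1beta1 was removed in
#     Kubernetes 1.22; v1 has been available since 1.8, which is older than
#     the apps/v1 DaemonSet API this file already requires.
#   - Dropped the meaningless `namespace` on the (cluster-scoped) ClusterRole.
#   - Jinja-templated plain scalars are quoted so an unexpected expansion
#     cannot change the YAML type or structure.
#   - Added a toleration for the node-role.kubernetes.io/control-plane taint
#     (the replacement for the `master` taint), so the DaemonSet keeps
#     running on control-plane nodes on newer clusters.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-router-kubeconfig
  namespace: kube-system
  labels:
    tier: node
    k8s-app: kube-router
data:
  # Kubeconfig consumed by the DaemonSet via --kubeconfig (mounted read-only).
  # It authenticates with the pod's projected service-account token and
  # trusts the in-cluster CA; the API server is reached through a loopback
  # endpoint, so a local API load balancer / proxy must be listening on
  # kubernetes_api_lb_port on every node (default 6443).
  # Literal block scalar: Jinja expansion happens before YAML parsing, and the
  # body is passed through verbatim.
  kubeconfig.conf: |
    apiVersion: v1
    kind: Config
    clusters:
      - cluster:
          certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
          server: https://127.0.0.1:{{ kubernetes_api_lb_port | default('6443') }}
        name: default
    contexts:
      - context:
          cluster: default
          namespace: default
          user: default
        name: default
    current-context: default
    users:
      - name: default
        user:
          tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: kube-router
    tier: node
  name: kube-router
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: kube-router
      tier: node
  template:
    metadata:
      labels:
        k8s-app: kube-router
        tier: node
      annotations:
        # Metrics scrape hints; all-digit port is quoted so it stays a string.
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
    spec:
      # Node-critical: must survive eviction pressure like kube-proxy would.
      priorityClassName: system-node-critical
      serviceAccountName: kube-router
      serviceAccount: kube-router
      containers:
        - name: kube-router
          # Tag-pinned to the configured plugin version. NOTE(review): with
          # imagePullPolicy Always a mutable tag is re-resolved on every pod
          # start; pinning by digest would make the pull reproducible.
          image: "docker.io/cloudnativelabs/kube-router:v{{ kubernetes_network_plugin_version }}"
          imagePullPolicy: Always
          args:
            # BGP routing is disabled; only the network-policy firewall and
            # (optionally) the IPVS service proxy run on each node.
            - --run-router=false
            - --run-firewall=true
            # Boolean rendered as the literal "true"/"false" the flag expects.
            - "--run-service-proxy={{ kubernetes_network_plugin_replaces_kube_proxy | string | lower }}"
            - --kubeconfig=/var/lib/kube-router/kubeconfig
            - --hairpin-mode
            - --iptables-sync-period=10s
            - --ipvs-sync-period=10s
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          livenessProbe:
            httpGet:
              path: /healthz
              port: 20244
            initialDelaySeconds: 10
            periodSeconds: 3
          resources:
            requests:
              cpu: 250m
              memory: 250Mi
          # Privileged + hostNetwork are required to program the host's
          # iptables/IPVS tables (see the firewall/proxy flags and the
          # xtables lock mount below); treat this pod as host-equivalent and
          # keep its RBAC read-only.
          securityContext:
            privileged: true
          volumeMounts:
            - name: lib-modules
              mountPath: /lib/modules
              readOnly: true
            - name: kubeconfig
              mountPath: /var/lib/kube-router
              readOnly: true
            # Writable: the lock file is shared with every other iptables
            # user on the host (kubelet, kube-proxy, ...).
            - name: xtables-lock
              mountPath: /run/xtables.lock
              readOnly: false
      hostNetwork: true
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        # Both the legacy `master` taint and its `control-plane` successor
        # are tolerated so the DaemonSet covers control-plane nodes on
        # clusters of either generation.
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Exists
        # Must start on nodes that are NotReady, since networking readiness
        # may depend on this pod.
        - effect: NoSchedule
          key: node.kubernetes.io/not-ready
          operator: Exists
      volumes:
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: kubeconfig
          configMap:
            name: kube-router-kubeconfig
            items:
              - key: kubeconfig.conf
                path: kubeconfig
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-router
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-router
# Read-only access (list/get/watch) to the objects kube-router watches.
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
      - services
      - nodes
      - endpoints
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - "networking.k8s.io"
    resources:
      - networkpolicies
    verbs:
      - list
      - get
      - watch
  # Legacy location of NetworkPolicy (pre-1.16 clusters); harmless where the
  # group no longer serves the resource.
  - apiGroups:
      - extensions
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-router
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-router
subjects:
  - kind: ServiceAccount
    name: kube-router
    namespace: kube-system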