diff --git a/Makefile b/Makefile index 5c11eae..937c81b 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ YAML_PATH=build/installer.yaml # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. ENVTEST_K8S_VERSION = 1.29.0 # This should be same as the antrea version in go.mod file since it is using that version in the library. -ANTREA_VERSION=v1.15.0 +ANTREA_VERSION=v1.15.2 ignore-not-found=true # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) @@ -129,6 +129,15 @@ build-installer: manifests generate kustomize ## Generate a consolidated YAML wi cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} $(KUSTOMIZE) build config/default >> dist/install.yaml +## +# Build YAML file that can be used for deployment +dist: manifests kustomize + mkdir -p dist/yaml + cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} + $(KUSTOMIZE) build config/crd > dist/yaml/crd.yaml + $(KUSTOMIZE) build config/rbac > dist/yaml/rbac.yaml + $(KUSTOMIZE) build config/default > dist/yaml/default.yaml + ##@ Deployment ifndef ignore-not-found diff --git a/dist/yaml/crd.yaml b/dist/yaml/crd.yaml new file mode 100644 index 0000000..8f07207 --- /dev/null +++ b/dist/yaml/crd.yaml 
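Review bot: The `dist` recipe builds `config/rbac` and `config/crd` directly instead of through `config/default`, so the files it writes are inconsistent with `dist/yaml/default.yaml`. In this commit `rbac.yaml` has unprefixed names (`manager-role`, `proxy-role`, `controller-manager`) and a `leader-election-role` Role and RoleBinding with no namespace, while `default.yaml` has `edgenet-manager-role` and `namespace: edgenet-system`. Applied on its own, `rbac.yaml` would create ClusterRoles under generic names and put the Role in whatever namespace the client defaults to; I would either drop the per-directory builds or render them through an overlay that applies the same prefix and namespace as `config/default`. Both `crd.yaml` and `default.yaml` also contain the MaxMind `Secret` (values empty here), and since this output is tracked in git, a comment above the target such as `# dist/yaml is committed: never render it with real MaxMind credentials` would help. Since a `dist/` directory now exists in the tree, the target should also get `.PHONY: dist`, and its help text belongs on the rule line as in `build-installer`, e.g. `dist: manifests kustomize ## Build per-component YAML for deployment`.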
@@ -0,0 +1,184 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: subnamespaces.multitenancy.edge-net.io +spec: + group: multitenancy.edge-net.io + names: + kind: SubNamespace + listKind: SubNamespaceList + plural: subnamespaces + shortNames: + - sns + singular: subnamespace + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SubNamespace is the Schema for the subnamespaces API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SubNamespaceSpec defines the desired state of SubNamespace + properties: + foo: + description: Foo is an example field of SubNamespace. 
Edit subnamespace_types.go + to remove/update + type: string + type: object + status: + description: SubNamespaceStatus defines the observed state of SubNamespace + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: tenants.multitenancy.edge-net.io +spec: + group: multitenancy.edge-net.io + names: + kind: Tenant + listKind: TenantList + plural: tenants + shortNames: + - tenant + singular: tenant + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.fullName + name: Full Name + type: string + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .spec.admin + name: Admin + type: string + name: v1 + schema: + openAPIV3Schema: + description: Tenant is the Schema for the tenants API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TenantSpec defines the desired state of Tenant + properties: + admin: + description: |- + This is the admin username for the tenant. A role binding will be created for user with this username. + The username for some cases can also be emails. This was the old method. But with different identity + providers this can be any name. 
+ maxLength: 200 + pattern: ^[a-z0-9]([-.@_a-z0-9]*[a-z0-9])?$ + type: string + clusterNetworkPolicy: + default: false + description: Whether cluster-level network policies will be applied + to tenant namespaces for security purposes. + type: boolean + description: + description: Description provides additional information about the + tenant. + maxLength: 200 + type: string + fullName: + description: Full name of the tenant. + maxLength: 80 + type: string + initialRequest: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + This represents the initial resource allocation for the tenant. If not specified, the tenant resource + quota will not be created. + type: object + url: + description: Website of the tenant. + maxLength: 2000 + pattern: ^(https?://)?([\da-z\.-]+)\.([a-z\.]{2,6})([/\w \.-]*)*/?$ + type: string + required: + - admin + - fullName + - initialRequest + - url + type: object + status: + description: TenantStatus defines the observed state of Tenant + properties: + failed: + description: Failed sets the backoff limit. + type: integer + message: + description: Additional description can be located here. + type: string + state: + description: The state can be Established or Failed. + type: string + required: + - failed + - message + - state + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +data: + maxmind_accountid: "" + maxmind_token: "" +kind: Secret +metadata: + name: maxmind-secret + namespace: edgenet-system +type: Opaque diff --git a/dist/yaml/default.yaml b/dist/yaml/default.yaml new file mode 100644 index 0000000..e515588 --- /dev/null +++ b/dist/yaml/default.yaml 
@@ -0,0 +1,618 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: edgenet-system + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: namespace + app.kubernetes.io/part-of: edgenet + control-plane: controller-manager + name: edgenet-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: subnamespaces.multitenancy.edge-net.io +spec: + group: multitenancy.edge-net.io + names: + kind: SubNamespace + listKind: SubNamespaceList + plural: subnamespaces + shortNames: + - sns + singular: subnamespace + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SubNamespace is the Schema for the subnamespaces API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SubNamespaceSpec defines the desired state of SubNamespace + properties: + foo: + description: Foo is an example field of SubNamespace. 
Edit subnamespace_types.go + to remove/update + type: string + type: object + status: + description: SubNamespaceStatus defines the observed state of SubNamespace + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: tenants.multitenancy.edge-net.io +spec: + group: multitenancy.edge-net.io + names: + kind: Tenant + listKind: TenantList + plural: tenants + shortNames: + - tenant + singular: tenant + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.fullName + name: Full Name + type: string + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .spec.admin + name: Admin + type: string + name: v1 + schema: + openAPIV3Schema: + description: Tenant is the Schema for the tenants API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TenantSpec defines the desired state of Tenant + properties: + admin: + description: |- + This is the admin username for the tenant. A role binding will be created for user with this username. + The username for some cases can also be emails. This was the old method. But with different identity + providers this can be any name. 
+ maxLength: 200 + pattern: ^[a-z0-9]([-.@_a-z0-9]*[a-z0-9])?$ + type: string + clusterNetworkPolicy: + default: false + description: Whether cluster-level network policies will be applied + to tenant namespaces for security purposes. + type: boolean + description: + description: Description provides additional information about the + tenant. + maxLength: 200 + type: string + fullName: + description: Full name of the tenant. + maxLength: 80 + type: string + initialRequest: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + This represents the initial resource allocation for the tenant. If not specified, the tenant resource + quota will not be created. + type: object + url: + description: Website of the tenant. + maxLength: 2000 + pattern: ^(https?://)?([\da-z\.-]+)\.([a-z\.]{2,6})([/\w \.-]*)*/?$ + type: string + required: + - admin + - fullName + - initialRequest + - url + type: object + status: + description: TenantStatus defines the observed state of Tenant + properties: + failed: + description: Failed sets the backoff limit. + type: integer + message: + description: Additional description can be located here. + type: string + state: + description: The state can be Established or Failed. 
+ type: string + required: + - failed + - message + - state + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: controller-manager-sa + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/part-of: edgenet + name: edgenet-controller-manager + namespace: edgenet-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: role + app.kubernetes.io/part-of: edgenet + name: edgenet-leader-election-role + namespace: edgenet-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: tenant-admin-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: edgenet + edge-net.io/generated: "true" + name: edgenet-edgenet:tenant-admin +rules: +- apiGroups: + - multitenancy.edge-net.io + resources: + - tenants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: edgenet-manager-role +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - create + - 
delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - node + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multitenancy.edge-net.io + resources: + - subnamespaces + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multitenancy.edge-net.io + resources: + - subnamespaces/finalizers + verbs: + - update +- apiGroups: + - multitenancy.edge-net.io + resources: + - subnamespaces/status + verbs: + - get + - patch + - update +- apiGroups: + - multitenancy.edge-net.io + resources: + - tenants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multitenancy.edge-net.io + resources: + - tenants/finalizers + verbs: + - update +- apiGroups: + - multitenancy.edge-net.io + resources: + - tenants/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: metrics-reader + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: edgenet + name: edgenet-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: edgenet + 
app.kubernetes.io/instance: proxy-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: edgenet + name: edgenet-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: rolebinding + app.kubernetes.io/part-of: edgenet + name: edgenet-leader-election-rolebinding + namespace: edgenet-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: edgenet-leader-election-role +subjects: +- kind: ServiceAccount + name: edgenet-controller-manager + namespace: edgenet-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/part-of: edgenet + name: edgenet-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edgenet-manager-role +subjects: +- kind: ServiceAccount + name: edgenet-controller-manager + namespace: edgenet-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/part-of: edgenet + name: edgenet-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + 
kind: ClusterRole + name: edgenet-proxy-role +subjects: +- kind: ServiceAccount + name: edgenet-controller-manager + namespace: edgenet-system +--- +apiVersion: v1 +data: + maxmind_accountid: "" + maxmind_token: "" +kind: Secret +metadata: + name: edgenet-maxmind-secret + namespace: edgenet-system +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: controller-manager-metrics-service + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: service + app.kubernetes.io/part-of: edgenet + control-plane: controller-manager + name: edgenet-controller-manager-metrics-service + namespace: edgenet-system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: controller-manager + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: deployment + app.kubernetes.io/part-of: edgenet + control-plane: controller-manager + name: edgenet-controller-manager + namespace: edgenet-system +spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - args: + - 
--health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + image: edgenetio/edgenet-controller:main + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /var/run/secrets/edge-net.io/maxmind-secret + name: maxmind-credentials + readOnly: true + securityContext: + runAsNonRoot: true + serviceAccountName: edgenet-controller-manager + terminationGracePeriodSeconds: 10 + volumes: + - name: maxmind-credentials + secret: + secretName: edgenet-maxmind-secret diff --git a/dist/yaml/rbac.yaml b/dist/yaml/rbac.yaml new file mode 100644 index 0000000..4fb2614 --- /dev/null +++ b/dist/yaml/rbac.yaml 
@@ -0,0 +1,324 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: controller-manager-sa + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/part-of: edgenet + name: controller-manager + namespace: edgenet-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: role + app.kubernetes.io/part-of: edgenet + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: tenant-admin-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: edgenet + edge-net.io/generated: "true" + name: edgenet:tenant-admin +rules: +- apiGroups: + - multitenancy.edge-net.io + resources: + - tenants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - node + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - crd.antrea.io 
+ resources: + - clusternetworkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multitenancy.edge-net.io + resources: + - subnamespaces + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multitenancy.edge-net.io + resources: + - subnamespaces/finalizers + verbs: + - update +- apiGroups: + - multitenancy.edge-net.io + resources: + - subnamespaces/status + verbs: + - get + - patch + - update +- apiGroups: + - multitenancy.edge-net.io + resources: + - tenants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multitenancy.edge-net.io + resources: + - tenants/finalizers + verbs: + - update +- apiGroups: + - multitenancy.edge-net.io + resources: + - tenants/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: metrics-reader + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: edgenet + name: metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: proxy-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: edgenet + name: proxy-role +rules: +- apiGroups: + - authentication.k8s.io 
+ resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: rolebinding + app.kubernetes.io/part-of: edgenet + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: edgenet-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/part-of: edgenet + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: edgenet-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/part-of: edgenet + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: edgenet-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: edgenet + app.kubernetes.io/instance: 
controller-manager-metrics-service + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: service + app.kubernetes.io/part-of: edgenet + control-plane: controller-manager + name: controller-manager-metrics-service + namespace: edgenet-system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager