forked from samisalkosuo/k8s-dynamic-hostpath-provisioner
deployment.yaml
#
# Create required Kubernetes stuff.
#
# Original file provided by Torchbox Ltd.
#
# Modified to use PodSecurityPolicy
---
# Identity the provisioner pod runs as. The Deployment in this file references
# it through serviceAccountName, and both ClusterRoleBindings name it as their
# subject, so every permission granted below attaches to this account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dynamic-hostpath-provisioner
  namespace: kube-system
---
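# Binds the provisioner's ServiceAccount to the built-in
# system:persistent-volume-provisioner ClusterRole. A ClusterRoleBinding is
# cluster-wide, so the grant is not limited to kube-system.
# rbac.authorization.k8s.io/v1 is used to match the other RBAC objects in this
# file; the v1beta1 RBAC API is deprecated and is not served by Kubernetes 1.22
# and later.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dynamic-hostpath-provisioner
subjects:
  - kind: ServiceAccount
    name: dynamic-hostpath-provisioner
    namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Quoted because the name contains a colon.
  name: 'system:persistent-volume-provisioner'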
---
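# Security policy that admits the privileged provisioner pod.
# Any pod admitted under this policy may run privileged, which is close to
# root on the node, so "use" on it should stay limited to the provisioner's
# ServiceAccount (see the resourceNames-pinned rule in the ClusterRole).
# NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25. On newer
# clusters this object cannot be created; Pod Security admission or a policy
# engine has to provide the equivalent control.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: dynamic-hostpath-provisioner-pod-security-policy
spec:
  # Needed because the Deployment sets securityContext.privileged: true.
  privileged: true
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Least privilege: the Deployment declares a single hostPath volume, and the
  # ServiceAccount token is mounted as a secret (or projected) volume, so the
  # former wildcard is narrowed to these types.
  # NOTE(review): extend the list if your cluster injects other volume types
  # into the pod (for example through a mutating webhook).
  volumes:
    - hostPath
    - secret
    - projected
  # Restrict hostPath mounts to the provisioner directory. Keep this prefix in
  # sync with the hostPath in the Deployment and with storageclass.yaml.
  allowedHostPaths:
    - pathPrefix: /dynfs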
---
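# Extra cluster-wide permissions for the provisioner, granted in addition to
# the built-in system:persistent-volume-provisioner role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dynamic-hostpath-provisioner-extra
rules:
  # Create and delete the PersistentVolumes that back claims.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # Read-only view of claims.
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  # Read-only view of storage classes.
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  # Emit events.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
  # NOTE(review): presumably used for leader election; confirm against the
  # provisioner, because write access to every Endpoints object in the cluster
  # is a broad grant.
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  # Permission to use the privileged PodSecurityPolicy, pinned to that single
  # policy by resourceNames. The policy is declared under policy/v1beta1, so
  # the "policy" group is listed; "extensions" is kept for older clusters that
  # authorize PodSecurityPolicy use in that group.
  - apiGroups: ["policy", "extensions"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["dynamic-hostpath-provisioner-pod-security-policy"]
    verbs: ["use"]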
---
# Attaches the dynamic-hostpath-provisioner-extra ClusterRole to the
# provisioner's ServiceAccount. This binding is what lets the account use the
# privileged PodSecurityPolicy named in that role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dynamic-hostpath-provisioner-extra
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dynamic-hostpath-provisioner-extra
subjects:
  - kind: ServiceAccount
    name: dynamic-hostpath-provisioner
    namespace: kube-system
---
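# Runs a single replica of the provisioner in kube-system.
# apps/v1 replaces extensions/v1beta1, which stopped serving Deployments in
# Kubernetes 1.16. apps/v1 requires spec.selector, which is set below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dynamic-hostpath-provisioner
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dynamic-hostpath-provisioner
  # Recreate stops the old pod before starting the new one, so two
  # provisioner pods never run at the same time during a rollout.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: dynamic-hostpath-provisioner
    spec:
      serviceAccountName: dynamic-hostpath-provisioner
      containers:
        - name: dynamic-hostpath-provisioner
          # NOTE(review): the tag is mutable, so the image behind it can
          # change. Pinning by digest (image@sha256:<digest>) fixes exactly
          # what runs in this privileged pod.
          image: kazhar/k8s-dynamic-hostpath-provisioner:0.1
          securityContext:
            # NOTE(review): a privileged container has near-root access to
            # the node. Confirm the provisioner needs it; if ownership or
            # SELinux labels on the host directory are the reason, a narrower
            # securityContext may be enough.
            privileged: true
          volumeMounts:
            - name: volumes
              # change to your own directory
              # change directory also in storageclass.yaml
              mountPath: /dynfs
          resources:
            limits:
              cpu: 100m
              memory: 64Mi
            requests:
              cpu: 100m
              memory: 64Mi
      volumes:
        - name: volumes
          hostPath:
            # change to your own directory
            # change directory also in storageclass.yaml
            path: /dynfs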