manifest.example.yaml
---
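# Dedicated namespace holding the controller's ServiceAccount, its
# leader-election Role/RoleBinding and its Deployment.
apiVersion: v1
kind: Namespace
metadata:
  name: node-taint-controller
  labels:
    # Pod Security Admission in its non-blocking modes: pods that fall short
    # of the "restricted" profile produce a client warning and an audit
    # annotation but are still admitted. Move to `enforce` once the workload
    # passes without warnings.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted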
---
# Identity the controller pods run as (referenced by `serviceAccountName` in
# the Deployment). Everything this account may do comes from the RoleBinding
# and ClusterRoleBinding in this manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: node-taint-controller
  name: node-taint-controller
---
# Cluster-wide permissions for the controller: read and patch Nodes, and
# create/patch core-group Events.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-taint-controller
rules:
  # Nodes are cluster-scoped, so this rule applies to every node. `patch`
  # covers taints but equally labels and annotations; RBAC cannot narrow it
  # to taints only, so the ServiceAccount token bound to this role should be
  # treated as sensitive.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
      - patch
  # Events in the core API group. Bound through a ClusterRoleBinding, this
  # applies in all namespaces.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Namespaced access to Lease objects; going by the Role's name, these back
# leader election between the controller replicas.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: node-taint-controller-leader-election
  namespace: node-taint-controller
rules:
  # NOTE(review): this rule covers every Lease in the namespace. The
  # get/update/patch/delete verbs can be limited with `resourceNames` once
  # the controller's lease name is known (it is not shown in this manifest);
  # `create` cannot be limited by name.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
# Grants the leader-election Role to the controller's ServiceAccount, within
# the node-taint-controller namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: node-taint-controller
  name: node-taint-controller-leader-election
subjects:
  - kind: ServiceAccount
    namespace: node-taint-controller
    name: node-taint-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: node-taint-controller-leader-election
---
# Grants the node-taint-controller ClusterRole to the controller's
# ServiceAccount. A ClusterRoleBinding is cluster-wide, so the node and event
# permissions in that role apply to all nodes and all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-taint-controller
subjects:
  - kind: ServiceAccount
    namespace: node-taint-controller
    name: node-taint-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-taint-controller
---
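# Runs the controller as three replicas, one per control-plane node, under
# the node-taint-controller ServiceAccount.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-taint-controller
  namespace: node-taint-controller
  labels:
    app: node-taint-controller
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # Presumably no surge because the required pod anti-affinity below
      # allows only one replica per node; pods are replaced one at a time.
      maxSurge: 0
      maxUnavailable: 1
  selector:
    matchLabels:
      app: node-taint-controller
  template:
    metadata:
      labels:
        app: node-taint-controller
    spec:
      serviceAccountName: node-taint-controller
      containers:
        - name: controller
          # `latest` is a mutable tag: the code that runs can change without
          # this manifest changing. For anything beyond a trial, pin a release
          # tag or, better, an immutable digest
          # (ghcr.io/dcelasun/node-taint-controller@sha256:<digest>).
          image: ghcr.io/dcelasun/node-taint-controller:latest
          args:
            - --not-ready-threshold=10m
            - --reconcile-interval=30s
          # `env` is a list of name/value entries, so the empty form is `[]`
          # (a `{}` mapping does not match the field's type).
          env: []
          # Optional: enable notifications via shoutrrr.
          # See https://containrrr.dev/shoutrrr/services/overview/ for
          # supported services. Replace `env: []` above with:
          # env:
          #   - name: SHOUTRRR_URLS
          #     value: "slack://token@channel,telegram://token@chat"
          # The URLs embed service tokens, so prefer reading them from a
          # Secret over committing them in this manifest:
          # env:
          #   - name: SHOUTRRR_URLS
          #     valueFrom:
          #       secretKeyRef:
          #         name: <secret-name>  # placeholder
          #         key: <secret-key>    # placeholder
          ports:
            - name: metrics
              containerPort: 8080
            - name: health
              containerPort: 8081
          livenessProbe:
            httpGet:
              path: /healthz
              port: health
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /readyz
              port: health
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            requests:
              cpu: 10m
              memory: 64Mi
            limits:
              cpu: 100m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            # Apply the container runtime's default seccomp filter; together
            # with the settings above this matches what the Pod Security
            # "restricted" profile asks of a container.
            seccompProfile:
              type: RuntimeDefault
      tolerations:
        # Required to schedule on control plane nodes (they have NoSchedule
        # taints). Both the current and the legacy `master` key are tolerated.
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
      affinity:
        nodeAffinity:
          # Only nodes carrying the control-plane role label are eligible.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/control-plane
                    operator: Exists
        podAntiAffinity:
          # At most one replica per node (hostname topology).
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: node-taint-controller
              topologyKey: kubernetes.io/hostname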