add manifests for cis 3.0 (F5Networks#3158)
* add manifests for cis 3.0 * add security context, volume mounts to the sample deployment manifest * update deploy config, no verify ssl and trusted certs cfg map args values * remove trusted certs cfgmap arg
1 parent
aad08ea
commit 93660f7
Showing
2 changed files
with
108 additions
and
0 deletions.
@@ -0,0 +1,71 @@ | ||
# for reference only | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: k8s-bigip-ctlr-deployment | ||
namespace: kube-system | ||
spec: | ||
# DO NOT INCREASE REPLICA COUNT | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: k8s-bigip-ctlr-deployment | ||
template: | ||
metadata: | ||
labels: | ||
app: k8s-bigip-ctlr-deployment | ||
spec: | ||
# Name of the Service Account bound to a Cluster Role with the required | ||
# permissions | ||
securityContext: | ||
runAsUser: 1000 | ||
runAsGroup: 1000 | ||
fsGroup: 1000 | ||
volumes: | ||
- name: cm-creds | ||
secret: | ||
secretName: f5-bigip-ctlr-login | ||
containers: | ||
- name: k8s-bigip-ctlr | ||
image: "f5networks/k8s-bigip-ctlr:latest" | ||
livenessProbe: | ||
failureThreshold: 3 | ||
httpGet: | ||
path: /health | ||
port: 8080 | ||
scheme: HTTP | ||
initialDelaySeconds: 15 | ||
periodSeconds: 15 | ||
successThreshold: 1 | ||
timeoutSeconds: 15 | ||
readinessProbe: | ||
failureThreshold: 3 | ||
httpGet: | ||
path: /health | ||
port: 8080 | ||
scheme: HTTP | ||
initialDelaySeconds: 30 | ||
periodSeconds: 30 | ||
successThreshold: 1 | ||
timeoutSeconds: 15 | ||
volumeMounts: | ||
- name: cm-creds | ||
mountPath: "/tmp/creds" | ||
readOnly: true | ||
command: ["/app/bin/k8s-bigip-ctlr"] | ||
args: [ | ||
# See the k8s-bigip-ctlr documentation for information about | ||
# all config options | ||
# https://clouddocs.f5.com/containers/latest/ | ||
"--cm-url=<ip_address-or-hostname>", | ||
"--orchestration-cni=nodeport", | ||
"--deploy-config=kube-system/cis-config", | ||
"--manage-custom-resources=true", | ||
"--credentials-directory=/tmp/creds", | ||
"--kubeconfig=/tmp/kubeconfig", | ||
"--log-file=/tmp/k8s-bigip-ctlr.log", | ||
"--log-level=INFO", | ||
"--http-client-metrics=true", | ||
"--no-verify-ssl=true" | ||
] | ||
serviceAccountName: bigip-ctlr |
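Review bot: The sample ships with `"--no-verify-ssl=true"` while the same commit removes the trusted-certs ConfigMap argument, so the reference deployment has no verified TLS path to the Central Manager at all and anyone copying it inherits a client that accepts any certificate; the shipped value should be `"--no-verify-ssl=false"` with a comment such as `# set --no-verify-ssl=true only in lab setups; supply the CM certificate chain instead` (how trusted certs are supplied in 3.0 is not visible in this hunk). The pod `securityContext` picks a non-root uid but never asserts it — adding `runAsNonRoot: true`, a `seccompProfile`, and a container-level `securityContext` that drops capabilities and forbids privilege escalation turns the "security context" the commit message advertises into something the kubelet enforces. The comment "Name of the Service Account bound to a Cluster Role with the required permissions" now sits above `securityContext` while `serviceAccountName: bigip-ctlr` is the last line of the spec; move it next to that line. Minor: `image: "f5networks/k8s-bigip-ctlr:latest"` is a mutable tag, and a manifest labelled for 3.0 would be more reproducible with a pinned version.
```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  seccompProfile:
    type: RuntimeDefault
# … unchanged: volumes …
containers:
  - name: k8s-bigip-ctlr
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    # … unchanged: image, probes, volumeMounts, command, args …
```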
@@ -0,0 +1,37 @@ | ||
# for reference only | ||
# Should be changed as per your cluster requirements | ||
kind: ClusterRole | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: bigip-ctlr-clusterrole | ||
rules: | ||
- apiGroups: ["", "extensions"] | ||
resources: ["nodes", "services", "endpoints", "namespaces", "pods"] | ||
verbs: ["get", "list", "watch"] | ||
- apiGroups: ["", "extensions"] | ||
resources: ["events", "services/status"] | ||
verbs: ["get", "list", "watch", "update", "create", "patch"] | ||
- apiGroups: ["cis.f5.com"] | ||
resources: ["transportservers", "transportservers/status", "deployconfigs", "policies"] | ||
verbs: ["get", "list", "watch", "update", "patch"] | ||
--- | ||
kind: ClusterRoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: bigip-ctlr-clusterrole-binding | ||
namespace: kube-system | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: bigip-ctlr-clusterrole | ||
subjects: | ||
- apiGroup: "" | ||
kind: ServiceAccount | ||
name: bigip-ctlr | ||
namespace: kube-system | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: bigip-ctlr | ||
namespace: kube-system |
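Review bot: `namespace: kube-system` under the ClusterRoleBinding's metadata is meaningless on a cluster-scoped kind — the API server drops it — and it misleads readers into thinking the binding is confined to kube-system when it actually grants the ClusterRole across every namespace; remove that line. The first rule's `apiGroups: ["", "extensions"]` pairs the legacy `extensions` group with core resources (nodes, services, endpoints, namespaces, pods) that group does not serve, so `apiGroups: [""]` states the intent, and the second rule's `create`, `list` and `watch` on `services/status` look copied from the events rule rather than required. Since the header says the role "Should be changed as per your cluster requirements" and the Deployment in this commit reads a single `--deploy-config=kube-system/cis-config`, that comment would be more useful if it said which rules the controller needs cluster-wide (node and pod discovery) versus which could be narrowed to namespaced Roles, and whether `update`/`patch` is needed on `policies` and `deployconfigs` or only on `transportservers/status`. Minor: the file separates its three documents with `---` but does not start with one; a leading `---` is conventional for multi-document files.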