Bring in the YAML files from KMM

This commit is contained in:
M. Mert Yildiran 2023-08-11 22:00:23 +03:00
parent 67038e324b
commit 9eaded51a2
No known key found for this signature in database
GPG Key ID: DA5D6DCBB758A461
32 changed files with 3603 additions and 0 deletions


@ -0,0 +1,39 @@
# The following manifests contain a self-signed issuer CR and a certificate CR.
# More document can be found at https://docs.cert-manager.io
# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
labels:
app.kubernetes.io/name: issuer
app.kubernetes.io/instance: selfsigned-issuer
app.kubernetes.io/component: certificate
app.kubernetes.io/created-by: kernel-module-management
app.kubernetes.io/part-of: kernel-module-management
app.kubernetes.io/managed-by: kustomize
name: selfsigned-issuer
namespace: system
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
labels:
app.kubernetes.io/name: certificate
app.kubernetes.io/instance: serving-cert
app.kubernetes.io/component: certificate
app.kubernetes.io/created-by: kernel-module-management
app.kubernetes.io/part-of: kernel-module-management
app.kubernetes.io/managed-by: kustomize
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
namespace: system
spec:
# svc-name and svc-namespace will be substituted by kustomize
dnsNames:
- svc-name.svc-namespace.svc
- svc-name.svc-namespace.svc.cluster.local
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: webhook-server-cert
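Review bot: The serving Certificate leaves cert-manager's `privateKey.rotationPolicy` at its default, so the webhook's private key is reused on every renewal; adding `privateKey:` / `rotationPolicy: Always` under `spec` makes cert-manager generate a fresh key each time the default 90-day `duration` rolls over. `duration` and `renewBefore` are also defaulted, which is acceptable for a self-signed CA that is injected via `cert-manager.io/inject-ca-from`, but the header comment should say so rather than only warning about the cert-manager v1.0 target. The comment `More document can be found at` should read `More documentation can be found at`.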


@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- certificate.yaml
configurations:
- kustomizeconfig.yaml


@ -0,0 +1,22 @@
# This configuration is for teaching kustomize how to update name ref and var substitution
nameReference:
- kind: Issuer
group: cert-manager.io
fieldSpecs:
- kind: Certificate
group: cert-manager.io
path: spec/issuerRef/name
varReference:
- kind: Certificate
group: cert-manager.io
path: spec/commonName
- kind: Certificate
group: cert-manager.io
path: spec/dnsNames
namePrefix:
- kind: Certificate
group: cert-manager.io
name: serving-cert
path: spec/secretName



@ -0,0 +1,297 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
name: nodemodulesconfigs.kmm.sigs.x-k8s.io
spec:
group: kmm.sigs.x-k8s.io
names:
kind: NodeModulesConfig
listKind: NodeModulesConfigList
plural: nodemodulesconfigs
shortNames:
- nmc
singular: nodemodulesconfig
scope: Cluster
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: NodeModulesConfig keeps spec and state of the KMM modules on
a node.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: 'NodeModulesConfigSpec describes the desired state of modules
on the node More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
properties:
modules:
description: Modules list the spec of all the modules that need to
be executed on the node
items:
properties:
config:
properties:
containerImage:
type: string
inTreeModuleToRemove:
type: string
insecurePull:
description: When InsecurePull is true, the container image
can be pulled without TLS.
type: boolean
kernelVersion:
type: string
modprobe:
properties:
args:
description: 'Args is an optional list of arguments
to be passed to modprobe before the name of the kernel
module. The resulting commands will be: `modprobe
${Args} module_name`.'
properties:
load:
description: Load is an optional list of arguments
to be used when loading the kernel module.
items:
type: string
minItems: 1
type: array
unload:
description: Unload is an optional list of arguments
to be used when unloading the kernel module.
items:
type: string
minItems: 1
type: array
type: object
dirName:
default: /opt
description: DirName is the root directory for modules.
It adds `-d ${DirName}` to the modprobe command-line.
type: string
firmwarePath:
description: FirmwarePath is the path of the firmware(s).
The firmware(s) will be copied to the host for the
kernel to find them.
type: string
moduleName:
description: ModuleName is the name of the Module to
be loaded.
type: string
modulesLoadingOrder:
description: 'ModulesLoadingOrder defines the dependency
between kernel modules loading, in case it was not
created by depmod (independent kernel modules). The
list order should be: upmost module, then the module
it depends on and so on. Example: if moduleA depends
on first loading moduleB, and moduleB depends on first
loading moduleC the entry should look: ModulesLoadingOrder:
- moduleA - moduleB - moduleC In order to load all
3 modules, moduleA shoud be defined in the ModuleName
parameter of this struct'
items:
type: string
type: array
parameters:
description: 'Parameters is an optional list of kernel
module parameters to be provided to modprobe. They
should be in the form of key=value and will be separated
by spaces in the modprobe command. The resulting loading
command will be: `modprobe module_name ${Parameters}`.'
items:
type: string
type: array
rawArgs:
description: 'If RawArgs are specified, they are passed
straight to the modprobe binary; all other properties
in this object are ignored. The resulting commands
will be: `modprobe ${RawArgs}`.'
properties:
load:
description: Load is an optional list of arguments
to be used when loading the kernel module.
items:
type: string
minItems: 1
type: array
unload:
description: Unload is an optional list of arguments
to be used when unloading the kernel module.
items:
type: string
minItems: 1
type: array
type: object
required:
- moduleName
type: object
required:
- containerImage
- insecurePull
- kernelVersion
- modprobe
type: object
name:
type: string
namespace:
type: string
serviceAccountName:
type: string
required:
- config
- name
- namespace
- serviceAccountName
type: object
type: array
type: object
status:
description: 'NodeModuleConfigStatus is the most recently observed status
of the KMM modules on node. It is populated by the system and is read-only.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
properties:
modules:
description: Modules contain observations about each Module's node
state status
items:
properties:
config:
properties:
containerImage:
type: string
inTreeModuleToRemove:
type: string
insecurePull:
description: When InsecurePull is true, the container image
can be pulled without TLS.
type: boolean
kernelVersion:
type: string
modprobe:
properties:
args:
description: 'Args is an optional list of arguments
to be passed to modprobe before the name of the kernel
module. The resulting commands will be: `modprobe
${Args} module_name`.'
properties:
load:
description: Load is an optional list of arguments
to be used when loading the kernel module.
items:
type: string
minItems: 1
type: array
unload:
description: Unload is an optional list of arguments
to be used when unloading the kernel module.
items:
type: string
minItems: 1
type: array
type: object
dirName:
default: /opt
description: DirName is the root directory for modules.
It adds `-d ${DirName}` to the modprobe command-line.
type: string
firmwarePath:
description: FirmwarePath is the path of the firmware(s).
The firmware(s) will be copied to the host for the
kernel to find them.
type: string
moduleName:
description: ModuleName is the name of the Module to
be loaded.
type: string
modulesLoadingOrder:
description: 'ModulesLoadingOrder defines the dependency
between kernel modules loading, in case it was not
created by depmod (independent kernel modules). The
list order should be: upmost module, then the module
it depends on and so on. Example: if moduleA depends
on first loading moduleB, and moduleB depends on first
loading moduleC the entry should look: ModulesLoadingOrder:
- moduleA - moduleB - moduleC In order to load all
3 modules, moduleA shoud be defined in the ModuleName
parameter of this struct'
items:
type: string
type: array
parameters:
description: 'Parameters is an optional list of kernel
module parameters to be provided to modprobe. They
should be in the form of key=value and will be separated
by spaces in the modprobe command. The resulting loading
command will be: `modprobe module_name ${Parameters}`.'
items:
type: string
type: array
rawArgs:
description: 'If RawArgs are specified, they are passed
straight to the modprobe binary; all other properties
in this object are ignored. The resulting commands
will be: `modprobe ${RawArgs}`.'
properties:
load:
description: Load is an optional list of arguments
to be used when loading the kernel module.
items:
type: string
minItems: 1
type: array
unload:
description: Unload is an optional list of arguments
to be used when unloading the kernel module.
items:
type: string
minItems: 1
type: array
type: object
required:
- moduleName
type: object
required:
- containerImage
- insecurePull
- kernelVersion
- modprobe
type: object
inProgress:
type: boolean
lastTransitionTime:
format: date-time
type: string
name:
type: string
namespace:
type: string
serviceAccountName:
type: string
required:
- inProgress
- name
- namespace
- serviceAccountName
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
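Review bot: The NodeModulesConfig schema accepts `modprobe.rawArgs` ("passed straight to the modprobe binary"), `firmwarePath` (copied to the host) and `insecurePull` with no `pattern` or `x-kubernetes-validations` on any of them, and the ValidatingWebhookConfiguration added later in this commit covers only `modules`; whoever can write this cluster-scoped resource therefore decides what `modprobe` runs on a node. The RBAC in this commit gives only `manager-role` create/patch on `nodemodulesconfigs` and ships no editor/viewer roles for it, which is the right posture, but nothing states that the object is operator-owned. Since the file is controller-gen output (`controller-gen.kubebuilder.io/version`), the note belongs on the Go type, e.g. `// NodeModulesConfig is written by the operator and applied to the node verbatim; never grant users write access to it.` If the host-side firmware copy does not already canonicalize paths (not visible here), a `pattern` on `firmwarePath` and `dirName` that rejects relative components would be cheap defense in depth.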


@ -0,0 +1,103 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
name: preflightvalidations.kmm.sigs.x-k8s.io
spec:
group: kmm.sigs.x-k8s.io
names:
kind: PreflightValidation
listKind: PreflightValidationList
plural: preflightvalidations
shortNames:
- pfv
singular: preflightvalidation
scope: Cluster
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: PreflightValidation initiates a preflight validations for all
Modules on the current Kubernetes cluster.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: 'PreflightValidationSpec describes the desired state of the
resource, such as the kernel version that Module CRs need to be verified
against as well as the debug configuration of the logs More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
properties:
kernelVersion:
description: KernelVersion describes the kernel image that all Modules
need to be checked against.
type: string
pushBuiltImage:
description: Boolean flag that determines whether images build during
preflight must also be pushed to a defined repository
type: boolean
required:
- kernelVersion
type: object
status:
description: 'PreflightValidationStatus is the most recently observed
status of the PreflightValidation. It is populated by the system and
is read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
properties:
crStatuses:
additionalProperties:
properties:
lastTransitionTime:
description: LastTransitionTime is the last time the CR status
transitioned from one status to another. This should be when
the underlying status changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
statusReason:
description: StatusReason contains a string describing the status
source.
type: string
verificationStage:
description: 'Current stage of the verification process: image
(image existence verification), build(build process verification)'
enum:
- Image
- Build
- Sign
- Requeued
- Done
type: string
verificationStatus:
description: 'Status of Module CR verification: true (verified),
false (verification failed), error (error during verification
process), unknown (verification has not started yet)'
enum:
- "True"
- "False"
type: string
required:
- lastTransitionTime
- verificationStage
- verificationStatus
type: object
description: CRStatuses contain observations about each Module's preflight
upgradability validation
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
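Review bot: The `verificationStatus` description lists four values (true, false, error, unknown) while its enum admits only `"True"` and `"False"`, and the `verificationStage` description mentions only image and build although the enum also carries `Sign`, `Requeued` and `Done`. Whichever side is authoritative, the text shown by `kubectl explain` will mislead; since this file is controller-gen output, the fix is the doc comment on the Go status types, e.g. `// Status of Module CR verification: True (verified) or False (verification failed)` plus a stage list that names all five values.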


@ -0,0 +1,28 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/kmm.sigs.x-k8s.io_modules.yaml
- bases/kmm.sigs.x-k8s.io_nodemodulesconfigs.yaml
- bases/kmm.sigs.x-k8s.io_preflightvalidations.yaml
#+kubebuilder:scaffold:crdkustomizeresource
patches:
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
# patches here are for enabling the conversion webhook for each CRD
#- path: patches/webhook_in_modules.yaml
#- path: patches/webhook_in_managedclustermodules.yaml
#+kubebuilder:scaffold:crdkustomizewebhookpatch
# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
- path: patches/cainjection_in_modules.yaml
#- path: patches/cainjection_in_preflightvalidations.yaml
#+kubebuilder:scaffold:crdkustomizecainjectionpatch
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml
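Review bot: The commented entry `patches/webhook_in_managedclustermodules.yaml` refers to a file this commit does not add (the conversion patches added are `webhook_in_modules.yaml` and `webhook_in_preflightvalidations.yaml`), and the `[CERTMANAGER] ... uncomment` instruction sits above a `cainjection_in_modules.yaml` entry that is already active while the conversion patch for the same CRD stays commented out, so CA injection targets a CRD that has no `spec.conversion` section and appears to be a no-op. Either drop the stale reference and reword the comment to describe what is enabled, or also enable `patches/webhook_in_modules.yaml` if conversion is intended; the `spec/conversion/webhook/clientConfig/service/*` entries in kustomizeconfig.yaml only matter in the latter case.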


@ -0,0 +1,19 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
version: v1
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/name
namespace:
- kind: CustomResourceDefinition
version: v1
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations


@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
# `default` and `serving-cert` may be substituted by kustomize
cert-manager.io/inject-ca-from: default/serving-cert
name: modules.kmm.sigs.x-k8s.io


@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
# `default` and `serving-cert` may be substituted by kustomize
cert-manager.io/inject-ca-from: default/serving-cert
name: preflightvalidations.kmm.sigs.x-k8s.io


@ -0,0 +1,16 @@
# The following patch enables a conversion webhook for the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: modules.kmm.sigs.x-k8s.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: system
name: webhook-service
path: /convert
conversionReviewVersions:
- v1

View File

@ -0,0 +1,16 @@
# The following patch enables a conversion webhook for the CRD
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: preflightvalidations.kmm.sigs.x-k8s.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
namespace: system
name: webhook-service
path: /convert
conversionReviewVersions:
- v1


@ -0,0 +1,100 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Adds namespace to all resources.
namespace: kmm-operator-system
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: kmm-operator-
# Labels to add to all resources and selectors.
commonLabels:
app.kubernetes.io/name: kmm
app.kubernetes.io/component: kmm
app.kubernetes.io/part-of: kmm
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
resources:
- ../crd
- ../rbac
- ../manager
- ../webhook
- ../certificate
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
patches:
- path: manager_webhook_patch.yaml
- path: webhookcainjection_patch.yaml
replacements:
# The following patches adds a directive for certmanager to inject CA into the CRD
- source:
kind: Certificate
fieldPath: metadata.namespace
targets:
- select:
kind: CustomResourceDefinition
name: modules.kmm.sigs.x-k8s.io
fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: /
- select:
kind: ValidatingWebhookConfiguration
fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: /
- source:
kind: Certificate
fieldPath: metadata.name
targets:
- select:
kind: CustomResourceDefinition
name: modules.kmm.sigs.x-k8s.io
fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: /
index: 1
- select:
kind: ValidatingWebhookConfiguration
fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: /
index: 1
# Patch dnsNames in webhook Certificate
- source:
kind: Service
name: webhook-service
fieldPath: metadata.name
targets:
- select:
kind: Certificate
fieldPaths:
- spec.dnsNames.*
options:
delimiter: .
- source:
kind: Service
name: webhook-service
fieldPath: metadata.namespace
targets:
- select:
kind: Certificate
fieldPaths:
- spec.dnsNames.*
options:
delimiter: .
index: 1
configurations:
- kustomizeconfig.yaml
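Review bot: The scaffold comments `[WEBHOOK] To enable webhook, uncomment ...` and `[CERTMANAGER] To enable cert-manager, uncomment ...` are stale: `../webhook`, `../certificate`, `manager_webhook_patch.yaml` and `webhookcainjection_patch.yaml` are all already active in this file, so the instructions send a reader looking for sections that no longer need uncommenting. Replace them with a statement of the actual state, e.g. `# Webhook and cert-manager integration are enabled; ../prometheus is opt-in.` The `replacements` that rewrite `cert-manager.io/inject-ca-from` select the CRD by name but match every `ValidatingWebhookConfiguration`, which is fine with the single webhook configuration shipped here and deserves a one-line comment so a second one is not silently rewritten later.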


@ -0,0 +1,4 @@
namePrefix:
- kind: Deployment
name: controller-manager
path: spec/template/spec/volumes/secret/secretName


@ -0,0 +1,23 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert


@ -0,0 +1,15 @@
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/name: validatingwebhookconfiguration
app.kubernetes.io/instance: validating-webhook-configuration
app.kubernetes.io/component: webhook
app.kubernetes.io/created-by: kernel-module-management
app.kubernetes.io/part-of: kernel-module-management
app.kubernetes.io/managed-by: kustomize
name: validating-webhook-configuration
annotations:
# `default` and `serving-cert` may be substituted by kustomize
cert-manager.io/inject-ca-from: default/serving-cert


@ -0,0 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- manager.yaml
images:
- name: signer
newName: gcr.io/k8s-staging-kmm/kernel-module-management-signimage
newTag: latest
patches:
- path: manager_auth_proxy_patch.yaml
- path: manager_config_patch.yaml
configurations:
- kustomizeconfig.yaml


@ -0,0 +1,3 @@
images:
- path: spec/template/spec/containers/env/value
kind: Deployment


@ -0,0 +1,85 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
control-plane: controller-manager
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: Exists
securityContext:
runAsNonRoot: true
containers:
- command:
- /manager
image: controller:latest
name: manager
env:
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RELATED_IMAGES_BUILD
value: gcr.io/kaniko-project/executor:latest
- name: RELATED_IMAGES_SIGN
value: signer
imagePullPolicy: Always
securityContext:
allowPrivilegeEscalation: false
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
# TODO(user): Configure the resources accordingly based on the project requirements.
# More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
serviceAccountName: controller-manager
terminationGracePeriodSeconds: 10
tolerations:
- key: node-role.kubernetes.io/master
operator: Equal
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Equal
effect: NoSchedule
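Review bot: The manager container's `securityContext` sets only `allowPrivilegeEscalation: false`; there is no `capabilities.drop: [ALL]`, no `seccompProfile` and no `readOnlyRootFilesystem`, so the pod does not satisfy the Pod Security `restricted` profile even though it is pinned to control-plane nodes. Every image in this section also floats on `latest` with `imagePullPolicy: Always` — `controller:latest`, `gcr.io/kaniko-project/executor:latest` and `signer`, which the manager kustomization retags to `latest` — and for an operator whose job is building, signing and loading kernel modules an unpinned build-executor image is a real supply-chain exposure; `RELATED_IMAGES_BUILD` should point at a release tag, ideally with a digest. `runAsNonRoot: true` without `runAsUser` only admits if the image's USER is numeric, which is presumably true for the distroless base but worth confirming.

```yaml
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
          # readOnlyRootFilesystem: true  # enable after confirming the manager writes nothing outside its mounts
        # … unchanged: livenessProbe, readinessProbe, resources …
```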


@ -0,0 +1,29 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
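Review bot: The injected `kube-rbac-proxy` sidecar carries no `securityContext` of its own, so the `allowPrivilegeEscalation: false` that manager.yaml sets on the `manager` container does not apply to it; add `securityContext:` / `allowPrivilegeEscalation: false` (and whatever capability drop the manager ends up with) under this container. `gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0` is a 2021 release and later kubebuilder scaffolds ship newer ones; bumping it is a separate change but a `# TODO: bump kube-rbac-proxy` here would keep it from being forgotten. Listening on `0.0.0.0:8443` with the metrics upstream held on loopback is the scaffold default and acceptable.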


@ -0,0 +1,20 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
args:
- "--config=controller_manager_config.yaml"
volumeMounts:
- name: manager-config
mountPath: /controller_manager_config.yaml
subPath: controller_manager_config.yaml
volumes:
- name: manager-config
configMap:
name: manager-config


@ -0,0 +1,6 @@
healthProbeBindAddress: :8081
metricsBindAddress: 127.0.0.1:8080
webhookPort: 9443
leaderElection:
enabled: true
resourceID: kmm.sigs.x-k8s.io


@ -0,0 +1,24 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../manager-base
patches:
- path: manager_worker_image_patch.yaml
images:
- name: controller
newName: gcr.io/k8s-staging-kmm/kernel-module-management-operator
newTag: latest
- name: worker
newName: gcr.io/k8s-staging-kmm/kernel-module-management-worker
newTag: latest
configMapGenerator:
- files:
- controller_manager_config.yaml
name: manager-config
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,13 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
env:
- name: RELATED_IMAGES_WORKER
value: worker


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../rbac-base
- role.yaml


@ -0,0 +1,24 @@
# permissions for end users to edit modules.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: module-editor-role
rules:
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- modules
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- modules/status
verbs:
- get
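Review bot: The header comment `# permissions for end users to edit modules.` undersells what this ClusterRole grants: per the NodeModulesConfig CRD and `manager-role`'s create/patch on `nodemodulesconfigs` elsewhere in this commit, the operator turns Module objects into per-node modprobe instructions, so create/patch on `modules` is in effect the ability to load kernel modules onto cluster nodes. The Module CRD itself is in the suppressed file, so I cannot confirm which spec fields feed that path, but the comment should carry the warning, e.g. `# Editing Modules results in kernel modules being built and loaded on nodes; bind this role only to principals you would trust with node root.`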


@ -0,0 +1,20 @@
# permissions for end users to view modules.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: module-viewer-role
rules:
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- modules
verbs:
- get
- list
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- modules/status
verbs:
- get


@ -0,0 +1,126 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: manager-role
rules:
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- cluster.open-cluster-management.io
resources:
- clusterclaims
verbs:
- create
- get
- list
- watch
- apiGroups:
- cluster.open-cluster-management.io
resourceNames:
- kernel-versions.kmm.node.kubernetes.io
resources:
- clusterclaims
verbs:
- delete
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- modules
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- modules/status
verbs:
- get
- patch
- update
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- nodemodulesconfigs
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- nodemodulesconfigs/status
verbs:
- patch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- preflightvalidations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- kmm.sigs.x-k8s.io
resources:
- preflightvalidations/status
verbs:
- get
- patch
- update
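Review bot: `manager-role` is a ClusterRole with `get`, `list` and `watch` on `secrets` in every namespace, which lets the operator — and anyone holding its ServiceAccount token — enumerate all Secrets in the cluster. If the controller only needs the pull and signing secrets referenced from Module specs, `get` on those objects, or an informer cache limited to the namespaces Modules live in, would be the least-privilege shape; if cluster-wide `list`/`watch` really is required, the `+kubebuilder:rbac` marker that generates this rule should explain why, since this file is generated and a comment added here would be lost. `create` on `pods` together with `patch` on `nodes` gives the same ServiceAccount a node-level footprint and deserves the same justification on its marker.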


@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- service.yaml
- manifests.yaml
configurations:
- kustomizeconfig.yaml


@ -0,0 +1,18 @@
# the following config is for teaching kustomize where to look at when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly.
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
namespace:
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
varReference:
- path: metadata/annotations


@ -0,0 +1,26 @@
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: webhook-service
namespace: system
path: /validate-kmm-sigs-x-k8s-io-v1beta1-module
failurePolicy: Fail
name: vmodule.kb.io
rules:
- apiGroups:
- kmm.sigs.x-k8s.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- modules
sideEffects: None
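Review bot: `failurePolicy: Fail` is the right default for a webhook guarding kernel-module definitions, but this webhook is served by the controller-manager Deployment, which runs a single replica pinned to control-plane nodes, so every Module CREATE/UPDATE is rejected for as long as that pod is down and `timeoutSeconds` stays at the 10s default. That fail-closed trade-off is deliberate and should be stated where an operator will see it, e.g. `# Fail-closed: Module writes are rejected whenever the controller-manager webhook is unreachable.` The configuration validates only `modules`; `preflightvalidations` and `nodemodulesconfigs` rely on their OpenAPI schema alone, which is worth noting in the same comment so the gap is a known decision rather than an oversight.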


@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: service
app.kubernetes.io/instance: webhook-service
app.kubernetes.io/component: webhook
app.kubernetes.io/created-by: kernel-module-management
app.kubernetes.io/part-of: kernel-module-management
app.kubernetes.io/managed-by: kustomize
name: webhook-service
namespace: system
spec:
ports:
- port: 443
protocol: TCP
targetPort: 9443
selector:
control-plane: controller-manager