mirror of
https://github.com/kairos-io/osbuilder.git
Currently fails with:

```
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:hello-kairos" cannot list resource "pods" in API group "" at the cluster scope
```

because we try to list pods with `-A`. This means we will get a similar error if we try to copy files to a Pod in another namespace, unless we grant permission at the cluster scope or in just that namespace. (Is that possible? Maybe if we create the Role in the same namespace as the server.)

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
# Namespace that hosts the controller manager workload.
apiVersion: v1
kind: Namespace
metadata:
  # NOTE(review): "system" looks like a scaffold placeholder that an overlay
  # is expected to rename or prefix - confirm against the kustomization that
  # consumes this file.
  name: system
  labels:
    # Same label the Deployment in this file uses for its pods and selector.
    control-plane: controller-manager
    # NOTE(review): no pod-security.kubernetes.io/* labels are set here, so any
    # Pod Security Admission level for this namespace has to come from
    # cluster-wide defaults.
---
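# Deployment that runs the controller manager binary (/manager) as a single
# replica, with HTTP liveness/readiness probes on port 8081.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  labels:
    control-plane: controller-manager
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
  replicas: 1
  template:
    metadata:
      annotations:
        # Makes "manager" the container kubectl targets when none is named.
        kubectl.kubernetes.io/default-container: manager
      labels:
        # Must stay identical to spec.selector.matchLabels above.
        control-plane: controller-manager
    spec:
      securityContext:
        # The kubelet refuses to start a container whose effective user is root.
        runAsNonRoot: true
        # TODO(user): For common cases that do not require escalating
        # privileges it is recommended to keep all Pods/Containers restrictive.
        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
        # Uncomment the following block if the project does NOT have to work on
        # Kubernetes versions < 1.19 or on vendor versions which do NOT support
        # this field by default (i.e. Openshift < 4.11). Left commented here
        # because of that compatibility constraint; the "restricted" Pod
        # Security Standard requires it.
        # seccompProfile:
        #   type: RuntimeDefault
      containers:
        - name: manager
          # NOTE(review): "controller:latest" looks like a placeholder that the
          # build/overlay substitutes - confirm. Whatever replaces it should be
          # an immutable reference (version tag or digest) rather than a
          # floating tag, so the running image is reproducible and auditable.
          image: controller:latest
          command:
            - /manager
          args:
            - --leader-elect
          securityContext:
            allowPrivilegeEscalation: false
            # Drop every Linux capability. The process already runs as non-root
            # with privilege escalation disabled, so it should not hold any
            # effective capabilities; dropping ALL makes that explicit and is
            # required by the "restricted" Pod Security Standard.
            capabilities:
              drop:
                - "ALL"
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 15
            periodSeconds: 20
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 5
            periodSeconds: 10
          # TODO(user): Configure the resources accordingly based on the
          # project requirements.
          # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
          resources:
            limits:
              cpu: 500m
              memory: 128Mi
            requests:
              cpu: 10m
              memory: 64Mi
      # The pod authenticates to the API server as this ServiceAccount; its
      # Role/ClusterRole bindings are defined outside this file and bound what
      # the controller is allowed to do.
      serviceAccountName: controller-manager
      terminationGracePeriodSeconds: 10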