# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Kubernetes identity for the controller that manages one namespace.
# ${NAMESPACE?} and ${PROJECT_ID?} are template placeholders; presumably they
# are substituted before this manifest is applied (confirm with the installer).
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
    # GKE Workload Identity mapping: pods running as this ServiceAccount
    # request credentials for the named Google service account. The mapping
    # only takes effect if that Google service account grants
    # roles/iam.workloadIdentityUser to this exact namespace/name pair, so
    # keep that IAM binding scoped to this ServiceAccount and keep the Google
    # service account's own roles limited to what this namespace needs.
    iam.gke.io/gcp-service-account: cnrm-system-${NAMESPACE?}@${PROJECT_ID?}.iam.gserviceaccount.com
  labels:
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-controller-manager-${NAMESPACE?}
  # The identity lives in the shared cnrm-system namespace, not in the
  # namespace it manages.
  namespace: cnrm-system
---
# Grants the per-namespace controller the cnrm-admin ClusterRole inside the
# managed namespace. Because this is a RoleBinding, the ClusterRole's rules
# apply only within metadata.namespace, not cluster-wide.
# NOTE(review): the rules of cnrm-admin are defined outside this file; audit
# them before installing, since this binding hands all of them to the subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  labels:
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-admin-binding-${NAMESPACE?}
  namespace: ${NAMESPACE?}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-admin
subjects:
# Cross-namespace subject: the ServiceAccount lives in cnrm-system while the
# permissions apply in ${NAMESPACE?}.
- kind: ServiceAccount
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
---
# Grants the per-namespace controller the cnrm-manager-ns-role ClusterRole
# inside the managed namespace only (RoleBinding scope).
# A RoleBinding with the same name exists in cnrm-system further down in this
# file; the two are distinct objects because their namespaces differ.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  labels:
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-ns-binding-${NAMESPACE?}
  namespace: ${NAMESPACE?}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Rules for this role are not part of this file; review them separately.
  name: cnrm-manager-ns-role
subjects:
- kind: ServiceAccount
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
---
# Grants the same cnrm-manager-ns-role ClusterRole to the per-namespace
# controller, this time inside the shared cnrm-system namespace.
# NOTE(review): every per-namespace controller rendered from this template
# receives these permissions in cnrm-system, so anything the role can read or
# write there is reachable by each tenant's controller identity. Check the
# role's rules (defined outside this file) with that shared scope in mind.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  labels:
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-ns-binding-${NAMESPACE?}
  namespace: cnrm-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-manager-ns-role
subjects:
- kind: ServiceAccount
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
---
# Cluster-wide grant: binds cnrm-manager-cluster-role to the per-namespace
# controller's ServiceAccount. Unlike the RoleBindings in this file, a
# ClusterRoleBinding is not limited to one namespace, so the scoped-namespace
# label below is descriptive only and does not restrict the permissions.
# NOTE(review): this is the widest grant in the manifest. Confirm that
# cnrm-manager-cluster-role (defined outside this file) contains only the
# cluster-scoped access the controller needs, and alert on changes to it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  labels:
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-cluster-binding-${NAMESPACE?}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-manager-cluster-role
subjects:
- kind: ServiceAccount
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
---
# Service in front of the per-namespace controller pods; it is also the
# serviceName referenced by the StatefulSet in this file.
apiVersion: v1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
    # Prometheus scrape hints, quoted because annotation values must be
    # strings.
    prometheus.io/port: "8888"
    prometheus.io/scrape: "true"
  labels:
    cnrm.cloud.google.com/monitored: "true"
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-${NAMESPACE?}
  namespace: cnrm-system
spec:
  ports:
  # No targetPort is set, so each port forwards to the same port number on
  # the pod.
  - name: controller-manager
    port: 443
  # NOTE(review): the metrics port is reachable by anything that can reach
  # this Service. If metrics are considered sensitive, restrict access to the
  # monitoring stack with a NetworkPolicy.
  - name: metrics
    port: 8888
  selector:
    # The scoped-namespace label keeps this Service from selecting another
    # namespace's controller pods, which share the component label.
    cnrm.cloud.google.com/component: cnrm-controller-manager
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
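---
# Runs the controller manager for one namespace. The pod authenticates to the
# Kubernetes API as the ServiceAccount named in serviceAccountName, so its
# effective permissions are the sum of every binding that names that account.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  labels:
    cnrm.cloud.google.com/component: cnrm-controller-manager
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
spec:
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-controller-manager
      cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
      cnrm.cloud.google.com/system: "true"
  serviceName: cnrm-manager-${NAMESPACE?}
  template:
    metadata:
      annotations:
        cnrm.cloud.google.com/version: 1.106.0
      labels:
        cnrm.cloud.google.com/component: cnrm-controller-manager
        cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
        cnrm.cloud.google.com/system: "true"
    spec:
      containers:
      - args:
        # Limits the manager to the one namespace this template is rendered
        # for.
        - --scoped-namespace=${NAMESPACE?}
        - --prometheus-scrape-endpoint=:8888
        command:
        - /configconnector/manager
        # NOTE(review): the image is referenced by a tag, and with
        # imagePullPolicy: Always the tag is resolved again on every pod
        # start, so the running code can change without a manifest change.
        # Prefer pinning by digest, for example
        # gcr.io/cnrm-eap/controller@sha256:<DIGEST_PLACEHOLDER>.
        image: gcr.io/cnrm-eap/controller:2b4f8d7
        imagePullPolicy: Always
        name: manager
        ports:
        - containerPort: 23232
        readinessProbe:
          httpGet:
            path: /ready
            port: 23232
          initialDelaySeconds: 7
          periodSeconds: 3
        resources:
          # Only memory is capped; no CPU limit is set.
          limits:
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 512Mi
        securityContext:
          allowPrivilegeEscalation: false
          # Defence in depth: the process already runs as a non-root UID with
          # privilege escalation disabled, so it should need no Linux
          # capabilities; drop them explicitly.
          capabilities:
            drop:
            - ALL
          privileged: false
          runAsNonRoot: true
          runAsUser: 1000
          # NOTE(review): readOnlyRootFilesystem and a RuntimeDefault seccomp
          # profile are not set; enable them after confirming the manager
          # does not write to its root filesystem.
      # Keeps Service host/port environment variables for other Services in
      # the namespace out of the container.
      enableServiceLinks: false
      serviceAccountName: cnrm-controller-manager-${NAMESPACE?}
      terminationGracePeriodSeconds: 10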