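# ServiceAccount that the ip-masq-agent pods run as; it is referenced by
# serviceAccountName in the DaemonSet below. No Role or ClusterRole binding
# is defined in this manifest.
# NOTE(review): the agent's config arrives through the mounted ConfigMap
# volume. If the agent makes no API-server calls, consider setting
# automountServiceAccountToken: false so that no token is exposed in a
# host-network pod. Confirm against the agent's behaviour first.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ip-masq-agent
  namespace: kube-system
  labels:
    k8s-app: ip-masq-agent
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
# DaemonSet that runs one ip-masq-agent pod on every Linux node carrying the
# node.kubernetes.io/masq-agent-ds-ready: "true" label.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ip-masq-agent
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: ip-masq-agent
  template:
    metadata:
      labels:
        k8s-app: ip-masq-agent
    spec:
      priorityClassName: system-node-critical
      serviceAccountName: ip-masq-agent
      # The pod shares the node's network namespace, so whatever the
      # container may do to networking applies to the node itself. Keep the
      # container's privileges as narrow as possible (see securityContext).
      hostNetwork: true
      containers:
        - name: ip-masq-agent
          # The image is pinned by tag only. Pinning by digest as well
          # (image@sha256:<digest>) prevents a re-pushed tag from changing
          # what runs on the nodes.
          image: registry.k8s.io/networking/ip-masq-agent-amd64:v2.6.0
          args:
            - --masq-chain=IP-MASQ
            - --nomasq-all-reserved-ranges
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
          securityContext:
            # Least privilege: grant the two network capabilities needed to
            # program iptables rules instead of a fully privileged
            # container. A privileged container on the host network has
            # access to host devices and every capability, so a compromised
            # agent image would amount to a node compromise.
            # Validate on a test node before rolling out fleet-wide.
            privileged: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
          volumeMounts:
            - name: config
              mountPath: /etc/config
      nodeSelector:
        kubernetes.io/os: linux
        node.kubernetes.io/masq-agent-ds-ready: "true"
      volumes:
        - name: config
          configMap:
            # Note this ConfigMap must be created in the same namespace as
            # the daemon pods - this spec uses kube-system
            name: ip-masq-agent
            # optional: true lets the pod start even when the ConfigMap
            # does not exist.
            optional: true
            items:
              # The daemon looks for its config in a YAML file at
              # /etc/config/ip-masq-agent
              - key: config
                path: ip-masq-agent
      # The first two tolerations have no key and use operator Exists, so
      # they match every NoSchedule and NoExecute taint. The pod is then
      # neither kept off nor evicted from tainted nodes.
      tolerations:
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
        - key: "CriticalAddonsOnly"
          operator: "Exists"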