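---
# RBAC + Deployment for the NetScaler/Citrix CPX ingress proxy with the
# ingress controller (CIC) running as a sidecar in the same pod.
#
# Fixes against the collapsed original:
#   - the crd.projectcalico.org/ipamblocks rule was listed twice; RBAC rules
#     are a union, so the duplicate is dropped with no change in permissions
#   - pod-template `annotations:` was a bare key (parses as null); written as
#     an explicit empty mapping instead
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: citrix
rules:
  # Cluster-wide read on core resources. Note that this includes `secrets`
  # in every namespace (needed for TLS material referenced by ingresses);
  # scope to a Role/RoleBinding per namespace if the controller only serves
  # a subset of namespaces.
  # NOTE(review): "ingresses", "routes", "tokenreviews" and
  # "subjectaccessreviews" are not core ("") API group resources, so this
  # entry grants nothing for them. Ingresses/routes are covered by the
  # extensions, networking.k8s.io and route.openshift.io rules below;
  # TokenReview/SubjectAccessReview live in authentication.k8s.io /
  # authorization.k8s.io and need `create` — confirm whether the controller
  # actually uses them before adding that.
  - apiGroups: [""]
    resources:
      - "endpoints"
      - "ingresses"
      - "pods"
      - "secrets"
      - "routes"
      - "tokenreviews"
      - "subjectaccessreviews"
      - "nodes"
      - "namespaces"
      - "configmaps"
      - "services"
    verbs: ["get", "list", "watch"]
  # services/status is needed to update the loadbalancer IP in service status for integrating
  # service of type LoadBalancer with external-dns
  - apiGroups: [""]
    resources: ["services/status"]
    verbs: ["patch"]
  # `create` on services is cluster-wide; the controller can create Services
  # in any namespace with this. Events are for status reporting.
  - apiGroups: [""]
    resources: ["services", "events"]
    verbs: ["create"]
  - apiGroups: ["extensions"]
    resources: ["ingresses", "ingresses/status"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingresses/status", "ingressclasses"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  # Controller-owned CRDs: full lifecycle on the policy objects themselves.
  - apiGroups: ["citrix.com"]
    resources:
      - "rewritepolicies"
      - "authpolicies"
      - "ratelimits"
      - "listeners"
      - "httproutes"
      - "continuousdeployments"
      - "apigatewaypolicies"
      - "wafs"
      - "bots"
    verbs: ["get", "list", "watch", "create", "delete", "patch"]
  - apiGroups: ["citrix.com"]
    resources:
      - "rewritepolicies/status"
      - "continuousdeployments/status"
      - "authpolicies/status"
      - "ratelimits/status"
      - "listeners/status"
      - "httproutes/status"
      - "wafs/status"
      - "apigatewaypolicies/status"
      - "bots/status"
    verbs: ["get", "list", "patch"]
  - apiGroups: ["citrix.com"]
    resources: ["vips"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # CNI / platform-specific read access used for node-network discovery.
  - apiGroups: ["crd.projectcalico.org"]
    resources: ["ipamblocks"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["route.openshift.io"]
    resources: ["routes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["config.openshift.io"]
    resources: ["networks"]
    verbs: ["get", "list"]
  - apiGroups: ["network.openshift.io"]
    resources: ["hostsubnets"]
    verbs: ["get", "list", "watch"]
---
# Binds the cluster-wide role above to the `citrix` ServiceAccount in the
# `default` namespace; the namespace here must match the ServiceAccount and
# the Deployment below or the pod runs with no permissions.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: citrix
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: citrix
subjects:
  - kind: ServiceAccount
    name: citrix
    namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: citrix
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cpx-cic
  labels:
    name: cpx-cic
    app: cpx-cic
spec:
  selector:
    matchLabels:
      app: cpx-cic
  replicas: 1
  template:
    metadata:
      name: cpx-cic
      labels:
        app: cpx-cic
      # Explicit empty mapping; a bare `annotations:` parses as null.
      annotations: {}
    spec:
      serviceAccountName: citrix
      containers:
        # CPX proxy. Runs privileged, which grants the container full access
        # to the node (all capabilities, host devices, no seccomp/AppArmor
        # confinement). NOTE(review): check the image's documented
        # requirements and, if a narrower `capabilities.add` list suffices,
        # prefer that over `privileged: true`.
        - name: cpx
          image: "quay.io/citrix/citrix-k8s-cpx-ingress:14.1-17.38"
          tty: true
          securityContext:
            privileged: true
          env:
            # Quoted so the value stays the string "yes" (unquoted `yes` is
            # a YAML 1.1 boolean).
            - name: "EULA"
              value: "yes"
            - name: "KUBERNETES_TASK_ID"
              value: ""
          volumeMounts:
            - mountPath: /var/deviceinfo
              name: shared-data
            - mountPath: /cpx/
              name: cpx-volume
            - mountPath: /cpx/conf
              name: cpx-volume-conf
          imagePullPolicy: IfNotPresent
        # Add cic as a sidecar
        - name: cic
          image: "quay.io/netscaler/netscaler-k8s-ingress-controller:2.1.4"
          volumeMounts:
            - mountPath: /var/deviceinfo
              name: shared-data
          env:
            - name: "EULA"
              value: "yes"
            # Sidecar mode: the controller configures the CPX container over
            # the pod's loopback interface, so plain HTTP here never leaves
            # the pod's network namespace.
            - name: "NS_IP"
              value: "127.0.0.1"
            - name: "NS_PROTOCOL"
              value: "HTTP"
            - name: "NS_PORT"
              value: "80"
            - name: "NS_DEPLOYMENT_MODE"
              value: "SIDECAR"
            - name: "NS_ENABLE_MONITORING"
              value: "YES"
            - name: "LOGLEVEL"
              value: "INFO"
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          args:
            # Passed as ONE argv entry (flag and value separated by a space).
            # $(POD_NAMESPACE) is expanded by the kubelet from the env var
            # above. NOTE(review): if the controller expects the flag and its
            # value as separate arguments, split this into two list items.
            - --default-ssl-certificate $(POD_NAMESPACE)/default-cert
          imagePullPolicy: Always
      # emptyDir volumes are pod-lifetime scratch space shared between the
      # two containers (device info handoff, CPX state and config).
      volumes:
        - name: shared-data
          emptyDir: {}
        - name: cpx-volume
          emptyDir: {}
        - name: cpx-volume-conf
          emptyDir: {}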