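---
# MetalLB v0.3.1 manifest: namespace, RBAC, service accounts, the controller
# Deployment and the speaker DaemonSet. Restored to one resource per document
# (the source was collapsed onto a few lines and did not parse as YAML).
## Namespace
apiVersion: v1
kind: Namespace
metadata:
  name: metallb-system
---
## RBAC roles
# Controller: cluster-wide read of Services, plus update of Services and their
# status. The status update is presumably how allocated LoadBalancer IPs are
# written back — confirm against the controller's behaviour.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metallb-system:controller
rules:
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["services/status"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
---
# Speaker: read-only view of Services and Endpoints across the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metallb-system:speaker
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get", "list", "watch"]
---
# Leader election: get/update is narrowed by resourceNames to the single
# "metallb-speaker" Endpoints object. "create" cannot be narrowed by
# resourceNames, so the second rule allows creating any Endpoints object in
# this namespace; it exists so the lock object can be created the first time.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: metallb-system
  name: leader-election
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    resourceNames: ["metallb-speaker"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create"]
---
# Config watcher: read access to every ConfigMap in this namespace (not
# narrowed by resourceNames).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: metallb-system
  name: config-watcher
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Allow creating events in the metallb-system namespace
  # so that watchers can post config errors.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
---
## Service accounts
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: metallb-system
  name: controller
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: metallb-system
  name: speaker
---
## Role bindings
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:controller
subjects:
  - kind: ServiceAccount
    namespace: metallb-system
    name: controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:speaker
subjects:
  - kind: ServiceAccount
    namespace: metallb-system
    name: speaker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:speaker
---
# ServiceAccount subjects of a RoleBinding default to the binding's own
# namespace when none is given; it is spelled out here so the bindings read
# the same way as the ClusterRoleBindings above.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: metallb-system
  name: config-watcher
subjects:
  - kind: ServiceAccount
    namespace: metallb-system
    name: controller
  - kind: ServiceAccount
    namespace: metallb-system
    name: speaker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: config-watcher
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: metallb-system
  name: leader-election
subjects:
  - kind: ServiceAccount
    namespace: metallb-system
    name: speaker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-election
---
## Controller deployment
# apps/v1beta2 was removed in Kubernetes 1.16 and no longer applies; apps/v1
# carries the same Deployment schema (spec.selector is required and is set).
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: metallb-system
  name: controller
  labels:
    app: controller
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "7472"
spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: controller
  template:
    metadata:
      labels:
        app: controller
    spec:
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0
      # Pod-level: every container must run as a non-root user, fixed to uid 65534.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534  # nobody
      containers:
        - name: controller
          image: metallb/controller:v0.3.1
          args:
            - --port=7472
          ports:
            - name: monitoring
              containerPort: 7472
          resources:
            limits:
              cpu: "0.1"
              memory: "100Mi"
          # Container-level hardening: no setuid/file-capability escalation,
          # all capabilities dropped, root filesystem mounted read-only.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            readOnlyRootFilesystem: true
---
# Speaker DaemonSet
# Same apps/v1beta2 -> apps/v1 change as the Deployment above.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  namespace: metallb-system
  name: speaker
  labels:
    app: speaker
spec:
  selector:
    matchLabels:
      app: speaker
  template:
    metadata:
      labels:
        app: speaker
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "7472"
    spec:
      serviceAccountName: speaker
      terminationGracePeriodSeconds: 0
      # The speaker shares the node's network namespace, so the monitoring
      # port below (7472) is bound on the node itself, not on a pod IP.
      hostNetwork: true
      # NOTE(review): unlike the controller, no runAsNonRoot/runAsUser is set
      # here, so the speaker runs as whatever user the image defaults to.
      containers:
        - name: speaker
          image: metallb/speaker:v0.3.1
          args:
            - --port=7472
          env:
            - name: METALLB_NODE_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: METALLB_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - name: monitoring
              containerPort: 7472
          resources:
            limits:
              cpu: "0.1"
              memory: "100Mi"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - all
              # net_raw is the only capability added back — presumably for the
              # raw sockets used to announce addresses on the host network;
              # confirm it is still the minimal set the speaker needs.
              add:
                - net_raw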