in operator/pkg/controllers/addons/kubeproxy.go [206:287]
// kubeProxyPodSpecFor builds the PodSpec for the kube-proxy workload of the
// given control plane. The container image is chosen from the control plane's
// Kubernetes version, and the kubeconfig is projected from the per-cluster
// secret named by KubeProxyConfigNameFor.
//
// Security posture worth knowing when reviewing this spec:
//   - The container is Privileged and shares the host network, which kube-proxy
//     needs to program the node's iptables/conntrack. Privileged implies every
//     capability and host device access, so the ReadOnly flags on the host
//     mounts below guard against accidents, not against a compromised process.
//   - The kubeconfig secret is projected with file mode 0400 into a read-only
//     mount. No RunAsUser is set, so nothing in this spec drops root.
//   - The toleration has no key, so the pod tolerates every taint; together with
//     system-node-critical priority it lands (and stays) on every node.
//   - NOTE(review): on a HostNetwork pod, DNSClusterFirst is expected to resolve
//     through the node's resolver rather than cluster DNS (ClusterFirstWithHostNet
//     would be required for that). That is the right choice for kube-proxy,
//     since cluster DNS itself depends on kube-proxy — keep it as is.
//   - Only a CPU request is set; there are no limits on the container.
func kubeProxyPodSpecFor(controlPlane *v1alpha1.ControlPlane) v1.PodSpec {
	const (
		varLogVolume     = "varlog"
		xtablesVolume    = "xtables-lock"
		modulesVolume    = "lib-modules"
		kubeconfigVolume = "kubeproxy-kubeconfig"
	)

	// Only the iptables lock file may be created on demand; the other host
	// paths carry no hostPath type and are therefore mounted without a check.
	xtablesLockType := v1.HostPathFileOrCreate

	mounts := []v1.VolumeMount{
		{Name: varLogVolume, MountPath: "/var/log"},
		{Name: xtablesVolume, MountPath: "/run/xtables.lock"},
		{Name: modulesVolume, MountPath: "/lib/modules", ReadOnly: true},
		{Name: kubeconfigVolume, MountPath: "/var/lib/kube-proxy", ReadOnly: true},
	}

	volumes := []v1.Volume{
		{
			Name: varLogVolume,
			VolumeSource: v1.VolumeSource{
				HostPath: &v1.HostPathVolumeSource{Path: "/var/log"},
			},
		},
		{
			Name: xtablesVolume,
			VolumeSource: v1.VolumeSource{
				HostPath: &v1.HostPathVolumeSource{Path: "/run/xtables.lock", Type: &xtablesLockType},
			},
		},
		{
			Name: modulesVolume,
			VolumeSource: v1.VolumeSource{
				HostPath: &v1.HostPathVolumeSource{Path: "/lib/modules"},
			},
		},
		{
			Name: kubeconfigVolume,
			VolumeSource: v1.VolumeSource{
				Secret: &v1.SecretVolumeSource{
					SecretName:  KubeProxyConfigNameFor(controlPlane.ClusterName()),
					DefaultMode: aws.Int32(0400),
					// Only the "config" key is projected, under the file name
					// that the --kubeconfig flag below points at.
					Items: []v1.KeyToPath{{Key: "config", Path: "kubeconfig"}},
				},
			},
		},
	}

	kubeProxy := v1.Container{
		Name:  "kubeproxy",
		Image: imageprovider.KubeProxy(controlPlane.Spec.KubernetesVersion),
		Resources: v1.ResourceRequirements{
			Requests: map[v1.ResourceName]resource.Quantity{
				v1.ResourceCPU: resource.MustParse("1"),
			},
		},
		// Required for iptables/conntrack programming on the node; see the
		// header comment for what this implies for the mounts below.
		SecurityContext: &v1.SecurityContext{Privileged: ptr.Bool(true)},
		Command:         []string{"kube-proxy"},
		Args: []string{
			"--kubeconfig=/var/lib/kube-proxy/kubeconfig",
			"--iptables-min-sync-period=0s",
			"--oom-score-adj=-998",
		},
		VolumeMounts: mounts,
	}

	return v1.PodSpec{
		TerminationGracePeriodSeconds: aws.Int64(1),
		ServiceAccountName:            "kube-proxy",
		HostNetwork:                   true,
		DNSPolicy:                     v1.DNSClusterFirst,
		PriorityClassName:             "system-node-critical",
		// Keyless Exists toleration: matches every taint on every node.
		Tolerations: []v1.Toleration{{Operator: v1.TolerationOpExists}},
		Containers:  []v1.Container{kubeProxy},
		Volumes:     volumes,
	}
}