# Identity for the NMI node agent (the DaemonSet later in this file). It is
# bound cluster-wide to aad-pod-id-nmi-role by aad-pod-id-nmi-binding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aad-pod-id-nmi-service-account
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    # Reconcile: the addon manager overwrites out-of-band edits to this object.
    addonmanager.kubernetes.io/mode: Reconcile
---
# AzureAssignedIdentity CRD. Presumably written by MIC (its ClusterRole grants
# "*" on this resource) and only read by NMI (get/list/watch) — confirm.
# NOTE(review): spec.version with no schema is the apiextensions v1beta1 shape;
# apiextensions.k8s.io/v1 requires spec.versions[] with a schema, so check what
# GetCRDAPIVersion renders on the target cluster version.
apiVersion: {{GetCRDAPIVersion}}
kind: CustomResourceDefinition
metadata:
  name: azureassignedidentities.aadpodidentity.k8s.io
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  group: aadpodidentity.k8s.io
  version: v1
  names:
    kind: AzureAssignedIdentity
    # singular is omitted; the API server defaults it to the lowercased kind.
    plural: azureassignedidentities
  scope: Namespaced
---
# AzureIdentityBinding CRD: read by NMI, read and updated by MIC (see the two
# ClusterRoles below).
# NOTE(review): spec.version with no schema is the apiextensions v1beta1 shape;
# apiextensions.k8s.io/v1 requires spec.versions[] with a schema — confirm what
# GetCRDAPIVersion renders.
apiVersion: {{GetCRDAPIVersion}}
kind: CustomResourceDefinition
metadata:
  name: azureidentitybindings.aadpodidentity.k8s.io
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  group: aadpodidentity.k8s.io
  version: v1
  names:
    kind: AzureIdentityBinding
    # singular is omitted; the API server defaults it to the lowercased kind.
    plural: azureidentitybindings
  scope: Namespaced
---
# AzureIdentity CRD: read by NMI, read and updated by MIC (see the two
# ClusterRoles below). These objects describe the cloud identities that pods
# may be mapped to, so write access to them is security-relevant.
# NOTE(review): spec.version with no schema is the apiextensions v1beta1 shape;
# apiextensions.k8s.io/v1 requires spec.versions[] with a schema — confirm what
# GetCRDAPIVersion renders.
apiVersion: {{GetCRDAPIVersion}}
kind: CustomResourceDefinition
metadata:
  name: azureidentities.aadpodidentity.k8s.io
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  group: aadpodidentity.k8s.io
  version: v1
  names:
    kind: AzureIdentity
    singular: azureidentity
    plural: azureidentities
  scope: Namespaced
---
# AzurePodIdentityException CRD: read by NMI, listed and updated by MIC. The
# name suggests these exempt matching pods from the identity flow — confirm;
# if so, the ability to create them is effectively a bypass and should stay
# restricted to cluster administrators.
# NOTE(review): spec.version with no schema is the apiextensions v1beta1 shape;
# apiextensions.k8s.io/v1 requires spec.versions[] with a schema — confirm what
# GetCRDAPIVersion renders.
apiVersion: {{GetCRDAPIVersion}}
kind: CustomResourceDefinition
metadata:
  name: azurepodidentityexceptions.aadpodidentity.k8s.io
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  group: aadpodidentity.k8s.io
  version: v1
  names:
    kind: AzurePodIdentityException
    singular: azurepodidentityexception
    plural: azurepodidentityexceptions
  scope: Namespaced
---
# Permissions for the NMI node agent. Every rule is read-only (get/list/watch);
# the widest grant is "get" on secrets in every namespace, noted below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aad-pod-id-nmi-role
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list"]
  # Pods are read cluster-wide; presumably NMI resolves a calling pod to its
  # identity from pod metadata — confirm.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): "get" on all secrets cluster-wide is the broadest grant in
  # this role; presumably it reads client secrets referenced from AzureIdentity
  # objects. It cannot be narrowed with resourceNames without knowing the
  # secret names in advance — confirm the use, and whether a namespace-scoped
  # Role would be enough.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azureassignedidentities"]
    verbs: ["get", "list", "watch"]
---
# Grants aad-pod-id-nmi-role, cluster-wide, to the NMI ServiceAccount in
# kube-system. The apiVersion is templated here while the ClusterRole above
# hard-codes rbac.authorization.k8s.io/v1 — worth aligning the two.
apiVersion: {{GetRBACAPIVersion}}
kind: ClusterRoleBinding
metadata:
  name: aad-pod-id-nmi-binding
  labels:
    k8s-app: aad-pod-id-nmi-binding
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  - kind: ServiceAccount
    name: aad-pod-id-nmi-service-account
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: aad-pod-id-nmi-role
  apiGroup: rbac.authorization.k8s.io
---
# NMI DaemonSet: one pod per Linux node, on the host network, with the rights
# to program host iptables (NET_ADMIN plus the xtables lock mount). This is the
# most privileged workload in the file; the notes below mark each privilege.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    component: nmi
    tier: node
    k8s-app: aad-pod-id
  name: nmi
  namespace: kube-system
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # Up to half the nodes may be without NMI during a rollout.
      maxUnavailable: 50%
  selector:
    matchLabels:
      component: nmi
      tier: node
  template:
    metadata:
      labels:
        component: nmi
        tier: node
# Annotation consumed by cluster-autoscaler; the template only emits it on
# Kubernetes 1.17 and later.
{{- if IsKubernetesVersionGe "1.17.0"}}
      annotations:
        cluster-autoscaler.kubernetes.io/daemonset-pod: "true"
{{- end}}
    spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: aad-pod-id-nmi-service-account
      # Host network: the pod shares the node's network namespace, so the
      # iptables rules it installs apply to the node itself.
      hostNetwork: true
      volumes:
        # Shared lock used by iptables tooling on the host; FileOrCreate makes
        # the mount succeed on nodes where the lock file does not exist yet.
        - hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
          name: iptableslock
      containers:
        - name: nmi
          image: {{ContainerImage "nmi"}}
          imagePullPolicy: IfNotPresent
          args:
            - "--host-ip=$(HOST_IP)"
            - "--node=$(NODE_NAME)"
            # Must match the livenessProbe port below; both read the same
            # "probePort" config value.
            - "--http-probe-port={{ContainerConfig "probePort"}}"
          env:
            # With hostNetwork this resolves to the node's own IP.
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          resources:
            requests:
              cpu: {{ContainerCPUReqs "nmi"}}
              memory: {{ContainerMemReqs "nmi"}}
            limits:
              cpu: {{ContainerCPULimits "nmi"}}
              memory: {{ContainerMemLimits "nmi"}}
          # NOTE(review): privileged already implies every capability, so the
          # explicit NET_ADMIN is redundant while privileged is set. If NMI only
          # needs to manage iptables, NET_ADMIN alone (privileged: false) is the
          # least-privilege shape — verify against a node before changing it.
          securityContext:
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
          volumeMounts:
            - mountPath: /run/xtables.lock
              name: iptableslock
          livenessProbe:
            httpGet:
              path: /healthz
              port: {{ContainerConfig "probePort"}}
            initialDelaySeconds: 10
            periodSeconds: 5
      nodeSelector:
        kubernetes.io/os: linux
      # Lets NMI land on nodes carrying the addon's taint (key from the
      # template, value "true"); other workloads stay off until NMI is there.
      tolerations:
        - key: {{GetAADPodIdentityTaintKey}}
          operator: Equal
          value: "true"
          effect: NoSchedule
---
# Identity for the MIC controller Deployment. Bound cluster-wide to
# aad-pod-id-mic-role by aad-pod-id-mic-binding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aad-pod-id-mic-service-account
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
# Permissions for the MIC controller. Two rules use the wildcard verb "*" and
# one lists "post", which is not an RBAC verb — see the notes on those rules.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aad-pod-id-mic-role
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  # NOTE(review): "*" here includes create/update/delete on every CRD in the
  # cluster. The aadpodidentity CRDs are declared in this file and reconciled
  # by the addon manager, so confirm whether MIC still needs more than
  # get/list on them.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods", "nodes"]
    verbs: [ "list", "watch" ]
  # Standard grant for a controller that records Kubernetes events.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # configmaps and endpoints get/create/update cluster-wide; presumably leader
  # election between the two MIC replicas — confirm. If only kube-system is
  # touched, a namespaced Role would be tighter.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create", "get","update"]
  # NOTE(review): "post" is not a Kubernetes RBAC verb (an HTTP POST is
  # authorized as "create"), so that entry grants nothing. Drop it, or replace
  # it with "create" only if MIC is confirmed to create these objects.
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azureidentitybindings", "azureidentities"]
    verbs: ["get", "list", "watch", "post", "update"]
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azurepodidentityexceptions"]
    verbs: ["list", "update"]
  # Full control of AzureAssignedIdentity objects; presumably MIC owns them
  # while the NMI role only reads them — confirm.
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azureassignedidentities"]
    verbs: ["*"]
---
# Grants aad-pod-id-mic-role, cluster-wide, to the MIC ServiceAccount in
# kube-system. As with the NMI binding, the apiVersion is templated here but
# hard-coded on the ClusterRole above.
apiVersion: {{GetRBACAPIVersion}}
kind: ClusterRoleBinding
metadata:
  name: aad-pod-id-mic-binding
  labels:
    k8s-app: aad-pod-id-mic-binding
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  - kind: ServiceAccount
    name: aad-pod-id-mic-service-account
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: aad-pod-id-mic-role
  apiGroup: rbac.authorization.k8s.io
---
# MIC controller Deployment. Two replicas, each mounting the node's
# cloud-provider config read-only. Unlike the NMI DaemonSet it sets no
# priorityClassName and no container securityContext (image defaults apply).
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    component: mic
    k8s-app: aad-pod-id
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
  name: mic
  namespace: kube-system
spec:
  # Two replicas; the configmaps/endpoints grants in aad-pod-id-mic-role
  # suggest leader election decides which one is active — confirm.
  replicas: 2
  selector:
    matchLabels:
      component: mic
  template:
    metadata:
      labels:
        component: mic
        # Not part of the selector above; informational only.
        app: mic
    spec:
      serviceAccountName: aad-pod-id-mic-service-account
      containers:
        - name: mic
          image: {{ContainerImage "mic"}}
          imagePullPolicy: IfNotPresent
          args:
            # Path of the read-only hostPath mount declared below.
            - "--cloudconfig=/etc/kubernetes/azure.json"
            - "--logtostderr"
          env:
            - name: MIC_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          resources:
            requests:
              cpu: {{ContainerCPUReqs "mic"}}
              memory: {{ContainerMemReqs "mic"}}
            limits:
              cpu: {{ContainerCPULimits "mic"}}
              memory: {{ContainerMemLimits "mic"}}
          volumeMounts:
            # azure.json is the node's cloud-provider config and presumably
            # carries cloud credentials; anyone who can exec into this pod can
            # read them, so keep access to the Deployment tightly scoped.
            - name: k8s-azure-file
              mountPath: /etc/kubernetes/azure.json
              readOnly: true
          livenessProbe:
            httpGet:
              path: /healthz
              # Hard-coded, whereas the NMI probe port is templated.
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 5
      volumes:
        # NOTE(review): no hostPath type is set, so nothing checks that the
        # path exists and is a file before mounting; `type: File` would make a
        # node without azure.json fail the pod explicitly instead.
        - name: k8s-azure-file
          hostPath:
            path: /etc/kubernetes/azure.json
      nodeSelector:
        kubernetes.io/os: linux