v2/config/manager/manager.yaml (85 lines of code) (raw):

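# Namespace, ServiceAccount and Deployment for the azure-service-operator
# controller manager.
# NOTE(review): `namespace: system` and `image: controller:latest` look like
# placeholders that an overlay rewrites before deployment - confirm against
# the overlay that consumes this file.
---
apiVersion: v1
kind: Namespace
metadata:
  name: system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # NOTE(review): if this name is not rewritten by an overlay, the operator
  # runs as the namespace's `default` ServiceAccount, so any RBAC bound to it
  # is shared with every pod in the namespace that does not name its own
  # ServiceAccount. Verify that the rendered manifest uses a dedicated name.
  name: default
  namespace: system
  labels:
    app.kubernetes.io/name: azure-service-operator
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
  labels:
    control-plane: controller-manager
    app.kubernetes.io/name: azure-service-operator
    # Quoted so the substituted value is always read as a string, even when
    # it is empty or looks like a number.
    app.kubernetes.io/version: "${VERSION}"
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
  replicas: 2
  strategy:
    # Recreate stops the old pods before the new ones start.
    type: Recreate
  revisionHistoryLimit: 10
  template:
    metadata:
      labels:
        control-plane: controller-manager
        app.kubernetes.io/name: azure-service-operator
        app.kubernetes.io/version: "${VERSION}"
      annotations:
        kubectl.kubernetes.io/default-container: manager
    spec:
      serviceAccountName: default
      containers:
        - args:
            # Metrics listen on every interface of the pod.
            # NOTE(review): presumably --secure-metrics=true is what protects
            # this endpoint - confirm what it enforces before exposing 8443
            # through a Service, and restrict access with a NetworkPolicy.
            - --metrics-addr=0.0.0.0:8443
            - --secure-metrics=true
            # Profiling metrics stay off in this base manifest.
            - --profiling-metrics=false
            - --health-addr=:8081
            - --enable-leader-election
            - --v=2
            # Left empty here.
            # NOTE(review): presumably set at install time - confirm.
            - --crd-pattern=
          ports:
            - containerPort: 8081
              name: health-port
              protocol: TCP
            - containerPort: 8443
              name: metrics-port
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 60
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 60
          # NOTE(review): mutable `latest` tag on an unqualified image name.
          # Verify that the released manifest pins a registry, a version and
          # ideally a digest.
          image: controller:latest
          name: manager
          resources:
            limits:
              cpu: 500m
              # Make sure to change the GOMEMLIMIT env variable if you change
              # this too
              memory: 512Mi
            requests:
              cpu: 200m
              memory: 256Mi
          securityContext:
            # nonroot user from gcr.io/distroless/static:nonroot image
            runAsUser: 65532
            # nonroot group from gcr.io/distroless/static:nonroot image
            runAsGroup: 65532
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            # Added in review: apply the container runtime's default seccomp
            # filter. Without this field the container runs unconfined on
            # clusters that do not enable seccomp by default.
            seccompProfile:
              type: RuntimeDefault
      terminationGracePeriodSeconds: 10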