# MetalLB v0.7.3 install manifest: namespace, service accounts, RBAC, the
# per-node speaker DaemonSet and the controller Deployment.
#
# Values such as metallb_container_port and metallb_run_as_user_port are
# template placeholders; they presumably are substituted by the deploy
# tooling before `kubectl apply` (confirm — unsubstituted, containerPort
# and runAsUser would not parse as integers on the API server).
---
apiVersion: v1
kind: Namespace
metadata:
  name: metallb-system
  labels:
    app: metallb

# One identity per component so RBAC can be scoped per workload.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: metallb-system
  name: controller
  labels:
    app: metallb

---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: metallb-system
  name: speaker
  labels:
    app: metallb

# Controller: read Services cluster-wide, write back allocated IPs
# (services + services/status) and emit Events. No secrets, no pods.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metallb-system:controller
  labels:
    app: metallb
rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - ""
    resources:
      - services/status
    verbs:
      - update
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch

# Speaker: read-only view of Services, Endpoints and Nodes cluster-wide.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metallb-system:speaker
  labels:
    app: metallb
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - nodes
    verbs:
      - get
      - list
      - watch

# Namespaced Role: ConfigMap read access is limited to metallb-system,
# so neither component can read ConfigMaps in other namespaces.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: metallb-system
  name: config-watcher
  labels:
    app: metallb
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create

# Role bindings
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:controller
  labels:
    app: metallb
subjects:
  - kind: ServiceAccount
    name: controller
    namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:controller

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metallb-system:speaker
  labels:
    app: metallb
subjects:
  - kind: ServiceAccount
    name: speaker
    namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:speaker

# Both components share the namespaced config-watcher Role. The subjects
# carry no namespace field, so they resolve to the binding's namespace.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: metallb-system
  name: config-watcher
  labels:
    app: metallb
subjects:
  - kind: ServiceAccount
    name: controller
  - kind: ServiceAccount
    name: speaker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: config-watcher

# Speaker: runs on every node with hostNetwork and NET_RAW (needed for
# its raw-socket L2 ARP/NDP announcements — confirm against the MetalLB
# docs for the mode in use). Because of hostNetwork, the monitoring port
# below is bound directly on each node's host interfaces, so it should be
# covered by node-level firewalling / NetworkPolicy as appropriate.
# Everything else is locked down: no privilege escalation, read-only
# root filesystem, all other capabilities dropped.
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  namespace: metallb-system
  name: speaker
  labels:
    app: metallb
    component: speaker
spec:
  selector:
    matchLabels:
      app: metallb
      component: speaker
  template:
    metadata:
      labels:
        app: metallb
        component: speaker
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "metallb_container_port"
    spec:
      serviceAccountName: speaker
      terminationGracePeriodSeconds: 0
      hostNetwork: true
      containers:
        - name: speaker
          image: metallb/speaker:v0.7.3
          imagePullPolicy: IfNotPresent
          args:
            - --port=metallb_container_port
            - --config=config
          env:
            # Node identity via the downward API; no extra RBAC needed.
            - name: METALLB_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - name: monitoring
              containerPort: metallb_container_port
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - all
              add:
                - net_raw

# Controller: single Deployment, runs as a non-root UID with every
# capability dropped and a read-only root filesystem. It does not need
# host networking.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: metallb-system
  name: controller
  labels:
    app: metallb
    component: controller
spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: metallb
      component: controller
  template:
    metadata:
      labels:
        app: metallb
        component: controller
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "metallb_container_port"
    spec:
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0
      securityContext:
        runAsNonRoot: true
        runAsUser: metallb_run_as_user_port  # nobody
      containers:
        - name: controller
          image: metallb/controller:v0.7.3
          imagePullPolicy: IfNotPresent
          args:
            - --port=metallb_container_port
            - --config=config
          ports:
            - name: monitoring
              containerPort: metallb_container_port
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            readOnlyRootFilesystem: true
---