--- apiVersion: apps/v1 kind: DaemonSet metadata: name: cloud-controller-manager namespace: kube-system labels: component: cloud-controller-manager spec: selector: matchLabels: component: cloud-controller-manager updateStrategy: type: RollingUpdate template: metadata: labels: tier: control-plane component: cloud-controller-manager spec: nodeSelector: null affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node-role.kubernetes.io/control-plane operator: Exists - matchExpressions: - key: node-role.kubernetes.io/master operator: Exists tolerations: - key: node.cloudprovider.kubernetes.io/uninitialized value: "true" effect: NoSchedule - key: node.kubernetes.io/not-ready effect: NoSchedule - key: node-role.kubernetes.io/master effect: NoSchedule - key: node-role.kubernetes.io/control-plane effect: NoSchedule serviceAccountName: cloud-controller-manager containers: - name: cloud-controller-manager image: {{ .ExternalCloudControllerManager.Image }} imagePullPolicy: IfNotPresent command: ['/usr/local/bin/cloud-controller-manager'] args: {{- range $arg := CloudControllerConfigArgv }} - {{ $arg }} {{- end }} env: - name: KUBERNETES_SERVICE_HOST value: "127.0.0.1" livenessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 path: /healthz port: 10258 scheme: HTTPS initialDelaySeconds: 15 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 15 resources: requests: cpu: {{ or .ExternalCloudControllerManager.CPURequest "200m" }} volumeMounts: - mountPath: /etc/kubernetes/cloud.config name: cloudconfig readOnly: true hostNetwork: true priorityClassName: system-cluster-critical volumes: - hostPath: path: /etc/kubernetes/cloud.config type: "" name: cloudconfig --- apiVersion: v1 kind: ServiceAccount metadata: name: cloud-controller-manager namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cloud-controller-manager:apiserver-authentication-reader namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: extension-apiserver-authentication-reader subjects: - apiGroup: "" kind: ServiceAccount name: cloud-controller-manager namespace: kube-system --- # https://github.com/kubernetes/cloud-provider-gcp/blob/master/deploy/cloud-node-controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: addonmanager.kubernetes.io/mode: Reconcile name: system:cloud-controller-manager rules: - apiGroups: - "" - events.k8s.io resources: - events verbs: - create - patch - update - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - get - list - watch - update - apiGroups: - coordination.k8s.io resourceNames: - cloud-controller-manager resources: - leases verbs: - get - update - apiGroups: - "" resources: - endpoints - serviceaccounts verbs: - create - get - update - apiGroups: - "" resources: - nodes verbs: - get - update - apiGroups: - "" resources: - namespaces verbs: - get - apiGroups: - "" resources: - nodes/status verbs: - patch - update - apiGroups: - "" resources: - secrets verbs: - create - delete - get - update - apiGroups: - "authentication.k8s.io" resources: - tokenreviews verbs: - create - apiGroups: - "*" resources: - "*" verbs: - list - watch - apiGroups: - "" resources: - serviceaccounts/token verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: addonmanager.kubernetes.io/mode: Reconcile name: system::leader-locking-cloud-controller-manager namespace: kube-system rules: - apiGroups: - "" resources: - configmaps verbs: - watch - apiGroups: - "" resources: - configmaps resourceNames: - cloud-controller-manager verbs: - get - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: addonmanager.kubernetes.io/mode: Reconcile name: system:controller:cloud-node-controller rules: - apiGroups: - "" resources: - events verbs: - create - patch - update - apiGroups: - "" resources: - nodes verbs: - get - list - update - delete - patch - apiGroups: - "" resources: - nodes/status verbs: - get - list - update - delete - patch - apiGroups: - "" resources: - pods verbs: - list - delete - apiGroups: - "" resources: - pods/status verbs: - list - delete --- # https://github.com/kubernetes/cloud-provider-gcp/blob/master/deploy/cloud-node-controller-binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: addonmanager.kubernetes.io/mode: Reconcile name: system::leader-locking-cloud-controller-manager namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: system::leader-locking-cloud-controller-manager subjects: - kind: ServiceAccount name: cloud-controller-manager namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: addonmanager.kubernetes.io/mode: Reconcile name: system:cloud-controller-manager roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:cloud-controller-manager subjects: - kind: ServiceAccount apiGroup: "" name: cloud-controller-manager namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: addonmanager.kubernetes.io/mode: Reconcile name: system:controller:cloud-node-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:controller:cloud-node-controller subjects: - kind: ServiceAccount name: cloud-node-controller namespace: kube-system --- # https://github.com/kubernetes/cloud-provider-gcp/blob/master/deploy/pvl-controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: addonmanager.kubernetes.io/mode: Reconcile name: system:controller:pvl-controller rules: - apiGroups: - "" resources: - events verbs: - create - patch - update - apiGroups: - "" resources: - persistentvolumeclaims - persistentvolumes verbs: - list - watch