---
# Go-templated addon manifest for the OpenStack cloud controller manager.
# It declares one ServiceAccount, two ClusterRoleBindings, two ClusterRoles
# and the DaemonSet that runs the controller in kube-system.
# Keep template directives out of comments: the template engine expands them
# before the YAML parser ever sees this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloud-controller-manager
  namespace: kube-system
  labels:
    k8s-app: openstack-cloud-provider
    k8s-addon: openstack.addons.k8s.io
---
# Binds the system:cloud-node-controller ClusterRole to the ServiceAccount
# kube-system/cloud-node-controller.
# NOTE(review): this manifest does not create that ServiceAccount. RBAC
# subjects are matched by name, so whatever creates an account with this name
# in kube-system receives the role. Presumably the controller creates it at
# runtime (its role below allows serviceaccounts create) - confirm.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:cloud-node-controller
  labels:
    k8s-app: openstack-cloud-provider
    k8s-addon: openstack.addons.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:cloud-node-controller
subjects:
  - kind: ServiceAccount
    name: cloud-node-controller
    namespace: kube-system
---
# Binds the system:cloud-controller-manager ClusterRole to the ServiceAccount
# declared at the top of this file. Because this is a ClusterRoleBinding,
# every rule in that role applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:cloud-controller-manager
  labels:
    k8s-app: openstack-cloud-provider
    k8s-addon: openstack.addons.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:cloud-controller-manager
subjects:
  - kind: ServiceAccount
    name: cloud-controller-manager
    namespace: kube-system
---
# Permissions held by the cloud-controller-manager ServiceAccount.
# The token for this account is mounted into a hostNetwork pod on the master
# nodes, so treat it as a cluster-wide credential when reviewing these rules.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:cloud-controller-manager
  labels:
    k8s-app: openstack-cloud-provider
    k8s-addon: openstack.addons.k8s.io
rules:
  # Lease get/create/update; presumably used for leader election - confirm.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - create
      - update
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
      - update
  # NOTE(review): the wildcard grants every verb on nodes, including delete
  # and deletecollection. The set the controller really needs cannot be
  # determined from this file; enumerate it explicitly if it can be confirmed.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - '*'
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - list
      - patch
      - update
      - watch
  # Allows creating ServiceAccounts in any namespace (no resourceNames limit).
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - create
      - get
  # NOTE(review): wildcard on persistentvolumes, same concern as nodes above.
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - '*'
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - create
      - get
      - list
      - watch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # NOTE(review): read access to Secrets in every namespace. If the controller
  # only reads Secrets from specific namespaces, a namespaced Role and
  # RoleBinding would shrink what a stolen token exposes - confirm the need.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - list
      - get
      - watch
---
# Permissions for the cloud-node-controller ServiceAccount (see the binding
# above, whose subject is not created by this manifest).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:cloud-node-controller
  labels:
    k8s-app: openstack-cloud-provider
    k8s-addon: openstack.addons.k8s.io
rules:
  # NOTE(review): wildcard verbs on nodes; narrow if the required set is known.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - '*'
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
      - update
---
# Runs the controller on every node that matches the master nodeSelector.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  namespace: kube-system
  name: openstack-cloud-provider
  labels:
    k8s-app: openstack-cloud-provider
    k8s-addon: openstack.addons.k8s.io
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      name: openstack-cloud-provider
  template:
    metadata:
      labels:
        name: openstack-cloud-provider
    spec:
      # run on the host network (don't depend on CNI)
      # The pod therefore shares the node's network namespace, so listeners
      # and outbound connections use the node's own interfaces.
      hostNetwork: true
      # run on each master node
      nodeSelector:
        node-role.kubernetes.io/master: ""
      priorityClassName: system-node-critical
      # Non-root UID for all containers. No container-level securityContext is
      # set below (allowPrivilegeEscalation, capabilities and
      # readOnlyRootFilesystem are left at their defaults).
      # NOTE(review): consider tightening those after testing with this image.
      securityContext:
        runAsUser: 1001
      serviceAccountName: cloud-controller-manager
      tolerations:
        # No key with operator Exists: tolerates every NoSchedule taint.
        - effect: NoSchedule
          operator: Exists
        - key: CriticalAddonsOnly
          operator: Exists
      containers:
        - name: openstack-cloud-controller-manager
          # Uses the configured override image when one is set; otherwise the
          # docker.io default with a tag supplied by the template.
          # NOTE(review): the default is referenced by tag, not by digest, so
          # the content behind it can change without this manifest changing.
          image: "{{- if .ExternalCloudControllerManager.Image -}} {{ .ExternalCloudControllerManager.Image }} {{- else -}} docker.io/k8scloudprovider/openstack-cloud-controller-manager:{{OpenStackCCMTag}} {{- end -}}"
          # Extra arguments are rendered by the range directive as unquoted
          # list items, so a value containing YAML indicator characters would
          # be re-typed or rejected by the parser.
          # NOTE(review): check what the argument generator can emit.
          # The final flag is a loopback address; with hostNetwork that is the
          # node's loopback. Presumably the controller's listen address -
          # confirm against the binary's flag documentation.
          args:
            - /bin/openstack-cloud-controller-manager
{{- range $arg := CloudControllerConfigArgv }}
            - {{ $arg }}
{{- end }}
            - --cloud-config=/etc/kubernetes/cloud.config
            - --address=127.0.0.1
          # Only a CPU request is declared; no memory request and no limits.
          resources:
            requests:
              cpu: 200m
          volumeMounts:
            - mountPath: /etc/kubernetes/cloud.config
              name: cloudconfig
              readOnly: true
{{ if .UseHostCertificates }}
            - mountPath: /etc/ssl/certs
              name: etc-ssl-certs
              readOnly: true
{{ end }}
      volumes:
        # Host file passed to the controller through the cloud-config flag.
        # Presumably it holds the OpenStack credentials - confirm, and check
        # its mode on the host: it must be readable by UID 1001, which is the
        # reason to keep it unreadable to other local users.
        # No hostPath type is set, so the path is not checked before mounting.
        - hostPath:
            path: /etc/kubernetes/cloud.config
          name: cloudconfig
{{ if .UseHostCertificates }}
        # DirectoryOrCreate creates an empty directory on the host if the path
        # is missing, in which case the pod starts with an empty trust store.
        - hostPath:
            path: /etc/ssl/certs
            type: DirectoryOrCreate
          name: etc-ssl-certs
{{ end }}