--- apiVersion: apps/v1 kind: DaemonSet metadata: namespace: kube-system name: aws-iam-authenticator labels: k8s-app: aws-iam-authenticator spec: updateStrategy: type: RollingUpdate selector: matchLabels: k8s-app: aws-iam-authenticator template: metadata: annotations: scheduler.alpha.kubernetes.io/critical-pod: "" labels: k8s-app: aws-iam-authenticator spec: # run on the host network (don't depend on CNI) hostNetwork: true # run on each master node nodeSelector: node-role.kubernetes.io/master: "" priorityClassName: system-node-critical tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master - key: CriticalAddonsOnly operator: Exists # run `aws-iam-authenticator server` with three volumes # - config (mounted from the ConfigMap at /etc/aws-iam-authenticator/config.yaml) # - state (persisted TLS certificate and keys, mounted from the host) # - output (output kubeconfig to plug into your apiserver configuration, mounted from the host) containers: - name: aws-iam-authenticator image: {{ or .Authentication.Aws.Image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.4.0" }} args: - server - --config=/etc/aws-iam-authenticator/config.yaml - --state-dir=/var/aws-iam-authenticator - --kubeconfig-pregenerated=true resources: requests: memory: {{ or .Authentication.Aws.MemoryRequest "20Mi" }} cpu: {{ or .Authentication.Aws.CPURequest "10m" }} limits: memory: {{ or .Authentication.Aws.MemoryLimit "20Mi" }} cpu: {{ or .Authentication.Aws.CPULimit "100m" }} volumeMounts: - name: config mountPath: /etc/aws-iam-authenticator/ - name: state mountPath: /var/aws-iam-authenticator/ - name: output mountPath: /etc/kubernetes/aws-iam-authenticator/ volumes: - name: config configMap: name: aws-iam-authenticator - name: output hostPath: path: /srv/kubernetes/aws-iam-authenticator/ - name: state hostPath: path: /srv/kubernetes/aws-iam-authenticator/