kops/upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/v0.1.12.yaml

# Borrowed from https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/metadata-proxy

apiVersion: v1
kind: ServiceAccount
metadata:
  name: metadata-proxy
  namespace: kube-system
  labels:
    k8s-app: metadata-proxy
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: metadata-proxy-v0.12
  namespace: kube-system
  labels:
    k8s-app: metadata-proxy
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    version: v0.12
spec:
  selector:
    matchLabels:
      k8s-app: metadata-proxy
      version: v0.12
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: metadata-proxy
        kubernetes.io/cluster-service: "true"
        version: v0.12
    spec:
      priorityClassName: system-node-critical
      serviceAccountName: metadata-proxy
      hostNetwork: true
      dnsPolicy: Default
      tolerations:
      - operator: "Exists"
        effect: "NoExecute"
      - operator: "Exists"
        effect: "NoSchedule"
      hostNetwork: true
      initContainers:
      - name: update-ipdtables
        securityContext:
          privileged: true
        image: registry.k8s.io/k8s-custom-iptables:1.0
        imagePullPolicy: Always
        command:
        - "/bin/sh"
        - "-c"
        # Based on https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L181-L184
        - |
          set -e
          set -x

          if (ip link show ens4); then
            PRIMARY_DEV=ens4
          else
            PRIMARY_DEV=eth0
          fi

          ip addr add dev lo 169.254.169.252/32
          iptables -w -t nat -I PREROUTING -p tcp -d 169.254.169.254 ! -i "${PRIMARY_DEV}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 169.254.169.252:988
          iptables -w -t nat -I PREROUTING -p tcp -d 169.254.169.254 ! -i "${PRIMARY_DEV}" --dport 8080 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 169.254.169.252:987          
        volumeMounts:
        - name: host
          mountPath: /host
      volumes:
      - name: host
        hostPath:
          path: /
          type: Directory
      containers:
      - name: metadata-proxy
        image: registry.k8s.io/metadata-proxy:v0.1.12
        securityContext:
          privileged: true
        args:
        - -addr=169.254.169.252:988
        # Request and limit resources to get guaranteed QoS.
        resources:
          requests:
            memory: "25Mi"
            cpu: "30m"
          limits:
            memory: "25Mi"
            cpu: "30m"
      # BEGIN_PROMETHEUS_TO_SD
      - name: prometheus-to-sd-exporter
        image: registry.k8s.io/prometheus-to-sd:v0.5.0
        # Request and limit resources to get guaranteed QoS.
        resources:
          requests:
            memory: "20Mi"
            cpu: "2m"
          limits:
            memory: "20Mi"
            cpu: "2m"
        command:
          - /monitor
          - --stackdriver-prefix=custom.googleapis.com/addons
          - --source=metadata_proxy:http://127.0.0.1:989?whitelisted=request_count
          - --pod-id=$(POD_NAME)
          - --namespace-id=$(POD_NAMESPACE)
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
      # END_PROMETHEUS_TO_SD
      nodeSelector:
        cloud.google.com/metadata-proxy-ready: "true"
        kubernetes.io/os: linux
      terminationGracePeriodSeconds: 30