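# File entry that places a static pod manifest for the kube-rbac-proxy-crio pod
# in the kubelet manifest directory.
# NOTE(review): `mode` is left unquoted; presumably the consumer expects an
# octal integer here - confirm before quoting it.
mode: 0644
path: "/etc/kubernetes/manifests/criometricsproxy.yaml"
contents:
  inline: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: kube-rbac-proxy-crio
      namespace: openshift-machine-config-operator
      annotations:
        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
    spec:
      # Both volumes are hostPath mounts of node directories that hold
      # credentials (kubelet kubeconfig, kubelet serving key, CA bundle).
      # Together with `privileged: true` below, a compromise of either
      # container is effectively a compromise of the node.
      volumes:
        - name: etc-kube
          hostPath:
            path: "/etc/kubernetes"
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
      # Host networking: the proxy listens on the node's own interfaces and
      # reaches the upstream over the node's loopback.
      hostNetwork: true
      priorityClassName: system-cluster-critical
      initContainers:
        # Blocks pod start-up until the kubelet serving certificate exists, so
        # the proxy container does not start without its TLS material.
        - name: setup
          terminationMessagePolicy: FallbackToLogsOnError
          image: {{.Images.kubeRbacProxyImage}}
          imagePullPolicy: IfNotPresent
          volumeMounts:
            # Mounted at the same path the script below tests. The previous
            # mountPath ("/var") put the host's /var/lib/kubelet at /var, so
            # /var/lib/kubelet/pki/... never existed inside this container.
            - name: var-lib-kubelet
              mountPath: "/var/lib/kubelet"
              mountPropagation: HostToContainer
          command: ['/bin/bash', '-ec']
          args:
            - |
              echo -n "Waiting for kubelet key and certificate to be available"
              # `test -e` prints nothing, so the former
              # `[ -n "$(test -e ...)" ]` condition was always false and the
              # loop never ran. Test the file directly instead.
              tries=0
              while [ ! -e /var/lib/kubelet/pki/kubelet-server-current.pem ]; do
                echo -n "."
                sleep 1
                (( tries += 1 ))
                if [[ "${tries}" -gt 10 ]]; then
                  echo "Timed out waiting for kubelet key and cert."
                  exit 1
                fi
              done
          # NOTE(review): this container only checks that a file exists;
          # confirm whether full privilege is required (e.g. for host file
          # labels) or whether a narrower securityContext is sufficient.
          securityContext:
            privileged: true
          resources:
            requests:
              memory: 50Mi
              cpu: 5m
      containers:
        - name: kube-rbac-proxy-crio
          image: {{.Images.kubeRbacProxyImage}}
          # NOTE(review): privileged and on the host network while reading the
          # kubelet kubeconfig and serving key; confirm this cannot be reduced.
          securityContext:
            privileged: true
          ports:
            - containerPort: 9637
          args:
            # TLS listener on every node address; clients are verified
            # against the kubelet CA bundle given by --client-ca-file.
            - --secure-listen-address=:9637
            - --config-file=/etc/kubernetes/crio-metrics-proxy.cfg
            - --client-ca-file=/etc/kubernetes/kubelet-ca.crt
            - --logtostderr=true
            - --kubeconfig=/var/lib/kubelet/kubeconfig
            # Only ECDHE key exchange with AEAD ciphers (AES-GCM, ChaCha20-Poly1305).
            - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
            # Plain-HTTP upstream on loopback: the proxy's authentication and
            # authorization only protect it if the upstream is not reachable
            # on any other address - verify the upstream's bind address.
            - --upstream=http://127.0.0.1:9537
            # Certificate and private key are read from the same PEM file.
            - --tls-cert-file=/var/lib/kubelet/pki/kubelet-server-current.pem
            - --tls-private-key-file=/var/lib/kubelet/pki/kubelet-server-current.pem
          resources:
            requests:
              cpu: 20m
              memory: 50Mi
          volumeMounts:
            - name: etc-kube
              mountPath: "/etc/kubernetes"
              mountPropagation: HostToContainer
            - name: var-lib-kubelet
              mountPath: "/var/lib/kubelet"
              mountPropagation: HostToContainer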