39 lines
1.1 KiB
YAML
39 lines
1.1 KiB
YAML
# This patch inject a sidecar container which is a HTTP proxy for the
|
|
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: controller-manager
|
|
namespace: system
|
|
spec:
|
|
template:
|
|
spec:
|
|
containers:
|
|
- name: kube-rbac-proxy
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- "ALL"
|
|
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
|
|
args:
|
|
- "--secure-listen-address=0.0.0.0:8443"
|
|
- "--upstream=http://127.0.0.1:8080/"
|
|
- "--logtostderr=true"
|
|
- "--v=0"
|
|
ports:
|
|
- containerPort: 8443
|
|
protocol: TCP
|
|
name: https
|
|
resources:
|
|
limits:
|
|
cpu: 500m
|
|
memory: 128Mi
|
|
requests:
|
|
cpu: 5m
|
|
memory: 64Mi
|
|
- name: manager
|
|
args:
|
|
- "--health-probe-bind-address=:8081"
|
|
- "--metrics-bind-address=127.0.0.1:8080"
|
|
- "--leader-elect"
|