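# Rendered manifests for kubelet-serving-cert-approver: a controller that approves
# kubelet serving-certificate CSRs (signer kubernetes.io/kubelet-serving).
#
# Review summary:
#   * The one-document-per-block layout is restored. In the collapsed form,
#     everything after the first `#` on a line was parsed as a comment.
#   * `metadata.namespace` is removed from ClusterRole and ClusterRoleBinding
#     objects. They are cluster-scoped, so the field had no effect and implied a
#     scoping that does not exist.
#   * An empty document (a `---` directly followed by another `---`) is removed.
#   * Security notes are added as comments. No permission, image or
#     securityContext value is changed.
---
# Source: kubelet-serving-cert-approver/templates/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: kubelet-serving-cert-approver
  labels:
    app.kubernetes.io/name: kubelet-serving-cert-approver
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/part-of: kubelet-serving-cert-approver
    # Pod Security Admission: the "restricted" profile is enforced, not only
    # audited. No *-version labels are set, so the policy version follows the
    # cluster ("latest") and can tighten on upgrade.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubelet-serving-cert-approver
  labels:
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kubelet-serving-cert-approver
    helm.sh/chart: kubelet-serving-cert-approver-4.4.0
  namespace: kubelet-serving-cert-approver
secrets:
  - name: kubelet-serving-cert-approver-kubelet-serving-cert-approver-sa-token
---
# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml
# NOTE(review): this is a legacy, non-expiring service-account token. It carries
# the same CSR-approval rights as the ServiceAccount, so anyone able to read
# Secrets in this namespace can use them. Nothing in this manifest mounts the
# Secret; the Deployment uses the automounted (bound, rotating) token. Confirm
# whether any consumer needs it. If none does, drop this Secret and the
# `secrets:` reference on the ServiceAccount.
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: kubelet-serving-cert-approver-kubelet-serving-cert-approver-sa-token
  labels:
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kubelet-serving-cert-approver
    helm.sh/chart: kubelet-serving-cert-approver-4.4.0
  annotations:
    kubernetes.io/service-account.name: kubelet-serving-cert-approver
  namespace: kubelet-serving-cert-approver
---
# Source: kubelet-serving-cert-approver/templates/cluster-role.yaml
# Cluster-scoped: ClusterRole has no namespace, so none is set.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: certificates-kubelet-serving-cert-approver
  labels:
    app.kubernetes.io/name: certificates-kubelet-serving-cert-approver
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/part-of: kubelet-serving-cert-approver
rules:
  # Read-only view of all CSRs so the controller can find pending requests.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - list
      - watch
  # Write access to the approval subresource only. The rule does not name
  # individual CSRs; the `signers` rule below is what limits which requests
  # may be approved.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests/approval
    verbs:
      - update
  # Lets the controller ask the API server for authorization decisions.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  # Approval is limited to the kubelet-serving signer. Keep `resourceNames`.
  # Without it this rule would allow approving CSRs for every signer,
  # including client-certificate signers.
  - apiGroups:
      - certificates.k8s.io
    resourceNames:
      - kubernetes.io/kubelet-serving
    resources:
      - signers
    verbs:
      - approve
---
# Source: kubelet-serving-cert-approver/templates/cluster-role.yaml
# Cluster-scoped definition. It is granted per namespace through the
# RoleBinding further down, not cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: events-kubelet-serving-cert-approver
  labels:
    app.kubernetes.io/name: events-kubelet-serving-cert-approver
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/part-of: kubelet-serving-cert-approver
rules:
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: kubelet-serving-cert-approver/templates/cluster-role-binding.yaml
# Cluster-scoped: binds the CSR permissions to the controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-serving-cert-approver
  labels:
    app.kubernetes.io/name: kubelet-serving-cert-approver
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/part-of: kubelet-serving-cert-approver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: certificates-kubelet-serving-cert-approver
subjects:
  - kind: ServiceAccount
    name: kubelet-serving-cert-approver
    namespace: kubelet-serving-cert-approver
---
# Source: kubelet-serving-cert-approver/templates/role-binding.yaml
# Namespaced binding: event create/patch is granted only inside the
# kubelet-serving-cert-approver namespace.
# NOTE(review): events whose involved object is cluster-scoped (such as a CSR)
# are normally written to the `default` namespace. Confirm which namespace the
# controller emits events to, because this binding does not cover `default`.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: events-kubelet-serving-cert-approver
  namespace: kubelet-serving-cert-approver
  labels:
    app.kubernetes.io/name: events-kubelet-serving-cert-approver
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/part-of: kubelet-serving-cert-approver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: events-kubelet-serving-cert-approver
subjects:
  - kind: ServiceAccount
    name: kubelet-serving-cert-approver
    namespace: kubelet-serving-cert-approver
---
# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml
apiVersion: v1
kind: Service
metadata:
  name: kubelet-serving-cert-approver
  labels:
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kubelet-serving-cert-approver
    app.kubernetes.io/service: kubelet-serving-cert-approver
    helm.sh/chart: kubelet-serving-cert-approver-4.4.0
  namespace: kubelet-serving-cert-approver
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: 8080
      protocol: TCP
      name: health
    - port: 9090
      targetPort: 9090
      protocol: TCP
      name: metrics
  selector:
    app.kubernetes.io/controller: main
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/name: kubelet-serving-cert-approver
---
# Source: kubelet-serving-cert-approver/charts/kubelet-serving-cert-approver/templates/common.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubelet-serving-cert-approver
  labels:
    app.kubernetes.io/controller: main
    app.kubernetes.io/instance: kubelet-serving-cert-approver
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kubelet-serving-cert-approver
    helm.sh/chart: kubelet-serving-cert-approver-4.4.0
  namespace: kubelet-serving-cert-approver
spec:
  revisionHistoryLimit: 3
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/controller: main
      app.kubernetes.io/name: kubelet-serving-cert-approver
      app.kubernetes.io/instance: kubelet-serving-cert-approver
  template:
    metadata:
      annotations:
        # Quoted so the hash always stays a string, whatever its digits are.
        checksum/secrets: "591a33eca0bc5c4a8475d0538f3f4840841582c86a3ac2c97147b2b00e5774c5"
      labels:
        app.kubernetes.io/controller: main
        app.kubernetes.io/instance: kubelet-serving-cert-approver
        app.kubernetes.io/name: kubelet-serving-cert-approver
    spec:
      enableServiceLinks: false
      serviceAccountName: kubelet-serving-cert-approver
      # The token is needed because the controller calls the API server with
      # the RBAC rules above.
      automountServiceAccountToken: true
      priorityClassName: system-cluster-critical
      # Pod-level settings for the "restricted" profile: non-root UID/GID
      # (65534) and the runtime's default seccomp filter.
      securityContext:
        fsGroup: 65534
        runAsGroup: 65534
        runAsUser: 65534
        seccompProfile:
          type: RuntimeDefault
      hostIPC: false
      hostNetwork: false
      hostPID: false
      dnsPolicy: ClusterFirst
      # This is a preference, not a requirement. Together with the tolerations
      # below, the pod may still be scheduled on control-plane nodes.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: node-role.kubernetes.io/master
                    operator: DoesNotExist
                  - key: node-role.kubernetes.io/control-plane
                    operator: DoesNotExist
              weight: 100
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Exists
      containers:
        - args:
            - serve
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): the image is referenced by mutable tag and pulled with
          # imagePullPolicy: Always, so the binary that holds CSR-approval rights
          # can change without a manifest change. Pin a verified digest, e.g.
          # ghcr.io/alex1989hu/kubelet-serving-cert-approver:0.10.0@sha256:<DIGEST>
          # (<DIGEST> is a placeholder).
          image: ghcr.io/alex1989hu/kubelet-serving-cert-approver:0.10.0
          imagePullPolicy: Always
          name: main
          # NOTE(review): only requests are set. Without limits, this
          # system-cluster-critical pod is not capped on memory or CPU.
          # NOTE(review): no liveness or readiness probe is defined, although
          # the Service publishes a `health` port. Take the probe endpoints
          # from the image's documentation before adding them.
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
          # Container-level settings for the "restricted" profile.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true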