github.com/Azure/aad-pod-identity@v1.8.17/manifest_staging/deploy/infra/deployment.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureassignedidentities.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureAssignedIdentity
    listKind: AzureAssignedIdentityList
    plural: azureassignedidentities
    singular: azureassignedidentity
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: AzureAssignedIdentity contains the identity <-> pod mapping which is matched.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzureAssignedIdentitySpec contains the relationship between an AzureIdentity and an AzureIdentityBinding.
            properties:
              azureBindingRef:
                description: AzureBindingRef is an embedded resource referencing the AzureIdentityBinding used by the AzureAssignedIdentity, which requires x-kubernetes-embedded-resource fields to be true
                properties:
                  apiVersion:
                    description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                    type: string
                  kind:
                    description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                    type: string
                  metadata:
                    type: object
                  spec:
                    description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present.
                    properties:
                      azureIdentity:
                        type: string
                      metadata:
                        type: object
                      selector:
                        type: string
                      weight:
                        description: Weight is used to figure out which of the matching identities would be selected.
                        type: integer
                    type: object
                  status:
                    description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding.
                    properties:
                      availableReplicas:
                        format: int32
                        type: integer
                      metadata:
                        type: object
                    type: object
                type: object
                x-kubernetes-embedded-resource: true
              azureIdentityRef:
                description: AzureIdentityRef is an embedded resource referencing the AzureIdentity used by the AzureAssignedIdentity, which requires x-kubernetes-embedded-resource fields to be true
                properties:
                  apiVersion:
                    description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                    type: string
                  kind:
                    description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                    type: string
                  metadata:
                    type: object
                  spec:
                    description: AzureIdentitySpec describes the credential specifications of an identity on Azure.
                    properties:
                      adEndpoint:
                        type: string
                      adResourceID:
                        description: For service principal. Option param for specifying the AD details.
                        type: string
                      auxiliaryTenantIDs:
                        description: Service principal auxiliary tenant ids
                        items:
                          type: string
                        nullable: true
                        type: array
                      clientID:
                        description: Both User Assigned MSI and SP can use this field.
                        type: string
                      clientPassword:
                        description: Used for service principal
                        properties:
                          name:
                            description: Name is unique within a namespace to reference a secret resource.
                            type: string
                          namespace:
                            description: Namespace defines the space within which the secret name must be unique.
                            type: string
                        type: object
                      metadata:
                        type: object
                      replicas:
                        format: int32
                        nullable: true
                        type: integer
                      resourceID:
                        description: User assigned MSI resource id.
                        type: string
                      tenantID:
                        description: Service principal primary tenant id.
                        type: string
                      type:
                        description: UserAssignedMSI or Service Principal
                        type: integer
                    type: object
                  status:
                    description: AzureIdentityStatus contains the replica status of the resource.
                    properties:
                      availableReplicas:
                        format: int32
                        type: integer
                      metadata:
                        type: object
                    type: object
                type: object
                x-kubernetes-embedded-resource: true
              metadata:
                type: object
              nodename:
                type: string
              pod:
                type: string
              podNamespace:
                type: string
              replicas:
                format: int32
                nullable: true
                type: integer
            type: object
          status:
            description: AzureAssignedIdentityStatus contains the replica status of the resource.
            properties:
              availableReplicas:
                format: int32
                type: integer
              metadata:
                type: object
              status:
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureidentities.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureIdentity
    listKind: AzureIdentityList
    plural: azureidentities
    singular: azureidentity
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.type
      name: Type
      type: string
    - jsonPath: .spec.clientID
      name: ClientID
      type: string
    - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: AzureIdentity is the specification of the identity data structure.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzureIdentitySpec describes the credential specifications of an identity on Azure.
            properties:
              adEndpoint:
                type: string
              adResourceID:
                description: For service principal. Option param for specifying the AD details.
                type: string
              auxiliaryTenantIDs:
                description: Service principal auxiliary tenant ids
                items:
                  type: string
                nullable: true
                type: array
              clientID:
                description: Both User Assigned MSI and SP can use this field.
                type: string
              clientPassword:
                description: Used for service principal
                properties:
                  name:
                    description: Name is unique within a namespace to reference a secret resource.
                    type: string
                  namespace:
                    description: Namespace defines the space within which the secret name must be unique.
                    type: string
                type: object
              metadata:
                type: object
              replicas:
                format: int32
                nullable: true
                type: integer
              resourceID:
                description: User assigned MSI resource id.
                type: string
              tenantID:
                description: Service principal primary tenant id.
                type: string
              type:
                description: UserAssignedMSI or Service Principal
                type: integer
            type: object
          status:
            description: AzureIdentityStatus contains the replica status of the resource.
            properties:
              availableReplicas:
                format: int32
                type: integer
              metadata:
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureidentitybindings.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureIdentityBinding
    listKind: AzureIdentityBindingList
    plural: azureidentitybindings
    singular: azureidentitybinding
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.azureIdentity
      name: AzureIdentity
      type: string
    - jsonPath: .spec.selector
      name: Selector
      type: string
    - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: AzureIdentityBinding brings together the spec of matching pods and the identity which they can use.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present.
            properties:
              azureIdentity:
                type: string
              metadata:
                type: object
              selector:
                type: string
              weight:
                description: Weight is used to figure out which of the matching identities would be selected.
                type: integer
            type: object
          status:
            description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding.
            properties:
              availableReplicas:
                format: int32
                type: integer
              metadata:
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azurepodidentityexceptions.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzurePodIdentityException
    listKind: AzurePodIdentityExceptionList
    plural: azurepodidentityexceptions
    singular: azurepodidentityexception
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: AzurePodIdentityException contains the pod selectors for all pods that don't require NMI to process and request token on their behalf.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            # Pods matching an exception bypass NMI's identity validation entirely,
            # so podLabels should be as specific as possible.
            description: AzurePodIdentityExceptionSpec matches pods with the selector defined. If request originates from a pod that matches the selector, nmi will proxy the request and send response back without any validation.
            properties:
              metadata:
                type: object
              podLabels:
                additionalProperties:
                  type: string
                type: object
            type: object
          status:
            description: AzurePodIdentityExceptionStatus contains the status of an AzurePodIdentityException.
            properties:
              metadata:
                type: object
              status:
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# NMI (Node Managed Identity) runs on every Linux node with host networking.
# NET_ADMIN/NET_RAW and the xtables lock are needed because it installs iptables
# rules that redirect pod traffic for the instance metadata endpoint
# (169.254.169.254) to itself, where it validates the caller before fetching a token.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    component: nmi
    tier: node
  name: nmi
  namespace: default
spec:
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      component: nmi
      tier: node
  template:
    metadata:
      labels:
        component: nmi
        tier: node
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      volumes:
      - hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
        name: iptableslock
      - name: kubelet-config
        hostPath:
          path: /etc/default/kubelet
          type: FileOrCreate
      containers:
      - name: nmi
        image: "mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.17"
        args:
        - "--node=$(NODE_NAME)"
        - "--http-probe-port=8085"
        - "--enableScaleFeatures=true"
        # Require the "Metadata: true" request header, as Azure IMDS itself does;
        # this rejects forwarded requests (e.g. SSRF) that cannot set headers.
        - "--metadata-header-required=true"
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          runAsUser: 0
          capabilities:
            drop:
            - ALL
            add:
            - DAC_READ_SEARCH
            - NET_ADMIN
            - NET_RAW
        resources:
          limits:
            cpu: 200m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 256Mi
        volumeMounts:
        - mountPath: /run/xtables.lock
          name: iptableslock
        - name: kubelet-config
          mountPath: /etc/default/kubelet
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8085
          initialDelaySeconds: 10
          periodSeconds: 5
      tolerations:
      - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
---
# MIC (Managed Identity Controller) watches AzureIdentity/AzureIdentityBinding and
# pods, and assigns or removes user-assigned identities on node VMs/VMSS. It runs
# as root with the host's kubelet kubeconfig, certificates and cloud-provider
# config (azure.json, which carries cluster credentials) mounted read-only.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    component: mic
  name: mic
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      component: mic
  template:
    metadata:
      labels:
        component: mic
    spec:
      containers:
      - name: mic
        image: "mcr.microsoft.com/oss/azure/aad-pod-identity/mic:v1.8.17"
        args:
        - "--kubeconfig=/var/lib/kubelet/kubeconfig"
        - "--cloudconfig=/etc/kubernetes/azure.json"
        - "--logtostderr"
        securityContext:
          runAsUser: 0
          readOnlyRootFilesystem: true
        env:
        - name: MIC_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        resources:
          limits:
            cpu: 200m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 256Mi
        volumeMounts:
        - name: kubelet-config
          mountPath: /var/lib/kubelet
          readOnly: true
        - name: certificates
          mountPath: /etc/kubernetes/certs
          readOnly: true
        - name: k8s-azure-file
          mountPath: /etc/kubernetes/azure.json
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 5
      volumes:
      - name: kubelet-config
        hostPath:
          path: /var/lib/kubelet
      - name: certificates
        hostPath:
          path: /etc/kubernetes/certs
      - name: k8s-azure-file
        hostPath:
          path: /etc/kubernetes/azure.json
      nodeSelector:
        kubernetes.io/os: linux
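The CRDs above only define shapes; how a pod ends up with an identity (or bypasses NMI through an AzurePodIdentityException) is spread across MIC and NMI. The following is an added example, not code from aad-pod-identity, that models that matching offline so a set of AzureIdentity, AzureIdentityBinding and AzurePodIdentityException objects can be reviewed before they are applied. It assumes: a pod opts in via the `aadpodidbinding` label whose value must equal `AzureIdentityBinding.spec.selector`; `AzureIdentity.spec.type` is `0` for UserAssignedMSI and `1` for ServicePrincipal; an exception matches when every `spec.podLabels` entry is present on the pod with the same value. Two things are this example's own policy rather than documented behaviour: a higher binding `weight` is listed first, and a binding whose `azureIdentity` name resolves to zero or several AzureIdentity objects is reported instead of guessed. Namespace scoping is a flag because the project treats it as a deployment option. All sample objects are constructed here.

```python
"""Offline model of aad-pod-identity CRD matching (added example, not project code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

AAD_BINDING_LABEL = "aadpodidbinding"          # assumption: pod label matched to spec.selector
IDENTITY_TYPES = {0: "UserAssignedMSI", 1: "ServicePrincipal"}  # assumption: integer spec.type


@dataclass
class Resolution:
    pod: str
    exception: Optional[str] = None                                   # matching exception name
    identities: List[Tuple[str, int]] = field(default_factory=list)   # (clientID, weight), best first
    warnings: List[str] = field(default_factory=list)


def _ns(obj: dict) -> str:
    return obj["metadata"].get("namespace", "default")


def _of_kind(manifests: list, kind: str) -> list:
    return [m for m in manifests if m.get("kind") == kind]


def exception_matches(exc: dict, pod: dict) -> bool:
    """True when every podLabels key/value of the exception is present on the pod."""
    want = exc.get("spec", {}).get("podLabels") or {}
    have = pod["metadata"].get("labels") or {}
    return bool(want) and all(have.get(k) == v for k, v in want.items())


def check_identity(ident: dict) -> List[str]:
    """Sanity checks derived from the AzureIdentitySpec fields in the CRD above."""
    spec, problems = ident.get("spec", {}), []
    kind = IDENTITY_TYPES.get(spec.get("type"))
    if kind is None:
        problems.append(f"unknown spec.type {spec.get('type')!r}")
    elif kind == "UserAssignedMSI" and not spec.get("resourceID"):
        problems.append("UserAssignedMSI without resourceID")
    elif kind == "ServicePrincipal" and not spec.get("clientPassword"):
        problems.append("ServicePrincipal without clientPassword secret reference")
    if not spec.get("clientID"):
        problems.append("missing clientID")
    return [f"AzureIdentity {ident['metadata']['name']!r}: {p}" for p in problems]


def resolve(pod: dict, manifests: list, force_namespaced: bool = False) -> Resolution:
    """Return the identities a pod could be bound to, plus review warnings."""
    res = Resolution(pod=pod["metadata"]["name"])
    # Exceptions first: per the CRD description NMI proxies such requests without
    # validation, so a broad podLabels selector is the first thing to flag in review.
    for exc in _of_kind(manifests, "AzurePodIdentityException"):
        if exception_matches(exc, pod):
            res.exception = exc["metadata"]["name"]
            res.warnings.append(f"matches AzurePodIdentityException {res.exception!r}: "
                                "IMDS requests are proxied without validation")
            return res
    selector = (pod["metadata"].get("labels") or {}).get(AAD_BINDING_LABEL)
    if selector is None:
        return res  # no aadpodidbinding label: nothing is assigned
    identities = _of_kind(manifests, "AzureIdentity")
    matches = []
    for b in _of_kind(manifests, "AzureIdentityBinding"):
        if b["spec"].get("selector") != selector:
            continue
        if force_namespaced and _ns(b) != _ns(pod):
            continue
        name = b["spec"].get("azureIdentity")
        cands = [i for i in identities if i["metadata"]["name"] == name
                 and (not force_namespaced or _ns(i) == _ns(b))]
        if len(cands) != 1:  # example policy: never guess between same-named identities
            res.warnings.append(f"binding {b['metadata']['name']!r}: {len(cands)} AzureIdentity "
                                f"objects named {name!r} (need exactly one)")
            continue
        res.warnings.extend(check_identity(cands[0]))
        matches.append((cands[0]["spec"].get("clientID", ""), int(b["spec"].get("weight", 0))))
    res.identities = sorted(matches, key=lambda t: -t[1])  # assumption: higher weight preferred
    return res


def _obj(kind: str, name: str, ns: str = "default", **spec) -> dict:
    return {"apiVersion": "aadpodidentity.k8s.io/v1", "kind": kind,
            "metadata": {"name": name, "namespace": ns}, "spec": spec}


def pod(name: str, labels: Optional[dict] = None, ns: str = "default") -> dict:
    return {"kind": "Pod", "metadata": {"name": name, "namespace": ns, "labels": labels or {}}}


# Constructed sample objects for illustration only; GUIDs and resource IDs are fake.
SAMPLE = [
    _obj("AzureIdentity", "app-msi", type=0, clientID="11111111-1111-1111-1111-111111111111",
         resourceID="/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/"
                    "providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-msi"),
    _obj("AzureIdentity", "legacy-sp", type=1, clientID="22222222-2222-2222-2222-222222222222",
         tenantID="33333333-3333-3333-3333-333333333333"),       # no clientPassword: flagged
    _obj("AzureIdentity", "app-msi", ns="other", type=0,          # same name, other namespace
         clientID="44444444-4444-4444-4444-444444444444",
         resourceID="/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg2/"
                    "providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-msi"),
    _obj("AzureIdentityBinding", "app-binding", azureIdentity="app-msi", selector="app", weight=10),
    _obj("AzureIdentityBinding", "legacy-binding", azureIdentity="legacy-sp", selector="app", weight=1),
    _obj("AzurePodIdentityException", "node-agents", podLabels={"k8s-app": "node-agent"}),
]

if __name__ == "__main__":
    for p in (pod("web-0", {AAD_BINDING_LABEL: "app"}), pod("agent-0", {"k8s-app": "node-agent"})):
        print(resolve(p, SAMPLE), resolve(p, SAMPLE, force_namespaced=True), sep="\n")
```

Run against a real cluster by feeding it the `items` of `kubectl get azureidentities,azureidentitybindings,azurepodidentityexceptions -A -o json` together with the pod specs you are about to deploy. In the constructed data, non-namespaced mode cannot pick between the two `app-msi` objects and so reports the binding instead of silently choosing one, while `force_namespaced=True` resolves it to the `default` namespace copy.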