# Source: github.com/Azure/aad-pod-identity@v1.8.17/manifest_staging/deploy/infra/managed-mode-deployment.yaml
#
# Managed-mode deployment of AAD Pod Identity. This manifest defines only the
# NMI side: a ServiceAccount, the three CRDs NMI reads, a ClusterRole plus its
# ClusterRoleBinding, and the NMI DaemonSet (`--operation-mode=managed`
# below). No MIC resources appear in this file.
#
# Review notes (defensive posture, to confirm against the project docs):
#   - The ClusterRole grants `get` on Secrets cluster-wide; see the comment on
#     that rule.
#   - The NMI container runs as root with NET_ADMIN/NET_RAW on the host
#     network; see the securityContext comments for what is and is not set.
apiVersion: v1
kind: ServiceAccount
metadata:
  # Referenced by the ClusterRoleBinding and by the nmi DaemonSet below.
  name: aad-pod-id-nmi-service-account
  namespace: kube-system
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # CRDs in a *.k8s.io group must carry this annotation; "unapproved" marks
    # the group as not having gone through Kubernetes API review.
    api-approved.kubernetes.io: unapproved
    # Generated by controller-gen; regenerate rather than hand-edit the schema.
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureidentities.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureIdentity
    listKind: AzureIdentityList
    plural: azureidentities
    singular: azureidentity
  # Namespaced: an AzureIdentity lives in, and is looked up within, a namespace.
  scope: Namespaced
  versions:
    - additionalPrinterColumns:
        - jsonPath: .spec.type
          name: Type
          type: string
        - jsonPath: .spec.clientID
          name: ClientID
          type: string
        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1
      schema:
        openAPIV3Schema:
          description: AzureIdentity is the specification of the identity data structure.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: AzureIdentitySpec describes the credential specifications of an identity on Azure.
              properties:
                adEndpoint:
                  type: string
                adResourceID:
                  description: For service principal. Option param for specifying the AD details.
                  type: string
                auxiliaryTenantIDs:
                  description: Service principal auxiliary tenant ids
                  items:
                    type: string
                  nullable: true
                  type: array
                clientID:
                  description: Both User Assigned MSI and SP can use this field.
                  type: string
                # Reference (name + namespace) to a Secret holding the
                # service-principal password. The credential itself is never
                # stored in this object. This secret reference is presumably
                # why the NMI ClusterRole below needs `get` on Secrets.
                clientPassword:
                  description: Used for service principal
                  properties:
                    name:
                      description: Name is unique within a namespace to reference a secret resource.
                      type: string
                    namespace:
                      description: Namespace defines the space within which the secret name must be unique.
                      type: string
                  type: object
                metadata:
                  type: object
                replicas:
                  format: int32
                  nullable: true
                  type: integer
                resourceID:
                  description: User assigned MSI resource id.
                  type: string
                tenantID:
                  description: Service principal primary tenant id.
                  type: string
                # Integer discriminator: the description names the variants,
                # but the numeric values are defined in the controller code,
                # not in this schema.
                type:
                  description: UserAssignedMSI or Service Principal
                  type: integer
              type: object
            status:
              description: AzureIdentityStatus contains the replica status of the resource.
              properties:
                availableReplicas:
                  format: int32
                  type: integer
                metadata:
                  type: object
              type: object
          type: object
      served: true
      storage: true
      subresources: {}
# Placeholder status; the API server fills this in after the CRD is applied.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # See the note on the same annotation in the AzureIdentity CRD above.
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureidentitybindings.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureIdentityBinding
    listKind: AzureIdentityBindingList
    plural: azureidentitybindings
    singular: azureidentitybinding
  scope: Namespaced
  versions:
    - additionalPrinterColumns:
        - jsonPath: .spec.azureIdentity
          name: AzureIdentity
          type: string
        - jsonPath: .spec.selector
          name: Selector
          type: string
        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1
      schema:
        openAPIV3Schema:
          # A binding is the authorization edge: it decides which pods may
          # obtain tokens for which AzureIdentity. Who can create/modify these
          # objects in a namespace effectively controls identity assignment
          # there.
          description: AzureIdentityBinding brings together the spec of matching pods and the identity which they can use.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present.
              properties:
                # Name of the AzureIdentity this binding grants access to.
                azureIdentity:
                  type: string
                metadata:
                  type: object
                # Value matched against the requesting pod's labels; the exact
                # label key is a convention of the controller, not part of
                # this schema.
                selector:
                  type: string
                weight:
                  description: Weight is used to figure out which of the matching identities would be selected.
                  type: integer
              type: object
            status:
              description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding.
              properties:
                availableReplicas:
                  format: int32
                  type: integer
                metadata:
                  type: object
              type: object
          type: object
      served: true
      storage: true
      subresources: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # See the note on the same annotation in the AzureIdentity CRD above.
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azurepodidentityexceptions.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzurePodIdentityException
    listKind: AzurePodIdentityExceptionList
    plural: azurepodidentityexceptions
    singular: azurepodidentityexception
  scope: Namespaced
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          # Security-relevant: pods matching an exception bypass NMI's identity
          # validation entirely (per the spec description, the request is
          # proxied without validation). Treat create/update rights on this
          # resource as sensitive and keep podLabels selectors as narrow as
          # possible.
          description: AzurePodIdentityException contains the pod selectors for all pods that don't require NMI to process and request token on their behalf.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: AzurePodIdentityExceptionSpec matches pods with the selector defined. If request originates from a pod that matches the selector, nmi will proxy the request and send response back without any validation.
              properties:
                metadata:
                  type: object
                # Free-form label map (string -> string) used to select the
                # exempted pods.
                podLabels:
                  additionalProperties:
                    type: string
                  type: object
              type: object
            status:
              description: AzurePodIdentityExceptionStatus contains the status of an AzurePodIdentityException.
              properties:
                metadata:
                  type: object
                status:
                  type: string
              type: object
          type: object
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# Cluster-wide read permissions for NMI. All rules are read-only verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aad-pod-id-nmi-role
rules:
  # Presumably lets NMI check that the aadpodidentity CRDs above are installed.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list"]
  # NMI needs pod metadata to map an incoming request to a pod (its labels
  # drive the AzureIdentityBinding selector match).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Read access to Secrets, cluster-wide and unrestricted by name, presumably
  # for AzureIdentity.spec.clientPassword references. NOTE(review): this is a
  # broad grant for a node-level daemon; `--forceNamespaced` below looks like
  # it scopes lookups to the requesting pod's namespace, but RBAC itself does
  # not narrow it. Verify whether a resourceNames-restricted or namespaced
  # Role would suffice for your deployment.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
  # The three CRDs defined above; watch is used to keep a local cache.
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"]
    verbs: ["get", "list", "watch"]
---
# Binds the read-only ClusterRole to the NMI ServiceAccount in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-pod-id-nmi-binding
  labels:
    k8s-app: aad-pod-id-nmi-binding
subjects:
  - kind: ServiceAccount
    name: aad-pod-id-nmi-service-account
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: aad-pod-id-nmi-role
  apiGroup: rbac.authorization.k8s.io
---
# NMI (Node Managed Identity) runs on every Linux node and intercepts
# metadata-endpoint token requests from pods on that node.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    component: nmi
    tier: node
    k8s-app: aad-pod-id
  name: nmi
  namespace: kube-system
spec:
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      component: nmi
      tier: node
  template:
    metadata:
      labels:
        component: nmi
        tier: node
    spec:
      serviceAccountName: aad-pod-id-nmi-service-account
      # Host networking is required so the iptables rules NMI installs apply
      # to the node's traffic; it also means the pod shares the node's
      # network namespace (no network isolation from the host).
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      volumes:
        # iptables lock file shared with other iptables users on the node;
        # mounted read-write below because the lock must be taken.
        - hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
          name: iptableslock
        # Host kubelet config; mounted read-only below.
        - name: kubelet-config
          hostPath:
            path: /etc/default/kubelet
            type: FileOrCreate
      containers:
        - name: nmi
          # NOTE(review): pinned by tag, not digest. A digest
          # (image@sha256:<digest>) would make the rollout immutable and
          # supply-chain verifiable.
          image: "mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.17"
          args:
            - "--node=$(NODE_NAME)"
            # Managed mode: no MIC; identities are assigned outside of
            # aad-pod-identity and NMI only matches bindings.
            - "--operation-mode=managed"
            # Restricts identity/binding lookups to the requesting pod's
            # namespace (per flag name; confirm in the NMI docs).
            - "--forceNamespaced"
            # Must match livenessProbe.httpGet.port below.
            - "--http-probe-port=8085"
            - "--enableScaleFeatures=true"
            # Mirrors the real IMDS requirement for a Metadata header, so
            # requests lacking it (e.g. from a browser redirect or naive SSRF
            # path) are rejected — confirm exact semantics in the NMI docs.
            - "--metadata-header-required=true"
          env:
            # With hostNetwork: true, status.podIP resolves to the node IP.
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          resources:
            limits:
              cpu: 200m
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 256Mi
          securityContext:
            # Runs as root; combined with the capabilities below this is what
            # NMI needs to program iptables. All capabilities are dropped
            # first and only the three required ones re-added.
            # NOTE(review): allowPrivilegeEscalation and readOnlyRootFilesystem
            # are not set here; verify whether NMI tolerates
            # allowPrivilegeEscalation: false / readOnlyRootFilesystem: true
            # before hardening.
            runAsUser: 0
            capabilities:
              drop:
                - ALL
              add:
                # Presumably needed to read the host-mounted kubelet config.
                - DAC_READ_SEARCH
                # NET_ADMIN + NET_RAW: required for the iptables redirect rules.
                - NET_ADMIN
                - NET_RAW
          volumeMounts:
            # Read-write: the iptables lock must be acquirable.
            - mountPath: /run/xtables.lock
              name: iptableslock
            - name: kubelet-config
              mountPath: /etc/default/kubelet
              readOnly: true
          livenessProbe:
            httpGet:
              path: /healthz
              # Same port as --http-probe-port above.
              port: 8085
            initialDelaySeconds: 10
            periodSeconds: 5
      # Tolerate every taint so NMI lands on all nodes, including control
      # plane and tainted worker nodes.
      tolerations:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux