--- apiVersion: v1 kind: ServiceAccount metadata: name: kubelet-csr-approver namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kubelet-csr-approver rules: - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests verbs: - get - list - watch - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - get - update - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests/approval verbs: - update - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/kubelet-serving resources: - signers verbs: - approve - apiGroups: - "" resources: - events verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubelet-csr-approver namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubelet-csr-approver subjects: - kind: ServiceAccount name: kubelet-csr-approver namespace: kube-system --- apiVersion: apps/v1 kind: Deployment metadata: name: kubelet-csr-approver namespace: kube-system spec: replicas: 2 selector: matchLabels: app: kubelet-csr-approver template: metadata: labels: app: kubelet-csr-approver spec: serviceAccountName: kubelet-csr-approver containers: - name: kubelet-csr-approver image: postfinance/kubelet-csr-approver:v1.2.10 resources: limits: memory: "128Mi" cpu: "500m" args: - -metrics-bind-address - ":8080" - -health-probe-bind-address - ":8081" - -leader-election livenessProbe: httpGet: path: /healthz port: 8081 env: - name: PROVIDER_REGEX value: ^.*$ - name: PROVIDER_IP_PREFIXES value: "0.0.0.0/0,::/0" - name: MAX_EXPIRATION_SECONDS value: "31622400" # 366 days - name: BYPASS_DNS_RESOLUTION value: "true" tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master operator: Equal - effect: NoSchedule key: node-role.kubernetes.io/control-plane operator: Equal