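# Pod manifest template for kube-proxy in the kube-system namespace.
# The double-brace placeholders are filled in before the kubelet reads this
# file, so the text below is only valid YAML after rendering.
# NOTE(review): the renderer is not visible here; the pillar[...] lookups
# suggest Salt, to be confirmed. Placeholders are deliberately not repeated
# inside comments, because a text-substitution renderer would rewrite them too.
apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
  # This annotation ensures that kube-proxy does not get evicted if the node
  # supports critical pod annotation based priority scheme.
  # Note that kube-proxy runs as a static pod so this annotation does NOT have
  # any effect on rescheduler (default scheduler and rescheduler are not
  # involved in scheduling kube-proxy).
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ''
  labels:
    tier: node
    component: kube-proxy
spec:
  # Optional pod-priority field; presumably renders to a priority setting or
  # to nothing. Confirm against the renderer.
  {{pod_priority}}
  # The pod shares the node's network namespace, so it sees and can bind
  # every host interface and port.
  hostNetwork: true
  # No key is given, so each entry tolerates every taint with that effect:
  # the pod stays on tainted nodes and is not evicted by NoExecute taints.
  tolerations:
  - operator: "Exists"
    effect: "NoExecute"
  - operator: "Exists"
    effect: "NoSchedule"
  containers:
  - name: kube-proxy
    # Registry and tag both come from rendered values. Whoever controls them
    # chooses the code that runs privileged on the node; a tag is mutable, so
    # a digest-pinned reference is the stronger guarantee where available.
    image: {{pillar['kube_docker_registry']}}/kube-proxy:{{pillar['kube-proxy_docker_tag']}}
    resources:
      requests:
        cpu: {{ cpurequest }}
    command:
    - /bin/sh
    - -c
    # The rendered values are spliced into a string that /bin/sh interprets,
    # so shell metacharacters in any of them are executed, not passed through.
    # They must come from trusted configuration only.
    # --oom-score-adj=-998 makes the kernel OOM killer very unlikely to pick
    # this process.
    # stdout and stderr are appended to /var/log/kube-proxy.log on the host
    # (via the varlog mount) instead of the container's log stream.
    # NOTE(review): nothing in this manifest rotates that file.
    - exec kube-proxy {{api_servers_with_port}} {{kubeconfig}} {{cluster_cidr}} --resource-container="" --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
    # The next three placeholders presumably render to an optional env block
    # (key, entry name, entry value) or to nothing. The rendered text lands
    # at these columns, so their indentation is significant.
    # NOTE(review): layout reconstructed; confirm against the renderer.
    {{container_env}}
    {{kube_cache_mutation_detector_env_name}}
      {{kube_cache_mutation_detector_env_value}}
    # Privileged mode removes the container's isolation from the node (all
    # capabilities, host devices). Together with hostNetwork and the writable
    # hostPath mounts below, control of this container is control of the node.
    # NOTE(review): whether a narrower capability set could replace this
    # depends on what the proxy writes on the host; confirm before changing.
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: etc-ssl-certs
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-ca-certs
      readOnly: true
    # The whole host /var/log is writable from the container, not only
    # kube-proxy.log, so other host logs can be altered from inside it.
    # That matters when those logs are used as evidence.
    - mountPath: /var/log
      name: varlog
      readOnly: false
    # Credential file, mounted writable.
    # NOTE(review): if kube-proxy only reads this file, readOnly: true would
    # be the tighter setting; confirm nothing rewrites it.
    - mountPath: /var/lib/kube-proxy/kubeconfig
      name: kubeconfig
      readOnly: false
    # Lock file shared with the host; presumably serialises iptables updates
    # with other processes on the node.
    - mountPath: /run/xtables.lock
      name: iptableslock
      readOnly: false
    # Host kernel modules, read-only.
    - mountPath: /lib/modules
      name: lib-modules
      readOnly: true
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
    name: usr-ca-certs
  - hostPath:
      path: /etc/ssl/certs
    name: etc-ssl-certs
  # FileOrCreate: an empty file is created on the host if the path is
  # missing, so an absent kubeconfig does not stop the pod from starting.
  - hostPath:
      path: /var/lib/kube-proxy/kubeconfig
      type: FileOrCreate
    name: kubeconfig
  - hostPath:
      path: /var/log
    name: varlog
  - hostPath:
      path: /run/xtables.lock
      type: FileOrCreate
    name: iptableslock
  - name: lib-modules
    hostPath:
      path: /lib/modules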