apiVersion: v1
kind: ServiceAccount
metadata:
  name: ip-masq-agent
  namespace: kube-system
  labels:
    k8s-app: ip-masq-agent
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
# https://github.com/kubernetes-incubator/ip-masq-agent/blob/v2.0.0/README.md
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: ip-masq-agent
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile  
spec:
  template:
    metadata:
      labels:
        k8s-app: ip-masq-agent
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      serviceAccountName: ip-masq-agent
      hostNetwork: true
      containers:
      - name: ip-masq-agent
        image: gcr.io/google-containers/ip-masq-agent-amd64:v2.0.2
        resources:
          requests:
            cpu: 10m
            memory: 16Mi
        securityContext:
          privileged: true
        volumeMounts:
          - name: config
            mountPath: /etc/config
      nodeSelector:
        beta.kubernetes.io/masq-agent-ds-ready: "true"  
      volumes:
        - name: config
          configMap:
            # Note this ConfigMap must be created in the same namespace as the daemon pods - this spec uses kube-system
            name: ip-masq-agent
            optional: true
            items:
              # The daemon looks for its config in a YAML file at /etc/config/ip-masq-agent
              - key: config
                path: ip-masq-agent
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"