feat(core): add kube-rbac-proxy to virtualization-controller

Signed-off-by: Maksim Fedotov <[email protected]>
deckhouse · Nov 6, 2024 · fdec765 · fdec765
1 parent 083032e
commit fdec765
Showing 1 changed file with 61 additions and 0 deletions.
diff --git a/templates/virtualization-controller/deployment.yaml b/templates/virtualization-controller/deployment.yaml
@@ -92,6 +92,67 @@ spec:
           env:
             {{- include "kube_api_rewriter.kubeconfig_env" . | nindent 12 }}
             {{- include "virtualization-controller.envs" . | nindent 12 }}
+        - name: kube-rbac-proxy
+          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+          image: {{ include "helm_lib_module_common_image" (list . "kubeRbacProxy") }}
+          args:
+          - "--secure-listen-address=$(KUBE_RBAC_PROXY_LISTEN_ADDRESS):8443"
+          - "--client-ca-file=/etc/kube-rbac-proxy/ca.crt"
+          - "--v=2"
+          - "--logtostderr=true"
+          - "--stale-cache-interval=1h30m"
+          - "--livez-path=/livez"
+          env:
+          - name: KUBE_RBAC_PROXY_LISTEN_ADDRESS
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          - name: KUBE_RBAC_PROXY_CONFIG
+            value: |
+              excludePaths:
+              - /config
+              upstreams:
+              - upstream: http://127.0.0.1:8080/
+                path: /
+                authorization:
+                  resourceAttributes:
+                    namespace: d8-virtualization
+                    apiGroup: apps
+                    apiVersion: v1
+                    resource: deployments
+                    subresource: http
+                    name: dashboard
+          ports:
+          - containerPort: 8443
+            name: https
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: 8443
+              scheme: HTTPS
+          readinessProbe:
+            httpGet:
+              path: /livez
+              port: 8443
+              scheme: HTTPS
+          resources:
+            requests:
+              {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }}
+  {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler") }}
+              {{- include "helm_lib_container_kube_rbac_proxy_resources" . | nindent 12 }}
+  {{- end }}
+          volumeMounts:
+          - name: kube-rbac-proxy-ca
+            mountPath: /etc/kube-rbac-proxy
+      {{- end }}
+        serviceAccountName: dashboard
+        volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: kube-rbac-proxy-ca
+          configMap:
+            defaultMode: 420
+            name: kube-rbac-proxy-ca.crt
 
       dnsPolicy: ClusterFirst
       serviceAccountName: virtualization-controller