manager_auth_proxy_patch.yaml 1.1 KB

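  # This patch injects a sidecar container, an HTTP proxy for the controller
  # manager, that performs RBAC authorization against the Kubernetes API using
  # SubjectAccessReviews.
  #
  # Security model: the manager binds its metrics endpoint to loopback
  # (127.0.0.1:8080), so the only way to reach it from outside the pod is the
  # proxy's TLS listener on 8443. The two addresses below must stay in sync.
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: controller-manager
    namespace: system
  spec:
    template:
      spec:
        containers:
          - name: kube-rbac-proxy
            # Container-level hardening: no privilege escalation and every
            # Linux capability dropped.
            # NOTE(review): runAsNonRoot, readOnlyRootFilesystem and
            # seccompProfile are not set in this patch; confirm the base
            # Deployment (pod- or container-level securityContext) covers them.
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                  - "ALL"
            # NOTE(review): the image is pinned by tag only. A tag can be
            # re-pointed at different content, so prefer pinning by digest
            # (<image>@sha256:<digest-placeholder>) where the pipeline allows.
            # Kubebuilder has announced that it is discontinuing the
            # kube-rbac-proxy images under gcr.io/kubebuilder; verify the
            # current status and source of this image before relying on it.
            image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
            args:
              # TLS listener on all pod interfaces; this is the exposed port.
              # No --tls-cert-file/--tls-private-key-file is passed here, so
              # the proxy presumably serves a self-generated certificate that
              # clients cannot validate; confirm, and mount a real one if
              # scrapers are expected to verify the server.
              - "--secure-listen-address=0.0.0.0:8443"
              # Plain HTTP, but only over loopback inside the pod's shared
              # network namespace.
              - "--upstream=http://127.0.0.1:8080/"
              - "--logtostderr=true"
              # Lowest verbosity. NOTE(review): check whether denied requests
              # are still logged at this level if these logs feed detection.
              - "--v=0"
            ports:
              - containerPort: 8443
                protocol: TCP
                name: https
            resources:
              limits:
                cpu: 500m
                memory: 128Mi
              requests:
                cpu: 5m
                memory: 64Mi
          - name: manager
            args:
              # The health probe listens on all interfaces and is not behind
              # the proxy.
              - "--health-probe-bind-address=:8081"
              # Keep this on loopback: binding metrics to a pod-reachable
              # address would expose them without the proxy's authentication
              # and authorization.
              - "--metrics-bind-address=127.0.0.1:8080"
              - "--leader-elect"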