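---
# Jinja-templated Deployment for netchecker-server. The pod runs two
# containers: the netchecker server and an etcd sidecar that it reaches
# over loopback. YAML comments in this file are emitted into the rendered
# manifest, so keep Jinja delimiters out of them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: netchecker-server
  namespace: {{ netcheck_namespace }}
  labels:
    app: netchecker-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: netchecker-server
  template:
    metadata:
      name: netchecker-server
      labels:
        app: netchecker-server
    spec:
      # system-cluster-critical when deployed into kube-system, otherwise
      # k8s-cluster-critical. The trailing empty-string expression
      # presumably keeps the line break after the endif tag when
      # trim_blocks is on; confirm before removing it.
      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
      volumes:
        # emptyDir: etcd state lives only as long as the pod does.
        # NOTE(review): no sizeLimit is set on this volume.
        - name: etcd-data
          emptyDir: {}
      containers:
        - name: netchecker-server
          image: "{{ netcheck_server_image_repo }}:{{ netcheck_server_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          resources:
            limits:
              cpu: {{ netchecker_server_cpu_limit }}
              memory: {{ netchecker_server_memory_limit }}
            requests:
              cpu: {{ netchecker_server_cpu_requests }}
              memory: {{ netchecker_server_memory_requests }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ['ALL']
            # The fallback UID must be non-zero: runAsNonRoot is true below,
            # and the kubelet refuses to start a container whose runAsUser
            # is 0 under that setting. 1000 is an arbitrary non-root
            # fallback; set netchecker_server_user explicitly and confirm
            # the image runs under the chosen UID.
            runAsUser: {{ netchecker_server_user | default('1000') }}
            # NOTE(review): the fallback GID is still 0 (root group).
            # runAsNonRoot checks the UID only, so this does not block
            # start-up.
            runAsGroup: {{ netchecker_server_group | default('0') }}
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8081
          args:
            - -v={{ netchecker_server_log_level }}
            - -logtostderr
            - -kubeproxyinit=false
            # Listens on every interface of the pod. Who can reach 8081
            # depends on the Service and NetworkPolicy objects, which are
            # not part of this template.
            - -endpoint=0.0.0.0:8081
            # Plain-HTTP etcd on loopback: the sidecar defined below.
            - -etcd-endpoints=http://127.0.0.1:2379
        - name: etcd
          image: "{{ etcd_image_repo }}:{{ netcheck_etcd_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          env:
            - name: ETCD_LOG_LEVEL
              value: "{{ netchecker_etcd_log_level }}"
          command:
            - etcd
            # Client URLs use plain HTTP with no TLS. They are bound to
            # 127.0.0.1, so only containers sharing this pod's network
            # namespace can connect. Keep them on loopback unless TLS and
            # authentication are added.
            - --listen-client-urls=http://127.0.0.1:2379
            - --advertise-client-urls=http://127.0.0.1:2379
            - --data-dir=/var/lib/etcd
            # NOTE(review): confirm that the etcd release selected by
            # netcheck_etcd_image_tag still accepts the v2 API flag.
            - --enable-v2
            - --force-new-cluster
          volumeMounts:
            - mountPath: /var/lib/etcd
              name: etcd-data
          resources:
            limits:
              cpu: {{ netchecker_etcd_cpu_limit }}
              memory: {{ netchecker_etcd_memory_limit }}
            requests:
              cpu: {{ netchecker_etcd_cpu_requests }}
              memory: {{ netchecker_etcd_memory_requests }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ['ALL']
            # The sidecar reuses the server's UID/GID variables. The
            # fallback UID is non-zero for the same reason as above:
            # runAsNonRoot is true, so UID 0 would keep the container
            # from starting.
            runAsUser: {{ netchecker_server_user | default('1000') }}
            runAsGroup: {{ netchecker_server_group | default('0') }}
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      tolerations:
        # No key with operator Exists: tolerates every NoSchedule taint, so
        # the pod may be scheduled onto any tainted node, including
        # control-plane nodes that carry such a taint.
        - effect: NoSchedule
          operator: Exists
      serviceAccountName: netchecker-server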