diff --git a/deploy/ccm-linode-template.yaml b/deploy/ccm-linode-template.yaml index 4f0048b1..829da922 100644 --- a/deploy/ccm-linode-template.yaml +++ b/deploy/ccm-linode-template.yaml @@ -77,10 +77,17 @@ spec: labels: app: ccm-linode spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: ccm-linode - nodeSelector: - # The CCM will only run on a Node labelled as a master, you may want to change this - node-role.kubernetes.io/control-plane: "" tolerations: # The CCM can run on Nodes tainted as masters - key: "node-role.kubernetes.io/control-plane" @@ -122,6 +129,11 @@ spec: secretKeyRef: name: ccm-linode key: region + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumes: - name: k8s hostPath: diff --git a/deploy/chart/templates/daemonset.yaml b/deploy/chart/templates/daemonset.yaml index f2ca2985..6f1c304d 100644 --- a/deploy/chart/templates/daemonset.yaml +++ b/deploy/chart/templates/daemonset.yaml @@ -15,13 +15,21 @@ spec: app: ccm-linode spec: serviceAccountName: ccm-linode - {{- if .Values.nodeSelector }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.tolerations }} + {{- with .Values.tolerations }} tolerations: -{{ toYaml .Values.tolerations | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} hostNetwork: true containers: 
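Review bot: The required nodeAffinity that replaces `nodeSelector` is a hard scheduling constraint, and the removed comment `# The CCM will only run on a Node labelled as a master, you may want to change this` was the only hint that operators whose control-plane nodes lack the `node-role.kubernetes.io/control-plane` label must edit it, otherwise the DaemonSet schedules no pods at all; I would carry that comment over above the new `affinity:` key. The pod-level `securityContext` gains only `seccompProfile`; if the image runs as a non-root user (not visible in this diff, confirm against the Dockerfile) `runAsNonRoot: true` belongs here as well to bring the pod close to the Pod Security "restricted" profile. The tolerations list continues past the end of the hunk.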
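Review bot: The new container `securityContext` drops all capabilities and blocks privilege escalation but leaves the container root filesystem writable; unless the CCM writes to its own filesystem (nothing in this diff suggests it does), `readOnlyRootFilesystem: true` is a cheap addition to the same block. The `/etc/kubernetes` hostPath volume declared directly below is what actually exposes the node — on kubeadm-style control planes it typically holds kubeconfigs and PKI material — so the matching `volumeMount` should carry `readOnly: true` if it does not already; the mount itself is outside this hunk.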
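Review bot: `hostNetwork: true` stays hard-coded immediately after the newly templated `securityContext`, `nodeSelector` and `affinity` blocks, so the pod still fails the Pod Security "baseline" profile regardless of what the new security-context values contain. A one-line comment stating why the CCM needs the host network namespace (presumably because it must run before the CNI is up — confirm), or a `hostNetwork` value so operators can turn it off where it is not required, would make the hardening story coherent. Note also that when both `nodeSelector` and `affinity` are set they are rendered together and Kubernetes ANDs them, which is worth a comment next to the `nodeSelector` block.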
@@ -33,8 +41,8 @@ spec:
 - --v=3
 - --secure-port=10253
 - --webhook-secure-port=0
- {{- if .Values.linodegoDebug }}
- - --linodego-debug={{ .Values.linodegoDebug }}
+ {{- with .Values.linodegoDebug }}
+ - --linodego-debug={{ . }}
 {{- end }}
 {{- if .Values.routeController }}
 - --enable-route-controller=true
@@ -44,36 +52,40 @@ spec: {{- if not (or .Values.routeController.vpcName .Values.routeController.vpcNames) }} {{- fail "Neither vpcName nor vpcNames is set. Please set one of them." }} {{- end }} - {{- if .Values.routeController.vpcName }} - - --vpc-name={{ .Values.routeController.vpcName }} + {{- with .Values.routeController.vpcName }} + - --vpc-name={{ . }} {{- end }} - {{- if .Values.routeController.vpcNames }} - - --vpc-names={{ .Values.routeController.vpcNames }} + {{- with .Values.routeController.vpcNames }} + - --vpc-names={{ . }} {{- end }} - --configure-cloud-routes={{ default true .Values.routeController.configureCloudRoutes }} - --cluster-cidr={{ required "A valid .Values.routeController.clusterCIDR is required" .Values.routeController.clusterCIDR }} - {{- if .Values.routeController.routeReconciliationPeriod }} - - --route-reconciliation-period={{ .Values.routeController.routeReconciliationPeriod }} + {{- with .Values.routeController.routeReconciliationPeriod }} + - --route-reconciliation-period={{ . }} {{- end }} {{- end }} {{- if .Values.sharedIPLoadBalancing }} - {{- if .Values.sharedIPLoadBalancing.bgpNodeSelector }} - - --bgp-node-selector={{ .Values.sharedIPLoadBalancing.bgpNodeSelector }} + {{- with .Values.sharedIPLoadBalancing.bgpNodeSelector }} + - --bgp-node-selector={{ . }} {{- end }} - {{- if .Values.sharedIPLoadBalancing.ipHolderSuffix }} - - --ip-holder-suffix={{ .Values.sharedIPLoadBalancing.ipHolderSuffix }} + {{- with .Values.sharedIPLoadBalancing.ipHolderSuffix }} + - --ip-holder-suffix={{ . }} {{- end}} - --load-balancer-type={{ required "A valid .Values.sharedIPLoadBalancing.loadBalancerType is required for shared IP load-balancing" .Values.sharedIPLoadBalancing.loadBalancerType }} {{- end }} - {{- if .Values.tokenHealthChecker }} - - --enable-token-health-checker={{ .Values.tokenHealthChecker }} + {{- with .Values.tokenHealthChecker }} + - --enable-token-health-checker={{ . 
}} {{- end }} - {{- if .Values.nodeBalancerTags }} - - --nodebalancer-tags={{ join " " .Values.nodeBalancerTags }} + {{- with .Values.nodeBalancerTags }} + - --nodebalancer-tags={{ join " " . }} {{- end }} {{- if .Values.allowUnauthorizedMetrics }} - --authorization-always-allow-paths="/metrics" {{- end }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - mountPath: /etc/kubernetes name: k8s diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml index 40c51f65..cea0ae26 100644 --- a/deploy/chart/values.yaml +++ b/deploy/chart/values.yaml @@ -10,10 +10,27 @@ region: "" # apiTokenRef: "apiToken" # regionRef: "region" -# node-role.kubernetes.io/master - if set true, it deploys the svc on the master node -nodeSelector: - # The CCM will only run on a Node labelled as a master, you may want to change this - node-role.kubernetes.io/control-plane: "" +# Ensures the CCM runs on control plane nodes +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + +# DEPRECATED: use affinity instead +nodeSelector: {} + +securityContext: + seccompProfile: + type: RuntimeDefault + +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL # Image repository must be 'linode/linode-cloud-controller-manager'. The tag can be changed/set to various ccm versions. # The pullPolicy is set to Always but can be changed when it is not required to always pull the new image
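Review bot: `nodeSelector` is marked deprecated but is still rendered by the chart, and Kubernetes ANDs a nodeSelector with required nodeAffinity, so an operator upgrading with a custom `nodeSelector` (for example one targeting worker nodes) now also inherits the control-plane affinity default and ends up with pods that never schedule unless they also clear it. I would extend the comment to `# DEPRECATED: use affinity instead; nodeSelector is ANDed with the affinity above, so set affinity to null to rely on nodeSelector alone.` The `seccompProfile.type: RuntimeDefault` default also assumes a Kubernetes release that supports the securityContext seccomp field (1.19+); if the chart declares a `kubeVersion` constraint elsewhere it should be checked against that.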