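# Kubernetes manifests for kubelet TLS bootstrapping plus automatic approval
# of kubelet *serving* CSRs via postfinance/kubelet-csr-approver.
#
# Evaluates to a list of Kubernetes resources (attrsets) for a NixOS module
# consumer. Only `config.networking.fqdnOrHostName` is read from `config`.
{ config, ... }: [
  # Let members of system:bootstrappers (bootstrap-token holders) submit CSRs.
  {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRoleBinding";
    metadata = { name = "create-csrs-for-bootstrapping"; };
    subjects = [
      { kind = "Group"; name = "system:bootstrappers"; apiGroup = "rbac.authorization.k8s.io"; }
    ];
    roleRef = {
      kind = "ClusterRole";
      name = "system:node-bootstrapper";
      apiGroup = "rbac.authorization.k8s.io";
    };
  }

  # Auto-approve the initial *client* CSR of any bootstrapper. Possession of a
  # bootstrap token is therefore sufficient to obtain a node client identity,
  # so token issuance and TTL are the security boundary here.
  {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRoleBinding";
    metadata = { name = "auto-approve-csrs-for-group"; };
    subjects = [
      { kind = "Group"; name = "system:bootstrappers"; apiGroup = "rbac.authorization.k8s.io"; }
    ];
    roleRef = {
      kind = "ClusterRole";
      name = "system:certificates.k8s.io:certificatesigningrequests:nodeclient";
      apiGroup = "rbac.authorization.k8s.io";
    };
  }

  # Auto-approve client-certificate renewals for identities already in
  # system:nodes (self-requested only, via the selfnodeclient role).
  {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRoleBinding";
    metadata = { name = "auto-approve-renewals-for-nodes"; };
    subjects = [
      { kind = "Group"; name = "system:nodes"; apiGroup = "rbac.authorization.k8s.io"; }
    ];
    roleRef = {
      kind = "ClusterRole";
      name = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient";
      apiGroup = "rbac.authorization.k8s.io";
    };
  }

  # Least-privilege role for the approver: it can read CSRs and update their
  # approval status, but may only approve for the kubelet-serving signer
  # (resourceNames), so it cannot mint arbitrary client or CA certificates.
  {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRole";
    metadata = { name = "kubelet-csr-approver"; };
    rules = [
      {
        apiGroups = [ "certificates.k8s.io" ];
        resources = [ "certificatesigningrequests" ];
        verbs = [ "get" "list" "watch" ];
      }
      # Leases: presumably leader election between replicas — harmless at replicas = 1.
      {
        apiGroups = [ "coordination.k8s.io" ];
        resources = [ "leases" ];
        verbs = [ "create" "get" "update" ];
      }
      {
        apiGroups = [ "certificates.k8s.io" ];
        resources = [ "certificatesigningrequests/approval" ];
        verbs = [ "update" ];
      }
      {
        apiGroups = [ "certificates.k8s.io" ];
        resourceNames = [ "kubernetes.io/kubelet-serving" ];
        resources = [ "signers" ];
        verbs = [ "approve" ];
      }
      {
        apiGroups = [ "" ];
        resources = [ "events" ];
        verbs = [ "create" ];
      }
    ];
  }

  # Bind the role to the approver's ServiceAccount. ClusterRoleBindings are
  # cluster-scoped: the `namespace = "kube-system"` that used to sit in this
  # metadata block is meaningless for this kind (the API server discards it)
  # and has been removed; the subject below still names the namespace.
  {
    apiVersion = "rbac.authorization.k8s.io/v1";
    kind = "ClusterRoleBinding";
    metadata = { name = "kubelet-csr-approver"; };
    roleRef = {
      apiGroup = "rbac.authorization.k8s.io";
      kind = "ClusterRole";
      name = "kubelet-csr-approver";
    };
    subjects = [
      { kind = "ServiceAccount"; name = "kubelet-csr-approver"; namespace = "kube-system"; }
    ];
  }

  {
    apiVersion = "v1";
    kind = "ServiceAccount";
    metadata = { name = "kubelet-csr-approver"; namespace = "kube-system"; };
  }

  # The approver itself, running on the control plane.
  {
    apiVersion = "apps/v1";
    kind = "Deployment";
    metadata = { name = "kubelet-csr-approver"; namespace = "kube-system"; };
    spec = {
      replicas = 1;
      selector = { matchLabels = { app = "kubelet-csr-approver"; }; };
      template = {
        metadata = { labels = { app = "kubelet-csr-approver"; }; };
        spec = {
          serviceAccountName = "kubelet-csr-approver";
          containers = [
            {
              name = "kubelet-csr-approver";
              # NOTE(review): unpinned ":latest" tag. This component decides which
              # serving certificates get signed, so pin it to a release tag or an
              # image digest to keep the supply chain reproducible and auditable.
              image = "postfinance/kubelet-csr-approver:latest";
              # Health-probe port must agree with livenessProbe.httpGet.port below.
              args = [ "-metrics-bind-address" ":8080" "-health-probe-bind-address" ":8081" ];
              livenessProbe = { httpGet = { path = "/healthz"; port = 8081; }; };
              resources = { requests = { cpu = "100m"; memory = "200Mi"; }; };
              env = [
                # Only CSRs whose node name matches this host's FQDN are approved.
                # Presumably a single-node cluster; on a multi-node cluster other
                # nodes' serving CSRs would be rejected — confirm before reuse.
                { name = "PROVIDER_REGEX"; value = "^${config.networking.fqdnOrHostName}$"; }
                # NOTE(review): the IP allowlist includes loopback and link-local
                # ranges (127.0.0.0/8, 169.254.0.0/16, ::1/128, fe80::/10). Confirm
                # those are intended as acceptable node IP SANs.
                { name = "PROVIDER_IP_PREFIXES"; value = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8,169.254.0.0/16,::1/128,fe80::/10,fc00::/7"; }
                # 31622400 s = 366 days: upper bound on requested certificate lifetime.
                { name = "MAX_EXPIRATION_SEC"; value = "31622400"; }
                # NOTE(review): presumably skips the approver's DNS cross-check of the
                # node name against the requested IP SANs, relying on the regex and
                # prefix checks alone — verify against upstream docs that this is intended.
                { name = "BYPASS_DNS_RESOLUTION"; value = "true"; }
              ];
            }
          ];
          tolerations = [
            { effect = "NoSchedule"; key = "node-role.kubernetes.io/control-plane"; operator = "Equal"; }
          ];
        };
      };
    };
  }
]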