
kubelet-csr-approver: Initial commit

The [kubelet-csr-approver][0] is a controller that automatically approves
CSRs for kubelets that match certain criteria.  I've had it deployed in
the cluster for a while, but apparently never committed the resources.
These manifest files are taken from the [k8s deployment example][1] in
the upstream repository.

[0]: https://github.com/postfinance/kubelet-csr-approver
[1]: https://github.com/postfinance/kubelet-csr-approver/tree/v1.2.10/deploy/k8s
pull/74/head
Dustin 2025-07-21 18:27:54 -05:00
parent da2b1e60cd
commit 717f9244e7
5 changed files with 155 additions and 0 deletions


@ -0,0 +1,42 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubelet-csr-approver
rules:
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
verbs:
- update
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/kubelet-serving
resources:
- signers
verbs:
- approve
- apiGroups:
- ""
resources:
- events
verbs:
- create
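Review bot: The combination of `update` on `certificatesigningrequests/approval` and `approve` on the `kubernetes.io/kubelet-serving` signer is what lets this controller approve kubelet serving CSRs cluster-wide, but nothing in the file records that this is the intended scope or where the rules came from. A header comment above `apiVersion:` such as `# Copied from kubelet-csr-approver v1.2.10 deploy/k8s; re-sync on upgrade. Approval rights are limited to the kubernetes.io/kubelet-serving signer.` would make the provenance and the deliberate narrowing visible to whoever audits RBAC next. The `resourceNames` restriction on the `signers` rule is the only thing keeping this role from approving other signer classes, so it is worth calling out so it is not dropped during a future resync.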


@ -0,0 +1,53 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubelet-csr-approver
namespace: kube-system
spec:
replicas: 2
selector:
matchLabels:
app: kubelet-csr-approver
template:
metadata:
annotations:
prometheus.io/port: '8080'
prometheus.io/scrape: 'true'
labels:
app: kubelet-csr-approver
spec:
serviceAccountName: kubelet-csr-approver
containers:
- name: kubelet-csr-approver
image: postfinance/kubelet-csr-approver:latest
resources:
limits:
memory: "128Mi"
cpu: "500m"
args:
- -metrics-bind-address
- ":8080"
- -health-probe-bind-address
- ":8081"
- -leader-election
livenessProbe:
httpGet:
path: /healthz
port: 8081
env:
- name: PROVIDER_REGEX
value: ^[abcdef]\.test\.ch$
- name: PROVIDER_IP_PREFIXES
value: "0.0.0.0/0,::/0"
- name: MAX_EXPIRATION_SEC
value: "31622400" # 366 days
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Equal
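Review bot: The container spec sets no `securityContext`, so a process that holds CSR-approval rights runs with the image's default user, a writable root filesystem and the default capability set; for a controller this small the hardened defaults cost nothing and I would add them at the container level as below (plus `seccompProfile: {type: RuntimeDefault}` on the pod `securityContext` if the cluster supports it). `runAsNonRoot: true` only works if the image declares a non-root `USER`; if the upstream image does not, add an explicit `runAsUser`. Two smaller points in the same hunk: `resources` has `limits` but no `requests`, which leaves the pod Burstable and lets the scheduler place it with zero reserved CPU/memory, and the base still references `postfinance/kubelet-csr-approver:latest` — the kustomization in this commit rewrites that to a pinned `v1.2.10`, so this only matters if the base is ever applied on its own, but a comment saying so would stop someone "fixing" it in the wrong place.
```yaml
      containers:
        - name: kubelet-csr-approver
          # … unchanged: image, resources, args, livenessProbe, env …
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
```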


@ -0,0 +1,42 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- pairs:
app.kubernetes.io/instance: kubelet-csr-approver
resources:
- clusterrole.yaml
- deployment.yaml
- rolebinding.yaml
- serviceaccount.yaml
patches:
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubelet-csr-approver
namespace: kube-system
spec:
template:
spec:
containers:
- name: kubelet-csr-approver
imagePullPolicy: IfNotPresent
env:
- name: PROVIDER_REGEX
value: ^(i-[a-z0-9]+\.[a-z0-9-]+\.compute\.internal|k8s-[a-z0-9-]+\.pyrocufflink\.blue|[a-z0-9-]+\.k8s\.pyrocufflink\.black)$
- name: PROVIDER_IP_PREFIXES
value: 172.30.0.0/16
- name: BYPASS_DNS_RESOLUTION
value: 'true'
replicas:
- name: kubelet-csr-approver
count: 1
images:
- name: postfinance/kubelet-csr-approver
newName: ghcr.io/postfinance/kubelet-csr-approver
newTag: v1.2.10
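Review bot: `BYPASS_DNS_RESOLUTION: 'true'` in the patch disables what I understand to be the controller's cross-check that the node name in the CSR resolves to the IP SANs being requested, leaving `PROVIDER_REGEX` and `PROVIDER_IP_PREFIXES` as the only gates on approval; that may be the right trade-off for this cluster, but the reason should be recorded next to it, e.g. `# DNS cross-check disabled: node names are not resolvable from the cluster; rely on regex + 172.30.0.0/16 prefix check instead.` (adjust to the real reason). The regex also accepts three separate name shapes (`i-*.compute.internal`, `k8s-*.pyrocufflink.blue`, `*.k8s.pyrocufflink.black`); a one-line comment per alternative saying which node pool it covers would make it reviewable when the pool list changes. Finally, `images` pins by tag only; kustomize's image transformer also accepts `digest: sha256:<digest-of-v1.2.10-image>` (placeholder), which pins the exact artifact and is the usual answer for a component that approves certificates.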


@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubelet-csr-approver
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubelet-csr-approver
subjects:
- kind: ServiceAccount
name: kubelet-csr-approver
namespace: kube-system
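Review bot: `metadata.namespace: kube-system` on a `ClusterRoleBinding` is meaningless, since the resource is cluster-scoped; depending on the tooling it is silently dropped or, with some validators, rejected, and either way it suggests the binding is namespaced when it is not. I would remove the line under `metadata:` so the object reads the same way it is stored by the API server. The `namespace` under `subjects` is correct and must stay — that is what ties the binding to the `kube-system` ServiceAccount.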


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubelet-csr-approver
namespace: kube-system