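---
# https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
#
# node-init: per-node preparation run as a DaemonSet. All real work happens in
# privileged init containers that nsenter into the host's mount namespace
# (PID 1 is the host init because of hostPID), so each init container is
# effectively root on the node. The only long-running container is a pause
# image that keeps the pod Running so the init steps are not re-run until the
# pod spec changes.
#
# SECURITY: anyone who can edit this object, or replace what its image tags
# resolve to, gets root on every node including control-plane nodes. Restrict
# RBAC on kube-system DaemonSets accordingly and treat the images referenced
# below as part of the node's trusted computing base.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-init
  namespace: kube-system
  labels:
    root-init.k8s.exa.fi/component-name: node-init
spec:
  selector:
    matchLabels:
      root-init.k8s.exa.fi/component-name: node-init
  template:
    metadata:
      labels:
        root-init.k8s.exa.fi/component-name: node-init
    spec:
      # hostPID is what makes /proc/1/ns/mnt the host's mount namespace;
      # hostNetwork lets the iptables step operate on the host's tables.
      hostPID: true
      hostNetwork: true
      terminationGracePeriodSeconds: 0
      tolerations:
        # Run on control-plane nodes as well; drop these tolerations if your
        # control-plane nodes must not run workload pods.
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        # Newer clusters taint control-plane nodes with this key instead.
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      initContainers:
        # The init containers are deliberately "dorky": keeping their inputs in
        # args means any change to a sysctl or package re-creates the pod and
        # re-applies the step. Intended to move into a Helm chart / Argo CD.
        #
        # NOTE(review): alpine:3.7 is end-of-life and is referenced by a
        # mutable tag. Pin a maintained release by digest
        # (alpine:<ver>@sha256:...) so a registry-side change cannot swap the
        # code that runs as root on every node. nsenter comes from the
        # image's busybox.
        - name: set-sysctls
          image: alpine:3.7
          command: ["sh", "-c"]
          # args[0] is the script; "unused" becomes $0; everything after it is
          # a sysctl key=value pair consumed one at a time via $1/shift.
          # Values containing spaces (tcp_rmem/tcp_wmem) stay a single
          # argument because each is its own list item.
          args:
            - |-
              set -x
              while [ $# -gt 0 ]; do
                # Run the host's sysctl so the setting lands on the node, not
                # in the container. Failures are logged but do not stop the
                # remaining settings from being applied.
                nsenter --mount=/proc/1/ns/mnt -- sysctl "$1" || echo "sysctl $1 failed" >&2
                shift
              done
            - unused
            - net.core.rmem_max=67108864
            - net.core.wmem_max=67108864
            - net.ipv4.tcp_rmem=4096 87380 33554432
            - net.ipv4.tcp_wmem=4096 65536 33554432
            - net.ipv4.tcp_mtu_probing=1
            - fs.inotify.max_user_instances=511
            - fs.inotify.max_user_watches=524288
            - vm.max_map_count=262144
          securityContext:
            privileged: true
        # Installs host packages with the host's apt-get (the node is assumed
        # to be Debian/Ubuntu based; dpkg/apt-get must exist there).
        #
        # SECURITY: this list includes interactive and virtualization tooling
        # (qemu-kvm, virtinst, neovim, htop) on every node, which widens the
        # node's attack surface; keep it to what the nodes actually need.
        - name: install-packages
          image: alpine:3.7
          command: ["sh", "-c"]
          args:
            - |-
              set -x
              # nsenter keeps the environment, so this reaches the host apt-get
              # and prevents it from blocking on a debconf prompt.
              export DEBIAN_FRONTEND=noninteractive
              # Finish any interrupted dpkg run before installing anything.
              nsenter --mount=/proc/1/ns/mnt -- dpkg --configure -a
              # NOTE(review): there is no apt-get update here; installs rely on
              # the package lists already present on the host.
              # Each package is installed on its own so one failure does not
              # block the others; failures are logged to stderr.
              for f in open-iscsi uuid htop curl nfs-common iptables qemu-kvm virtinst neovim ethtool iproute2 moreutils; do
                echo "installing $f"
                nsenter --mount=/proc/1/ns/mnt -- apt-get install -y "$f" || echo "failed to install $f" >&2
              done
          securityContext:
            privileged: true
        # Here the whole shell runs inside the host mount namespace, so "sh"
        # and "iptables" are the host's binaries.
        - name: iptables
          image: alpine:3.7
          command: ["nsenter", "--mount=/proc/1/ns/mnt", "--", "sh", "-c"]
          args:
            - |-
              # Allow forwarding of traffic arriving on br0. Check for the rule
              # first (-C) so a pod restart does not append a duplicate every
              # time this init container re-runs.
              # SECURITY: this accepts all forwarded traffic from br0 with no
              # destination or state match; scope it if br0 carries untrusted
              # guests.
              iptables -C FORWARD -i br0 -j ACCEPT 2>/dev/null || iptables -A FORWARD -i br0 -j ACCEPT
          securityContext:
            privileged: true
      containers:
        # Inert placeholder that keeps the pod Running after the init
        # containers finished. It still shares hostPID/hostNetwork with the pod
        # (pod-level settings), so keep it as locked down as possible.
        # NOTE(review): k8s.gcr.io is frozen; registry.k8s.io is the current
        # home for the pause image.
        - name: finished-sleep-forever
          image: k8s.gcr.io/pause:3.1
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]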