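---
# https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
#
# Node bootstrap DaemonSet: applies host sysctls, installs host packages and
# adds a forwarding rule, all by entering the node's root mount namespace.
# Every init container below runs privileged with hostPID and executes as
# root on the node itself; restrict who may apply or edit this manifest
# accordingly.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-init
  namespace: kube-system
  labels:
    root-init.k8s.exa.fi/component-name: node-init
spec:
  selector:
    matchLabels:
      root-init.k8s.exa.fi/component-name: node-init
  template:
    metadata:
      labels:
        root-init.k8s.exa.fi/component-name: node-init
    spec:
      tolerations:
        # this toleration is to have the daemonset runnable on master nodes
        # remove it if your masters can't run pods
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        # newer clusters taint control-plane nodes with this key instead of
        # the legacy "master" one; tolerating both keeps either layout working
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
      initContainers:
        # this is implemented dorkily like this to cause it to be recreated
        # whenever there's a change. this is intended to eventually be moved
        # into a helm chart to use in argocd where this will make more sense
        #
        # alpine:3.7 is a tag-only reference; pin it by digest
        # (alpine:3.7@sha256:<digest-placeholder>) so the image that gets
        # root on every node cannot silently change under the same tag.
        - name: set-sysctls
          image: alpine:3.7
          command: ["sh", "-c"]
          # args[0] is the script, args[1] ("unused") becomes $0 and the
          # remaining key=value pairs are $1..$N for the loop below
          args:
            - |-
              set -x
              rc=0
              while [ $# -gt 0 ]; do
                # a failing sysctl no longer goes unnoticed: keep applying the
                # rest, but report failure so the init container is retried
                nsenter --mount=/proc/1/ns/mnt -- sysctl "$1" || rc=1
                shift
              done
              exit $rc
            - unused
            - net.core.rmem_max=67108864
            - net.core.wmem_max=67108864
            - net.ipv4.tcp_rmem=4096 87380 33554432
            - net.ipv4.tcp_wmem=4096 65536 33554432
            - net.ipv4.tcp_mtu_probing=1
            - fs.inotify.max_user_instances=511
            - fs.inotify.max_user_watches=524288
            - vm.max_map_count=262144
          securityContext:
            privileged: true
        - name: install-packages
          image: alpine:3.7
          command: ["sh", "-c"]
          # NOTE(review): no `apt-get update` is run first; this assumes the
          # host's package index is already usable — confirm for your nodes.
          args:
            - |-
              rc=0
              nsenter --mount=/proc/1/ns/mnt -- dpkg --configure -a || rc=1
              for f in open-iscsi uuid htop curl nfs-common iptables qemu-kvm virtinst neovim ethtool iproute2 moreutils; do
                echo "installing $f"
                # noninteractive frontend: there is no tty here, so a debconf
                # prompt would otherwise hang the init container
                nsenter --mount=/proc/1/ns/mnt -- env DEBIAN_FRONTEND=noninteractive apt-get install -y "$f" || rc=1
              done
              exit $rc
          securityContext:
            privileged: true
        - name: iptables
          image: alpine:3.7
          command: ["nsenter", "--mount=/proc/1/ns/mnt", "--", "sh", "-c"]
          # idempotent: only append the rule when it is not already present,
          # otherwise every pod restart adds a duplicate FORWARD entry.
          # NOTE(review): assumes the host bridge is named br0 — confirm.
          args:
            - |-
              iptables -C FORWARD -i br0 -j ACCEPT 2>/dev/null ||
                iptables -A FORWARD -i br0 -j ACCEPT
          securityContext:
            privileged: true
      containers:
        # no-op main container; the work is done by the init containers
        - name: finished-sleep-forever
          # k8s.gcr.io is the legacy registry host; newer clusters pull the
          # pause image from registry.k8s.io instead
          image: k8s.gcr.io/pause:3.1
          securityContext:
            privileged: false
      terminationGracePeriodSeconds: 0
      # hostNetwork so the iptables step acts on the node's tables;
      # hostPID so /proc/1 is the host's init and its mount namespace can be
      # entered via nsenter
      hostNetwork: true
      hostPID: true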