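---
# Namespace that holds the controller manager Deployment defined below.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    control-plane: controller-manager
  name: system
---
# Controller manager Deployment. The pod is pinned to control-plane nodes,
# runs as root and mounts the host's etcd PKI directory, so it holds
# credentials for the cluster's etcd. Treat changes to this manifest as
# security-sensitive.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
  labels:
    control-plane: controller-manager
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
  replicas: 1
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: manager
      labels:
        control-plane: controller-manager
    spec:
      securityContext:
        # required to read etcd certs and keys from /etc/kubernetes/pki
        runAsUser: 0
      containers:
        - command:
            - /manager
          args:
            - --leader-elect
          # NOTE(review): "controller:latest" is presumably a placeholder that
          # the build/deploy tooling replaces - confirm. A mutable tag should
          # not reach a cluster; pin the released image by digest.
          image: controller:latest
          name: manager
          securityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): the container still runs as UID 0 with the
            # runtime's default capability set. Consider
            # `capabilities: {drop: [ALL]}` and `readOnlyRootFilesystem: true`
            # if the manager works without them - verify before enabling.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 15
            periodSeconds: 20
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 5
            periodSeconds: 10
          volumeMounts:
            # Host etcd certificates and private keys. The stated need is to
            # read them, so the mount is read-only like the two below; a
            # root process must not be able to alter the host's etcd PKI.
            - mountPath: /etc/kubernetes/pki/etcd
              name: etcd-certs
              readOnly: true
            - mountPath: /etc/azure
              name: azureconfig
              readOnly: true
            - mountPath: /etc/gce
              name: gceconf
              readOnly: true
          resources:
            limits:
              cpu: 500m
              memory: 128Mi
            requests:
              cpu: 10m
              memory: 64Mi
      volumes:
        # hostPath into the node filesystem; type Directory makes the pod fail
        # to start if the path does not already exist on the node.
        - name: etcd-certs
          hostPath:
            path: /etc/kubernetes/pki/etcd
            type: Directory
        # optional: true lets the pod start when the Secret / ConfigMap is
        # absent from the namespace.
        - name: azureconfig
          secret:
            secretName: azureconfig
            optional: true
        - name: gceconf
          configMap:
            name: gceconf
            optional: true
      # Schedule only on control-plane nodes.
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      imagePullSecrets:
        # workaround until
        # https://github.com/operator-framework/operator-lifecycle-manager/issues/2682
        # is fixed
        - name: constellation-pull
      # Tolerate the NoSchedule taint on control-plane nodes, under both the
      # control-plane and the master key.
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
      serviceAccountName: controller-manager
      terminationGracePeriodSeconds: 10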