cluster-policy-controller

assets/apps/0000_50_cluster_policy_controller_deploy.yaml

@@ -0,0 +1,91 @@
+# static pod container cluster-policy-controller
+# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/pod.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: openshift-kube-controller-manager
+  name: openshift-cluster-policy-controller
+  labels:
+    app: openshift-cluster-policy-controller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openshift-cluster-policy-controller
+  template:
+    metadata:
+      name: openshift-cluster-policy-controller
+      labels:
+        app: openshift-cluster-policy-controller
+    spec:
+      serviceAccountName: openshift-cluster-policy-controller-sa
+      containers:
+      - name: cluster-policy-controller
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        image: {{ .ReleaseImage.cluster_policy_controller }}
+        imagePullPolicy: IfNotPresent
+        terminationMessagePolicy: FallbackToLogsOnError
+        command: ["/bin/bash", "-euxo", "pipefail", "-c"]
+        args:
+          - |
+            timeout 3m /bin/bash -exuo pipefail -c 'while [ -n "$(ss -Htanop \( sport = 10357 \))" ]; do sleep 1; done'
+            exec cluster-policy-controller start --config=/var/run/config/config.yaml
+        resources:
+          requests:
+            memory: 200Mi
+            cpu: 10m
+        ports:
+          - containerPort: 10357
+        volumeMounts:
+        - mountPath: /var/run/kubeadmin
+          name: kubeconfig-dir
+        - mountPath: /var/run/secrets
+          name: signing-key
+        - mountPath: /var/run/configmaps/signing-cabundle
+          name: signing-cabundle
+        - mountPath: /var/run/config
+          name: config
+        startupProbe:
+          httpGet:
+            scheme: HTTPS
+            port: 10357
+            path: healthz
+          initialDelaySeconds: 0
+          timeoutSeconds: 3
+        livenessProbe:
+          httpGet:
+            scheme: HTTPS
+            port: 10357
+            path: healthz
+          initialDelaySeconds: 45
+          timeoutSeconds: 10
+        readinessProbe:
+          httpGet:
+            scheme: HTTPS
+            port: 10357
+            path: healthz
+          initialDelaySeconds: 10
+          timeoutSeconds: 10
+      hostNetwork: true
+      priorityClassName: system-node-critical
+      volumes:
+      - name: kubeconfig-dir
+        hostPath:
+          path: {{.KubeConfigDir}}
+      - name: signing-key
+        hostPath:
+          path: {{.KeyDir}}
+      - name: config
+        hostPath:
+          path: {{.ConfigDir}}
+      - hostPath:
+          path: {{.CADir}}
+        name: signing-cabundle

assets/core/0000_50_cluster-openshift-cluster-policy-controller_00_namespace.yaml

@@ -0,0 +1,13 @@
+# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/ns.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/node-selector: ""
+    workload.openshift.io/allowed: "management"
+  labels:
+    # set value to avoid depending on kube admission that depends on openshift apis
+    openshift.io/run-level: "0"
+    # allow openshift-monitoring to look for ServiceMonitor objects in this namespace
+    openshift.io/cluster-monitoring: "true"
+  name: openshift-kube-controller-manager

assets/core/0000_50_cluster-openshift-cluster-policy-controller_service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: openshift-kube-controller-manager
+  name: openshift-cluster-policy-controller-sa

assets/core/0000_50_namespace-security-allocation-controller_sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: openshift-infra
+  name: namespace-security-allocation-controller

assets/crd/0000_03_securityinternal-openshift_01_rangeallocation.crd.yaml

@@ -0,0 +1,50 @@
+# https://github.com/openshift/api/blob/release-4.8/securityinternal/v1/0000_03_securityinternal-openshift_02_rangeallocation.crd.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/751
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  name: rangeallocations.security.internal.openshift.io
+spec:
+  group: security.internal.openshift.io
+  names:
+    kind: RangeAllocation
+    listKind: RangeAllocationList
+    plural: rangeallocations
+    singular: rangeallocation
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: RangeAllocation is used so we can easily expose a RangeAllocation
+          typed for security group This is an internal API, not intended for external
+          consumption.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          data:
+            description: data is a byte array representing the serialized state of
+              a range allocation.  It is a bitmap with each bit set to one to represent
+              a range is taken.
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          range:
+            description: range is a string representing a unique label for a range
+              of uids, "1000000000-2000000000/10000".
+            type: string
+        type: object
+    served: true
+    storage: true

assets/rbac/0000_50_cluster-policy-controller_clusterrole.yaml

@@ -0,0 +1,34 @@
+# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/namespace-security-allocation-controller-clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+  name: namespace-security-allocation-controller
+rules:
+- apiGroups:
+  - security.openshift.io
+  - security.internal.openshift.io
+  resources:
+  - rangeallocations
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - update
+  - watch
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update

assets/rbac/0000_50_cluster-policy-controller_clusterrolebinding.yaml

@@ -0,0 +1,13 @@
+# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/namespace-security-allocation-controller-clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: namespace-security-allocation-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: namespace-security-allocation-controller
+subjects:
+- kind: ServiceAccount
+  name: namespace-security-allocation-controller
+  namespace: openshift-infra

pkg/assets/apps/bindata.go

@@ -1,6 +1,7 @@
 // Package assets Code generated by go-bindata. (@generated) DO NOT EDIT.
 // sources:
 // assets/apps/0000_00_flannel-daemonset.yaml
+// assets/apps/0000_50_cluster_policy_controller_deploy.yaml
 // assets/apps/0000_60_service-ca_05_deploy.yaml
 // assets/apps/0000_70_dns_01-dns-daemonset.yaml
 // assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml
@@ -179,6 +180,114 @@ func assetsApps0000_00_flannelDaemonsetYaml() (*asset, error) {
 	return a, nil
 }
 
+var _assetsApps0000_50_cluster_policy_controller_deployYaml = []byte(`# static pod container cluster-policy-controller
+# https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.8/bindata/v4.1.0/kube-controller-manager/pod.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: openshift-kube-controller-manager
+  name: openshift-cluster-policy-controller
+  labels:
+    app: openshift-cluster-policy-controller
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openshift-cluster-policy-controller
+  template:
+    metadata:
+      name: openshift-cluster-policy-controller
+      labels:
+        app: openshift-cluster-policy-controller
+    spec:
+      serviceAccountName: openshift-cluster-policy-controller-sa
+      containers:
+      - name: cluster-policy-controller
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        image: {{ .ReleaseImage.cluster_policy_controller }}
+        imagePullPolicy: IfNotPresent
+        terminationMessagePolicy: FallbackToLogsOnError
+        command: ["/bin/bash", "-euxo", "pipefail", "-c"]
+        args:
+          - |
+            timeout 3m /bin/bash -exuo pipefail -c 'while [ -n "$(ss -Htanop \( sport = 10357 \))" ]; do sleep 1; done'
+            exec cluster-policy-controller start --config=/var/run/config/config.yaml
+        resources:
+          requests:
+            memory: 200Mi
+            cpu: 10m
+        ports:
+          - containerPort: 10357
+        volumeMounts:
+        - mountPath: /var/run/kubeadmin
+          name: kubeconfig-dir
+        - mountPath: /var/run/secrets
+          name: signing-key
+        - mountPath: /var/run/configmaps/signing-cabundle
+          name: signing-cabundle
+        - mountPath: /var/run/config
+          name: config
+        startupProbe:
+          httpGet:
+            scheme: HTTPS
+            port: 10357
+            path: healthz
+          initialDelaySeconds: 0
+          timeoutSeconds: 3
+        livenessProbe:
+          httpGet:
+            scheme: HTTPS
+            port: 10357
+            path: healthz
+          initialDelaySeconds: 45
+          timeoutSeconds: 10
+        readinessProbe:
+          httpGet:
+            scheme: HTTPS
+            port: 10357
+            path: healthz
+          initialDelaySeconds: 10
+          timeoutSeconds: 10
+      hostNetwork: true
+      priorityClassName: system-node-critical
+      volumes:
+      - name: kubeconfig-dir
+        hostPath:
+          path: {{.KubeConfigDir}}
+      - name: signing-key
+        hostPath:
+          path: {{.KeyDir}}
+      - name: config
+        hostPath:
+          path: {{.ConfigDir}}
+      - hostPath:
+          path: {{.CADir}}
+        name: signing-cabundle
+`)
+
+func assetsApps0000_50_cluster_policy_controller_deployYamlBytes() ([]byte, error) {
+	return _assetsApps0000_50_cluster_policy_controller_deployYaml, nil
+}
+
+func assetsApps0000_50_cluster_policy_controller_deployYaml() (*asset, error) {
+	bytes, err := assetsApps0000_50_cluster_policy_controller_deployYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "assets/apps/0000_50_cluster_policy_controller_deploy.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
 var _assetsApps0000_60_serviceCa_05_deployYaml = []byte(`apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -795,12 +904,13 @@ func AssetNames() []string {
 
 // _bindata is a table, holding each asset generator, mapped to its name.
 var _bindata = map[string]func() (*asset, error){
-	"assets/apps/0000_00_flannel-daemonset.yaml":              assetsApps0000_00_flannelDaemonsetYaml,
-	"assets/apps/0000_60_service-ca_05_deploy.yaml":           assetsApps0000_60_serviceCa_05_deployYaml,
-	"assets/apps/0000_70_dns_01-dns-daemonset.yaml":           assetsApps0000_70_dns_01DnsDaemonsetYaml,
-	"assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml": assetsApps0000_70_dns_01NodeResolverDaemonsetYaml,
-	"assets/apps/0000_80_openshift-router-deployment.yaml":    assetsApps0000_80_openshiftRouterDeploymentYaml,
-	"assets/apps/000_80_hostpath-provisioner-daemonset.yaml":  assetsApps000_80_hostpathProvisionerDaemonsetYaml,
+	"assets/apps/0000_00_flannel-daemonset.yaml":                assetsApps0000_00_flannelDaemonsetYaml,
+	"assets/apps/0000_50_cluster_policy_controller_deploy.yaml": assetsApps0000_50_cluster_policy_controller_deployYaml,
+	"assets/apps/0000_60_service-ca_05_deploy.yaml":             assetsApps0000_60_serviceCa_05_deployYaml,
+	"assets/apps/0000_70_dns_01-dns-daemonset.yaml":             assetsApps0000_70_dns_01DnsDaemonsetYaml,
+	"assets/apps/0000_70_dns_01-node-resolver-daemonset.yaml":   assetsApps0000_70_dns_01NodeResolverDaemonsetYaml,
+	"assets/apps/0000_80_openshift-router-deployment.yaml":      assetsApps0000_80_openshiftRouterDeploymentYaml,
+	"assets/apps/000_80_hostpath-provisioner-daemonset.yaml":    assetsApps000_80_hostpathProvisionerDaemonsetYaml,
 }
 
 // AssetDir returns the file names below a certain
@@ -846,12 +956,13 @@ type bintree struct {
 var _bintree = &bintree{nil, map[string]*bintree{
 	"assets": {nil, map[string]*bintree{
 		"apps": {nil, map[string]*bintree{
-			"0000_00_flannel-daemonset.yaml":              {assetsApps0000_00_flannelDaemonsetYaml, map[string]*bintree{}},
-			"0000_60_service-ca_05_deploy.yaml":           {assetsApps0000_60_serviceCa_05_deployYaml, map[string]*bintree{}},
-			"0000_70_dns_01-dns-daemonset.yaml":           {assetsApps0000_70_dns_01DnsDaemonsetYaml, map[string]*bintree{}},
-			"0000_70_dns_01-node-resolver-daemonset.yaml": {assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, map[string]*bintree{}},
-			"0000_80_openshift-router-deployment.yaml":    {assetsApps0000_80_openshiftRouterDeploymentYaml, map[string]*bintree{}},
-			"000_80_hostpath-provisioner-daemonset.yaml":  {assetsApps000_80_hostpathProvisionerDaemonsetYaml, map[string]*bintree{}},
+			"0000_00_flannel-daemonset.yaml":                {assetsApps0000_00_flannelDaemonsetYaml, map[string]*bintree{}},
+			"0000_50_cluster_policy_controller_deploy.yaml": {assetsApps0000_50_cluster_policy_controller_deployYaml, map[string]*bintree{}},
+			"0000_60_service-ca_05_deploy.yaml":             {assetsApps0000_60_serviceCa_05_deployYaml, map[string]*bintree{}},
+			"0000_70_dns_01-dns-daemonset.yaml":             {assetsApps0000_70_dns_01DnsDaemonsetYaml, map[string]*bintree{}},
+			"0000_70_dns_01-node-resolver-daemonset.yaml":   {assetsApps0000_70_dns_01NodeResolverDaemonsetYaml, map[string]*bintree{}},
+			"0000_80_openshift-router-deployment.yaml":      {assetsApps0000_80_openshiftRouterDeploymentYaml, map[string]*bintree{}},
+			"000_80_hostpath-provisioner-daemonset.yaml":    {assetsApps000_80_hostpathProvisionerDaemonsetYaml, map[string]*bintree{}},
 		}},
 	}},
 }}