Merge pull request #25 from annismckenzie/release-v0.2.0

Release v0.2.0
annismckenzie · Jan 11, 2021 · 94a2ce5 · 94a2ce5
2 parents 996f6df + bea9a3f
commit 94a2ce5
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ That Kubernetes operator doesn't exist. At least, it didn't until now. 🤠
 ## Installation
 
 ```sh
-  kubectl apply -f https://raw.githubusercontent.com/annismckenzie/k3os-config-operator/v0.1.2/deploy/operator.yaml
+  kubectl apply -f https://raw.githubusercontent.com/annismckenzie/k3os-config-operator/v0.2.0/deploy/operator.yaml
 ```
 
 

diff --git a/config/release/kustomization.yaml b/config/release/kustomization.yaml
@@ -6,4 +6,4 @@ bases:
 
 images:
   - name: ghcr.io/annismckenzie/k3os-config-operator
-    newTag: v0.1.2
+    newTag: v0.2.0
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -149,6 +149,43 @@ status:
   conditions: []
   storedVersions: []
 ---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+  labels:
+    app: k3os-config-operator
+    app.kubernetes.io/name: k3os-config-operator
+  name: k3os-config-operator-manager
+spec:
+  allowPrivilegeEscalation: false
+  allowedHostPaths:
+  - pathPrefix: /var/lib/rancher/k3os
+    readOnly: false
+  forbiddenSysctls:
+  - '*'
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: false
+  hostNetwork: false
+  hostPID: false
+  privileged: false
+  readOnlyRootFilesystem: false
+  requiredDropCapabilities:
+  - ALL
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - hostPath
+  - secret
+  - downwardAPI
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -210,6 +247,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - policy
+  resourceNames:
+  - k3os-config-operator-manager
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -389,6 +434,8 @@ spec:
         command:
         - /manager
         env:
+        - name: ENABLE_NODECONFIG_FILE_MANAGEMENT
+          value: "true"
         - name: NODE_NAME
           valueFrom:
             fieldRef:
@@ -397,7 +444,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: ghcr.io/annismckenzie/k3os-config-operator:v0.1.2
+        image: ghcr.io/annismckenzie/k3os-config-operator:v0.2.0
         name: manager
         resources:
           limits:
@@ -406,4 +453,12 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+        volumeMounts:
+        - mountPath: /etc/k3osconfig.yaml
+          name: varlibrancherk3osconfigyaml
       terminationGracePeriodSeconds: 10
+      volumes:
+      - hostPath:
+          path: /var/lib/rancher/k3os/config.yaml
+          type: FileOrCreate
+        name: varlibrancherk3osconfigyaml