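---
# flock-agent: per-node DaemonSet for the flock agent (milestone M1).
#
# Runs one pod per opted-in node in the host network namespace, keeps its
# allocation state on the node under /var/lib/flock and exposes a unix socket
# under /run/flock. Both directories are hostPath mounts, so they outlive the
# pod and are shared with anything else on the node that can open them.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: flock-agent
  namespace: kube-system
  labels:
    app: flock-agent
spec:
  selector:
    matchLabels:
      app: flock-agent
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # One node at a time: a bad build takes down at most one agent.
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: flock-agent
    spec:
      serviceAccountName: flock-agent
      # The agent shares the node's network namespace; ClusterFirstWithHostNet
      # keeps cluster DNS working despite hostNetwork.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      priorityClassName: system-node-critical
      # M1: opt-in per-node via this label. Remove the nodeSelector when
      # ready to roll flock to all nodes.
      nodeSelector:
        flock.fritzlab.net/agent: ""
      # Tolerate the cni-test taint applied during migration, plus the
      # control-plane and node-condition taints a node agent must survive.
      tolerations:
        - key: fritzlab.net/cni-test
          operator: Equal
          value: "true"
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
        - key: node.kubernetes.io/not-ready
          operator: Exists
          effect: NoExecute
        - key: node.kubernetes.io/unreachable
          operator: Exists
          effect: NoExecute
      containers:
        - name: flock-agent
          # NOTE(review): a mutable tag with imagePullPolicy Always means every
          # pod restart may pull a different build onto the node. Pin a release
          # tag or digest (image@sha256:...) before rolling past the M1 opt-in
          # set, and before M2 grants NET_ADMIN/NET_RAW to this container.
          image: code.fritzlab.net/fritzlab/flock:latest
          imagePullPolicy: Always
          args:
            - --node=$(NODE_NAME)
            # State lives on the lib-flock hostPath so it survives restarts;
            # it is the only writable path besides /run/flock with
            # readOnlyRootFilesystem set.
            - --state=/var/lib/flock/allocations.json
            # The socket is created on the host under /run/flock; access
            # control for it comes from the directory/socket mode the agent
            # sets, not from this manifest.
            - --socket=/run/flock/flock.sock
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          # M1: no privileged caps. M2 adds NET_ADMIN/NET_RAW for netlink —
          # add them under capabilities.add and keep drop: ["ALL"] and
          # allowPrivilegeEscalation: false as they are.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            # Runtime default seccomp profile: blocks the dangerous syscalls
            # a node agent has no business making. Expected to be compatible
            # with the M2 netlink caps — verify on the cni-test nodes.
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: lib-flock
              mountPath: /var/lib/flock
            - name: run-flock
              mountPath: /run/flock
          resources:
            requests:
              cpu: 25m
              memory: 32Mi
            limits:
              memory: 128Mi
      volumes:
        # DirectoryOrCreate: the kubelet creates these on the host if missing.
        - name: lib-flock
          hostPath:
            path: /var/lib/flock
            type: DirectoryOrCreate
        - name: run-flock
          hostPath:
            path: /run/flock
            type: DirectoryOrCreate
      imagePullSecrets:
        - name: code-fritzlab-net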