---
# Identity the orb8-agent pods run as. The DaemonSet in this file selects it
# with serviceAccountName, and the ClusterRoleBinding in this file grants it
# pod list/watch.
# NOTE(review): it lives in `default`. Any principal allowed to create pods in
# a namespace can run them as a ServiceAccount of that namespace, so a
# dedicated namespace would keep this identity apart from unrelated workloads.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orb8-agent
  namespace: default
---
# Read-only view of pods: list and watch on the core ("") API group, with no
# get, create, update, delete or exec verbs.
# NOTE(review): pod objects include their full spec, so literal env values and
# annotations of every pod this role covers are readable by the agent. Secret
# objects themselves are not granted here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: orb8-agent
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - watch
---
# Grants the orb8-agent ClusterRole to the orb8-agent ServiceAccount in the
# `default` namespace. Because this is a ClusterRoleBinding rather than a
# namespaced RoleBinding, the grant covers pods in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: orb8-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: orb8-agent
subjects:
  - kind: ServiceAccount
    name: orb8-agent
    namespace: default
---
# Runs one orb8-agent pod per node. The pod shares the node's network
# namespace, adds BPF-related Linux capabilities and mounts parts of the
# host's /sys tree.
# NOTE(review): the `:test` tag together with imagePullPolicy Never suggests a
# local test manifest; confirm before reusing these settings in a shared
# cluster.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: orb8-agent
  namespace: default
  labels:
    app: orb8-agent
spec:
  selector:
    matchLabels:
      app: orb8-agent
  template:
    metadata:
      labels:
        app: orb8-agent
    spec:
      # The ServiceAccount token is mounted by default; it carries the
      # cluster-wide pod list/watch grant bound to this ServiceAccount.
      serviceAccountName: orb8-agent
      # Host network namespace: the agent sees the node's interfaces, and
      # anything it listens on is reachable on the node's own addresses
      # (subject to the agent's bind address, which is not visible here).
      # NetworkPolicy generally does not select hostNetwork pods.
      hostNetwork: true
      # Keeps cluster DNS resolution working for a hostNetwork pod.
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: orb8-agent
          # Mutable tag, no digest. With pull policy Never the kubelet uses
          # whatever image of this name is already present on the node.
          image: orb8-agent:test
          imagePullPolicy: Never
          env:
            - name: RUST_LOG
              value: info
            # Downward API: the name of the node this pod is scheduled on.
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            # NOTE(review): no TLS or authentication settings appear in this
            # manifest; confirm how the gRPC endpoint is protected.
            - containerPort: 9090
              name: grpc
              protocol: TCP
          # NOTE(review): no resources requests/limits are set, and the pod
          # tolerates every taint, so it runs unbounded on all nodes.
          securityContext:
            # Not privileged, but SYS_ADMIN below is broad enough that the
            # container should still be treated as node-level trusted code.
            privileged: false
            # NOTE(review): nothing is dropped, so the runtime's default
            # capability set stays in effect alongside these additions.
            capabilities:
              add:
                # Load BPF programs and create maps (Linux 5.8+).
                - BPF
                # presumably for attaching tc/XDP programs - confirm
                - NET_ADMIN
                # NOTE(review): BPF and PERMON were split out of SYS_ADMIN
                # in Linux 5.8; if every target node runs 5.8 or newer,
                # check whether the agent still needs this one.
                - SYS_ADMIN
                # Tracing and perf events (Linux 5.8+).
                - PERFMON
                # presumably to raise RLIMIT_MEMLOCK for BPF maps on kernels
                # before 5.11 - confirm
                - SYS_RESOURCE
          volumeMounts:
            - name: sys
              mountPath: /sys
              readOnly: true
            # NOTE(review): the only mount here without readOnly, so the
            # host's debugfs is writable from the container. Confirm the
            # agent needs write access.
            - name: debugfs
              mountPath: /sys/kernel/debug
            - name: cgroup
              mountPath: /sys/fs/cgroup
              readOnly: true
      # Tolerates every taint, so the agent is also scheduled onto
      # control-plane and otherwise tainted nodes.
      tolerations:
        - operator: Exists
      # hostPath volumes expose host directories directly. No `type` is set,
      # so no check is made on the path before it is mounted.
      volumes:
        - name: sys
          hostPath:
            path: /sys
        - name: debugfs
          hostPath:
            path: /sys/kernel/debug
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup