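---
# RBAC, ServiceAccount and Deployment for the kubernetes-121-remediation tool.
# Every object is namespaced and carries no metadata.namespace, so all of them
# land in whatever namespace is supplied at apply time.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-121-remediation
  labels:
    app.kubernetes.io/name: kubernetes-121-remediation
rules:
  # Pods: enumerate and delete only.
  # The original list also carried `read`, which is not a Kubernetes API verb
  # (the request verbs are get, list, watch, create, update, patch, delete and
  # deletecollection), so it never matched a request. It is dropped here and
  # the effective permissions are unchanged. Add `get` only if the tool needs
  # single-pod lookups.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - delete
  # Secrets: every verb, but scoped by resourceNames to the single Secret
  # `vault-config`.
  # NOTE(review): `"*"` also grants delete on that Secret. If the tool only
  # reads and rewrites it, narrowing to get/update/patch is the least-privilege
  # form - confirm against the tool's actual API calls before changing.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - "*"
    resourceNames:
      - vault-config
  # StatefulSets: read and update the single object named `vault`.
  - apiGroups:
      - apps
    resources:
      - statefulsets
    verbs:
      - get
      - update
    resourceNames:
      - vault
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-121-remediation
  labels:
    app.kubernetes.io/name: kubernetes-121-remediation
subjects:
  # NOTE(review): a ServiceAccount subject normally needs an explicit
  # `namespace`. None is set, so this presumably relies on the deployment
  # tooling to inject it - confirm the rendered manifest binds the intended
  # account.
  - kind: ServiceAccount
    name: kubernetes-121-remediation
roleRef:
  kind: Role
  name: kubernetes-121-remediation
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-121-remediation
  labels:
    app.kubernetes.io/name: kubernetes-121-remediation
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-121-remediation
  labels:
    app.kubernetes.io/name: kubernetes-121-remediation
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: kubernetes-121-remediation
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kubernetes-121-remediation
    spec:
      imagePullSecrets:
        - name: domino-quay-repos
      # Runs under the dedicated ServiceAccount bound to the Role above.
      serviceAccountName: kubernetes-121-remediation
      # Pod-level: fixed non-root UID, and the kubelet refuses to start the
      # container if the image would run as root.
      securityContext:
        runAsUser: 65534
        runAsNonRoot: true
      containers:
        # NOTE(review): `v2` is a mutable tag and imagePullPolicy is Always, so
        # the code that runs with the permissions above can change without this
        # manifest changing. Pinning by digest
        # (quay.io/domino/kubernetes-121-remediation@sha256:<DIGEST-PLACEHOLDER>)
        # makes the deployed image reproducible.
        - image: quay.io/domino/kubernetes-121-remediation:v2
          imagePullPolicy: Always
          name: remediation
          command: ["/app"]
          # Positional args look like pod label selectors (presumably the pods
          # the tool lists and deletes - confirm against the tool's usage).
          # The commented flags are optional switches left disabled.
          args:
            # - -patch-vault-config=false
            # - -update-vault-statefulset=false
            - app.kubernetes.io/name=fluentd
            - app.kubernetes.io/name=newrelic-logging
          # env:
          #   - name: TICK_DURATION
          #     value: 5m
          #   - name: POD_DURATION
          #     value: 1440h
          #   - name: BANK_VAULTS_IMAGE
          #     value: quay.io/domino/vault.vault-bankvaults:1.15.2-20220824-0934
          #   - name: VAULT_IMAGE
          #     value: quay.io/domino/vault.vault:1.10.1-20220824-0934
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
          # Container-level hardening: not privileged, no privilege escalation,
          # and every Linux capability dropped.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      nodeSelector:
        dominodatalab.com/node-pool: platform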