apiVersion: scheduling.k8s.io/v1 kind: PriorityClass metadata: name: kubevirt-cluster-critical value: 1000000000 globalDefault: false description: "This priority class should be used for core kubevirt components only." --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kubevirt.io:operator labels: operator.kubevirt.io: "" rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: - apiGroups: - kubevirt.io resources: - kubevirts verbs: - get - delete - create - update - patch - list - watch - deletecollection --- apiVersion: v1 kind: ServiceAccount metadata: labels: kubevirt.io: "" name: kubevirt-operator namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: kubevirt.io: "" name: kubevirt-operator namespace: {{ .Release.Namespace }} rules: - apiGroups: - "" resourceNames: - kubevirt-ca - kubevirt-export-ca - kubevirt-virt-handler-certs - kubevirt-virt-handler-server-certs - kubevirt-operator-certs - kubevirt-virt-api-certs - kubevirt-controller-certs - kubevirt-exportproxy-certs resources: - secrets verbs: - create - get - list - watch - patch - delete - apiGroups: - "" resources: - configmaps verbs: - create - get - list - watch - patch - delete - apiGroups: - route.openshift.io resources: - routes verbs: - create - get - list - watch - patch - delete - apiGroups: - route.openshift.io resources: - routes/custom-host verbs: - create - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - watch - delete - update - create - patch - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - apiGroups: - route.openshift.io resources: - routes verbs: - list - get - watch - apiGroups: - "" resources: - secrets verbs: - list - get - watch - apiGroups: - networking.k8s.io resources: - ingresses verbs: - list - get - watch - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - watch - delete - update - create - patch - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resourceNames: - kubevirt-export-ca resources: - configmaps verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: kubevirt.io: "" name: kubevirt-operator-rolebinding namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubevirt-operator subjects: - kind: ServiceAccount name: kubevirt-operator namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: kubevirt.io: "" name: kubevirt-operator rules: - apiGroups: - kubevirt.io resources: - kubevirts verbs: - get - list - watch - patch - update - patch - apiGroups: - "" resources: - serviceaccounts - services - endpoints - pods/exec verbs: - get - list - watch - create - update - delete - patch - apiGroups: - "" resources: - configmaps verbs: - patch - delete - apiGroups: - batch resources: - jobs verbs: - get - list - watch - create - delete - patch - apiGroups: - apps resources: - controllerrevisions verbs: - watch - list - create - delete - patch - apiGroups: - apps resources: - deployments - daemonsets verbs: - get - list - watch - create - delete - patch - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles - clusterrolebindings - roles - rolebindings verbs: - get - list - watch - create - delete - patch - update - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch - create - delete - patch - apiGroups: - security.openshift.io resources: - securitycontextconstraints verbs: - create - get - list - watch - apiGroups: - security.openshift.io resourceNames: - privileged resources: - securitycontextconstraints verbs: - get - patch - update - apiGroups: - security.openshift.io resourceNames: - kubevirt-handler - kubevirt-controller resources: - securitycontextconstraints verbs: - get - list - watch - update - delete - apiGroups: - admissionregistration.k8s.io resources: - validatingwebhookconfigurations - mutatingwebhookconfigurations - validatingadmissionpolicybindings - validatingadmissionpolicies verbs: - get - list - watch - create - delete - update - patch - apiGroups: - apiregistration.k8s.io resources: - apiservices verbs: - get - list - watch - create - delete - update - patch - apiGroups: - monitoring.coreos.com resources: - servicemonitors - prometheusrules verbs: - get - list - watch - create - delete - update - patch - apiGroups: - "" resources: - namespaces verbs: - get - list - watch - patch - apiGroups: - "" resources: - pods verbs: - get - list - delete - patch - apiGroups: - kubevirt.io resources: - virtualmachines - virtualmachineinstances verbs: - get - list - watch - patch - update - apiGroups: - "" resources: - persistentvolumeclaims verbs: - get - apiGroups: - kubevirt.io resources: - virtualmachines/status verbs: - patch - apiGroups: - kubevirt.io resources: - virtualmachineinstancemigrations verbs: - create - get - list - watch - patch - apiGroups: - kubevirt.io resources: - virtualmachineinstancepresets verbs: - watch - list - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resources: - limitranges verbs: - watch - list - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch - apiGroups: - kubevirt.io resources: - kubevirts verbs: - get - list - watch - apiGroups: - snapshot.kubevirt.io resources: - virtualmachinesnapshots - virtualmachinerestores - virtualmachinesnapshotcontents verbs: - get - list - watch - apiGroups: - cdi.kubevirt.io resources: - datasources - datavolumes verbs: - get - list - watch - apiGroups: - "" resources: - namespaces verbs: - get - list - watch - apiGroups: - instancetype.kubevirt.io resources: - virtualmachineinstancetypes - virtualmachineclusterinstancetypes - virtualmachinepreferences - virtualmachineclusterpreferences verbs: - get - list - watch - apiGroups: - migrations.kubevirt.io resources: - migrationpolicies verbs: - get - list - watch - apiGroups: - apps resources: - controllerrevisions verbs: - create - list - get - apiGroups: - "" resources: - namespaces verbs: - get - list - watch - patch - apiGroups: - policy resources: - poddisruptionbudgets verbs: - get - list - watch - delete - create - patch - apiGroups: - "" resources: - pods - configmaps - endpoints - services verbs: - get - list - watch - delete - update - create - patch - apiGroups: - "" resources: - events verbs: - update - create - patch - apiGroups: - "" resources: - secrets verbs: - create - apiGroups: - "" resources: - pods/finalizers verbs: - update - apiGroups: - "" resources: - pods/eviction verbs: - create - apiGroups: - "" resources: - pods/status verbs: - patch - apiGroups: - "" resources: - nodes verbs: - get - list - watch - update - patch - apiGroups: - apps resources: - daemonsets verbs: - list - apiGroups: - apps resources: - controllerrevisions verbs: - watch - list - create - delete - get - update - apiGroups: - "" resources: - persistentvolumeclaims verbs: - get - list - watch - create - update - delete - patch - apiGroups: - snapshot.kubevirt.io resources: - '*' verbs: - '*' - apiGroups: - export.kubevirt.io resources: - '*' verbs: - '*' - apiGroups: - pool.kubevirt.io resources: - virtualmachinepools - virtualmachinepools/finalizers - virtualmachinepools/status - virtualmachinepools/scale verbs: - watch - list - create - delete - update - patch - get - apiGroups: - kubevirt.io resources: - '*' verbs: - '*' - apiGroups: - subresources.kubevirt.io resources: - virtualmachineinstances/addvolume - virtualmachineinstances/removevolume - virtualmachineinstances/freeze - virtualmachineinstances/unfreeze - virtualmachineinstances/softreboot - virtualmachineinstances/sev/setupsession - virtualmachineinstances/sev/injectlaunchsecret verbs: - update - apiGroups: - cdi.kubevirt.io resources: - '*' verbs: - '*' - apiGroups: - k8s.cni.cncf.io resources: - network-attachment-definitions verbs: - get - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create - apiGroups: - snapshot.storage.k8s.io resources: - volumesnapshotclasses verbs: - get - list - watch - apiGroups: - snapshot.storage.k8s.io resources: - volumesnapshots verbs: - get - list - watch - create - update - delete - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - get - list - watch - apiGroups: - instancetype.kubevirt.io resources: - virtualmachineinstancetypes - virtualmachineclusterinstancetypes - virtualmachinepreferences - virtualmachineclusterpreferences verbs: - get - list - watch - apiGroups: - migrations.kubevirt.io resources: - migrationpolicies verbs: - get - list - watch - apiGroups: - clone.kubevirt.io resources: - virtualmachineclones - virtualmachineclones/status - virtualmachineclones/finalizers verbs: - get - list - watch - update - patch - delete - apiGroups: - "" resources: - namespaces verbs: - get - apiGroups: - "" resources: - resourcequotas verbs: - list - watch - apiGroups: - kubevirt.io resources: - virtualmachineinstances verbs: - update - list - watch - apiGroups: - "" resources: - nodes verbs: - patch - list - watch - get - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch - apiGroups: - kubevirt.io resources: - kubevirts verbs: - get - list - watch - apiGroups: - migrations.kubevirt.io resources: - migrationpolicies verbs: - get - list - watch - apiGroups: - export.kubevirt.io resources: - virtualmachineexports verbs: - get - list - watch - apiGroups: - kubevirt.io resources: - kubevirts verbs: - list - watch - apiGroups: - kubevirt.io resources: - kubevirts verbs: - get - list - apiGroups: - subresources.kubevirt.io resources: - version - guestfs verbs: - get - list - apiGroups: - subresources.kubevirt.io resources: - virtualmachineinstances/console - virtualmachineinstances/vnc - virtualmachineinstances/vnc/screenshot - virtualmachineinstances/portforward - virtualmachineinstances/guestosinfo - virtualmachineinstances/filesystemlist - virtualmachineinstances/userlist - virtualmachineinstances/sev/fetchcertchain - virtualmachineinstances/sev/querylaunchmeasurement verbs: - get - apiGroups: - subresources.kubevirt.io resources: - virtualmachineinstances/pause - virtualmachineinstances/unpause - virtualmachineinstances/addvolume - virtualmachineinstances/removevolume - virtualmachineinstances/freeze - virtualmachineinstances/unfreeze - virtualmachineinstances/softreboot - virtualmachineinstances/sev/setupsession - virtualmachineinstances/sev/injectlaunchsecret verbs: - update - apiGroups: - subresources.kubevirt.io resources: - virtualmachines/expand-spec - virtualmachines/portforward verbs: - get - apiGroups: - subresources.kubevirt.io resources: - virtualmachines/start - virtualmachines/stop - virtualmachines/restart - virtualmachines/addvolume - virtualmachines/removevolume - virtualmachines/migrate - virtualmachines/memorydump verbs: - update - apiGroups: - subresources.kubevirt.io resources: - expand-vm-spec verbs: - update - apiGroups: - kubevirt.io resources: - virtualmachines - virtualmachineinstances - virtualmachineinstancepresets - virtualmachineinstancereplicasets - virtualmachineinstancemigrations verbs: - get - delete - create - update - patch - list - watch - deletecollection - apiGroups: - snapshot.kubevirt.io resources: - virtualmachinesnapshots - virtualmachinesnapshotcontents - virtualmachinerestores verbs: - get - delete - create - update - patch - list - watch - deletecollection - apiGroups: - export.kubevirt.io resources: - virtualmachineexports verbs: - get - delete - create - update - patch - list - watch - deletecollection - apiGroups: - clone.kubevirt.io resources: - virtualmachineclones verbs: - get - delete - create - update - patch - list - watch - deletecollection - apiGroups: - instancetype.kubevirt.io resources: - virtualmachineinstancetypes - virtualmachineclusterinstancetypes - virtualmachinepreferences - virtualmachineclusterpreferences verbs: - get - delete - create - update - patch - list - watch - deletecollection - apiGroups: - pool.kubevirt.io resources: - virtualmachinepools verbs: - get - delete - create - update - patch - list - watch - deletecollection - apiGroups: - migrations.kubevirt.io resources: - migrationpolicies verbs: - get - list - watch - apiGroups: - subresources.kubevirt.io resources: - virtualmachineinstances/console - virtualmachineinstances/vnc - virtualmachineinstances/vnc/screenshot - virtualmachineinstances/portforward - virtualmachineinstances/guestosinfo - virtualmachineinstances/filesystemlist - virtualmachineinstances/userlist - virtualmachineinstances/sev/fetchcertchain - virtualmachineinstances/sev/querylaunchmeasurement verbs: - get - apiGroups: - subresources.kubevirt.io resources: - virtualmachineinstances/pause - virtualmachineinstances/unpause - virtualmachineinstances/addvolume - virtualmachineinstances/removevolume - virtualmachineinstances/freeze - virtualmachineinstances/unfreeze - virtualmachineinstances/softreboot - virtualmachineinstances/sev/setupsession - virtualmachineinstances/sev/injectlaunchsecret verbs: - update - apiGroups: - subresources.kubevirt.io resources: - virtualmachines/expand-spec - virtualmachines/portforward verbs: - get - apiGroups: - subresources.kubevirt.io resources: - virtualmachines/start - virtualmachines/stop - virtualmachines/restart - virtualmachines/addvolume - virtualmachines/removevolume - virtualmachines/migrate - virtualmachines/memorydump verbs: - update - apiGroups: - subresources.kubevirt.io resources: - expand-vm-spec verbs: - update - apiGroups: - kubevirt.io resources: - virtualmachines - virtualmachineinstances - virtualmachineinstancepresets - virtualmachineinstancereplicasets - virtualmachineinstancemigrations verbs: - get - delete - create - update - patch - list - watch - apiGroups: - snapshot.kubevirt.io resources: - virtualmachinesnapshots - virtualmachinesnapshotcontents - virtualmachinerestores verbs: - get - delete - create - update - patch - list - watch - apiGroups: - export.kubevirt.io resources: - virtualmachineexports verbs: - get - delete - create - update - patch - list - watch - apiGroups: - clone.kubevirt.io resources: - virtualmachineclones verbs: - get - delete - create - update - patch - list - watch - apiGroups: - instancetype.kubevirt.io resources: - virtualmachineinstancetypes - virtualmachineclusterinstancetypes - virtualmachinepreferences - virtualmachineclusterpreferences verbs: - get - delete - create - update - patch - list - watch - apiGroups: - pool.kubevirt.io resources: - virtualmachinepools verbs: - get - delete - create - update - patch - list - watch - apiGroups: - kubevirt.io resources: - kubevirts verbs: - get - list - apiGroups: - migrations.kubevirt.io resources: - migrationpolicies verbs: - get - list - watch - apiGroups: - kubevirt.io resources: - kubevirts verbs: - get - list - apiGroups: - subresources.kubevirt.io resources: - virtualmachines/expand-spec - virtualmachineinstances/guestosinfo - virtualmachineinstances/filesystemlist - virtualmachineinstances/userlist - virtualmachineinstances/sev/fetchcertchain - virtualmachineinstances/sev/querylaunchmeasurement verbs: - get - apiGroups: - subresources.kubevirt.io resources: - expand-vm-spec verbs: - update - apiGroups: - kubevirt.io resources: - virtualmachines - virtualmachineinstances - virtualmachineinstancepresets - virtualmachineinstancereplicasets - virtualmachineinstancemigrations verbs: - get - list - watch - apiGroups: - snapshot.kubevirt.io resources: - virtualmachinesnapshots - virtualmachinesnapshotcontents - virtualmachinerestores verbs: - get - list - watch - apiGroups: - export.kubevirt.io resources: - virtualmachineexports verbs: - get - list - watch - apiGroups: - clone.kubevirt.io resources: - virtualmachineclones verbs: - get - list - watch - apiGroups: - instancetype.kubevirt.io resources: - virtualmachineinstancetypes - virtualmachineclusterinstancetypes - virtualmachinepreferences - virtualmachineclusterpreferences verbs: - get - list - watch - apiGroups: - pool.kubevirt.io resources: - virtualmachinepools verbs: - get - list - watch - apiGroups: - migrations.kubevirt.io resources: - migrationpolicies verbs: - get - list - watch - apiGroups: - instancetype.kubevirt.io resources: - virtualmachineclusterinstancetypes - virtualmachineclusterpreferences verbs: - get - list - watch - apiGroups: - authentication.k8s.io resources: - tokenreviews verbs: - create - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: kubevirt.io: "" name: kubevirt-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubevirt-operator subjects: - kind: ServiceAccount name: kubevirt-operator namespace: {{ .Release.Namespace }} --- apiVersion: apps/v1 kind: Deployment metadata: labels: kubevirt.io: virt-operator name: virt-operator namespace: {{ .Release.Namespace }} spec: replicas: 2 selector: matchLabels: kubevirt.io: virt-operator strategy: type: RollingUpdate template: metadata: labels: kubevirt.io: virt-operator name: virt-operator prometheus.kubevirt.io: "true" name: virt-operator spec: affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: matchExpressions: - key: kubevirt.io operator: In values: - virt-operator topologyKey: kubernetes.io/hostname weight: 1 containers: - args: - --port - "8443" - -v - "2" command: - virt-operator env: - name: VIRT_OPERATOR_IMAGE value: {{ .Values.operator.image }}:{{ .Values.operator.version }} - name: WATCH_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - name: KUBEVIRT_VERSION value: {{ .Values.operator.version }} image: {{ .Values.operator.image }}:{{ .Values.operator.version }} imagePullPolicy: {{ .Values.operator.pullPolicy }} name: virt-operator ports: - containerPort: 8443 name: metrics protocol: TCP - containerPort: 8444 name: webhooks protocol: TCP readinessProbe: httpGet: path: /metrics port: 8443 scheme: HTTPS initialDelaySeconds: 5 timeoutSeconds: 10 resources: requests: cpu: 10m memory: 450Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /etc/virt-operator/certificates name: kubevirt-operator-certs readOnly: true - mountPath: /profile-data name: profile-data nodeSelector: kubernetes.io/os: linux priorityClassName: kubevirt-cluster-critical securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault serviceAccountName: kubevirt-operator tolerations: - key: CriticalAddonsOnly operator: Exists volumes: - name: kubevirt-operator-certs secret: optional: true secretName: kubevirt-operator-certs - emptyDir: {} name: profile-data