suse-edge/Factory
SHA256
11
0
Fork 4
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
59e3b94744
Factory/kubevirt-chart/templates/kubevirt-operator.yaml

1362 lines
26 KiB
YAML
Raw Blame History

apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: kubevirt-cluster-critical
value: 1000000000
globalDefault: false
description: "This priority class should be used for core kubevirt components only."
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubevirt.io:operator
labels:
operator.kubevirt.io: ""
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
kubevirt.io: ""
name: kubevirt-operator
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
kubevirt.io: ""
name: kubevirt-operator
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- ""
resourceNames:
- kubevirt-ca
- kubevirt-export-ca
- kubevirt-virt-handler-certs
- kubevirt-virt-handler-server-certs
- kubevirt-operator-certs
- kubevirt-virt-api-certs
- kubevirt-controller-certs
- kubevirt-exportproxy-certs
resources:
- secrets
verbs:
- create
- get
- list
- watch
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- get
- list
- watch
- patch
- delete
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- create
- get
- list
- watch
- patch
- delete
- apiGroups:
- route.openshift.io
resources:
- routes/custom-host
verbs:
- create
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- delete
- update
- create
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- list
- get
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- get
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- list
- get
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- delete
- update
- create
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- kubevirt-export-ca
resources:
- configmaps
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
kubevirt.io: ""
name: kubevirt-operator-rolebinding
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubevirt-operator
subjects:
- kind: ServiceAccount
name: kubevirt-operator
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
kubevirt.io: ""
name: kubevirt-operator
rules:
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- get
- list
- watch
- patch
- update
- patch
- apiGroups:
- ""
resources:
- serviceaccounts
- services
- endpoints
- pods/exec
verbs:
- get
- list
- watch
- create
- update
- delete
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- patch
- delete
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- list
- watch
- create
- delete
- patch
- apiGroups:
- apps
resources:
- controllerrevisions
verbs:
- watch
- list
- create
- delete
- patch
- apiGroups:
- apps
resources:
- deployments
- daemonsets
verbs:
- get
- list
- watch
- create
- delete
- patch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
- clusterrolebindings
- roles
- rolebindings
verbs:
- get
- list
- watch
- create
- delete
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- create
- delete
- patch
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
verbs:
- create
- get
- list
- watch
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- get
- patch
- update
- apiGroups:
- security.openshift.io
resourceNames:
- kubevirt-handler
- kubevirt-controller
resources:
- securitycontextconstraints
verbs:
- get
- list
- watch
- update
- delete
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
- validatingadmissionpolicybindings
- validatingadmissionpolicies
verbs:
- get
- list
- watch
- create
- delete
- update
- patch
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- get
- list
- watch
- create
- delete
- update
- patch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
- prometheusrules
verbs:
- get
- list
- watch
- create
- delete
- update
- patch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- delete
- patch
- apiGroups:
- kubevirt.io
resources:
- virtualmachines
- virtualmachineinstances
verbs:
- get
- list
- watch
- patch
- update
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- apiGroups:
- kubevirt.io
resources:
- virtualmachines/status
verbs:
- patch
- apiGroups:
- kubevirt.io
resources:
- virtualmachineinstancemigrations
verbs:
- create
- get
- list
- watch
- patch
- apiGroups:
- kubevirt.io
resources:
- virtualmachineinstancepresets
verbs:
- watch
- list
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- limitranges
verbs:
- watch
- list
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- get
- list
- watch
- apiGroups:
- snapshot.kubevirt.io
resources:
- virtualmachinesnapshots
- virtualmachinerestores
- virtualmachinesnapshotcontents
verbs:
- get
- list
- watch
- apiGroups:
- cdi.kubevirt.io
resources:
- datasources
- datavolumes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineinstancetypes
- virtualmachineclusterinstancetypes
- virtualmachinepreferences
- virtualmachineclusterpreferences
verbs:
- get
- list
- watch
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- controllerrevisions
verbs:
- create
- list
- get
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- patch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- delete
- create
- patch
- apiGroups:
- ""
resources:
- pods
- configmaps
- endpoints
- services
verbs:
- get
- list
- watch
- delete
- update
- create
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- update
- create
- patch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- apiGroups:
- ""
resources:
- pods/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods/eviction
verbs:
- create
- apiGroups:
- ""
resources:
- pods/status
verbs:
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- list
- apiGroups:
- apps
resources:
- controllerrevisions
verbs:
- watch
- list
- create
- delete
- get
- update
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- create
- update
- delete
- patch
- apiGroups:
- snapshot.kubevirt.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- export.kubevirt.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- pool.kubevirt.io
resources:
- virtualmachinepools
- virtualmachinepools/finalizers
- virtualmachinepools/status
- virtualmachinepools/scale
verbs:
- watch
- list
- create
- delete
- update
- patch
- get
- apiGroups:
- kubevirt.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachineinstances/addvolume
- virtualmachineinstances/removevolume
- virtualmachineinstances/freeze
- virtualmachineinstances/unfreeze
- virtualmachineinstances/softreboot
- virtualmachineinstances/sev/setupsession
- virtualmachineinstances/sev/injectlaunchsecret
verbs:
- update
- apiGroups:
- cdi.kubevirt.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- k8s.cni.cncf.io
resources:
- network-attachment-definitions
verbs:
- get
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotclasses
verbs:
- get
- list
- watch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineinstancetypes
- virtualmachineclusterinstancetypes
- virtualmachinepreferences
- virtualmachineclusterpreferences
verbs:
- get
- list
- watch
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch
- apiGroups:
- clone.kubevirt.io
resources:
- virtualmachineclones
- virtualmachineclones/status
- virtualmachineclones/finalizers
verbs:
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- resourcequotas
verbs:
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- virtualmachineinstances
verbs:
- update
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- patch
- list
- watch
- get
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- get
- list
- watch
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch
- apiGroups:
- export.kubevirt.io
resources:
- virtualmachineexports
verbs:
- get
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- get
- list
- apiGroups:
- subresources.kubevirt.io
resources:
- version
- guestfs
verbs:
- get
- list
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachineinstances/console
- virtualmachineinstances/vnc
- virtualmachineinstances/vnc/screenshot
- virtualmachineinstances/portforward
- virtualmachineinstances/guestosinfo
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
- virtualmachineinstances/sev/fetchcertchain
- virtualmachineinstances/sev/querylaunchmeasurement
verbs:
- get
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachineinstances/pause
- virtualmachineinstances/unpause
- virtualmachineinstances/addvolume
- virtualmachineinstances/removevolume
- virtualmachineinstances/freeze
- virtualmachineinstances/unfreeze
- virtualmachineinstances/softreboot
- virtualmachineinstances/sev/setupsession
- virtualmachineinstances/sev/injectlaunchsecret
verbs:
- update
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/expand-spec
- virtualmachines/portforward
verbs:
- get
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/start
- virtualmachines/stop
- virtualmachines/restart
- virtualmachines/addvolume
- virtualmachines/removevolume
- virtualmachines/migrate
- virtualmachines/memorydump
verbs:
- update
- apiGroups:
- subresources.kubevirt.io
resources:
- expand-vm-spec
verbs:
- update
- apiGroups:
- kubevirt.io
resources:
- virtualmachines
- virtualmachineinstances
- virtualmachineinstancepresets
- virtualmachineinstancereplicasets
- virtualmachineinstancemigrations
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- snapshot.kubevirt.io
resources:
- virtualmachinesnapshots
- virtualmachinesnapshotcontents
- virtualmachinerestores
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- export.kubevirt.io
resources:
- virtualmachineexports
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- clone.kubevirt.io
resources:
- virtualmachineclones
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineinstancetypes
- virtualmachineclusterinstancetypes
- virtualmachinepreferences
- virtualmachineclusterpreferences
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- pool.kubevirt.io
resources:
- virtualmachinepools
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- deletecollection
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachineinstances/console
- virtualmachineinstances/vnc
- virtualmachineinstances/vnc/screenshot
- virtualmachineinstances/portforward
- virtualmachineinstances/guestosinfo
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
- virtualmachineinstances/sev/fetchcertchain
- virtualmachineinstances/sev/querylaunchmeasurement
verbs:
- get
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachineinstances/pause
- virtualmachineinstances/unpause
- virtualmachineinstances/addvolume
- virtualmachineinstances/removevolume
- virtualmachineinstances/freeze
- virtualmachineinstances/unfreeze
- virtualmachineinstances/softreboot
- virtualmachineinstances/sev/setupsession
- virtualmachineinstances/sev/injectlaunchsecret
verbs:
- update
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/expand-spec
- virtualmachines/portforward
verbs:
- get
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/start
- virtualmachines/stop
- virtualmachines/restart
- virtualmachines/addvolume
- virtualmachines/removevolume
- virtualmachines/migrate
- virtualmachines/memorydump
verbs:
- update
- apiGroups:
- subresources.kubevirt.io
resources:
- expand-vm-spec
verbs:
- update
- apiGroups:
- kubevirt.io
resources:
- virtualmachines
- virtualmachineinstances
- virtualmachineinstancepresets
- virtualmachineinstancereplicasets
- virtualmachineinstancemigrations
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- snapshot.kubevirt.io
resources:
- virtualmachinesnapshots
- virtualmachinesnapshotcontents
- virtualmachinerestores
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- export.kubevirt.io
resources:
- virtualmachineexports
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- clone.kubevirt.io
resources:
- virtualmachineclones
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineinstancetypes
- virtualmachineclusterinstancetypes
- virtualmachinepreferences
- virtualmachineclusterpreferences
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- pool.kubevirt.io
resources:
- virtualmachinepools
verbs:
- get
- delete
- create
- update
- patch
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- get
- list
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch
- apiGroups:
- kubevirt.io
resources:
- kubevirts
verbs:
- get
- list
- apiGroups:
- subresources.kubevirt.io
resources:
- virtualmachines/expand-spec
- virtualmachineinstances/guestosinfo
- virtualmachineinstances/filesystemlist
- virtualmachineinstances/userlist
- virtualmachineinstances/sev/fetchcertchain
- virtualmachineinstances/sev/querylaunchmeasurement
verbs:
- get
- apiGroups:
- subresources.kubevirt.io
resources:
- expand-vm-spec
verbs:
- update
- apiGroups:
- kubevirt.io
resources:
- virtualmachines
- virtualmachineinstances
- virtualmachineinstancepresets
- virtualmachineinstancereplicasets
- virtualmachineinstancemigrations
verbs:
- get
- list
- watch
- apiGroups:
- snapshot.kubevirt.io
resources:
- virtualmachinesnapshots
- virtualmachinesnapshotcontents
- virtualmachinerestores
verbs:
- get
- list
- watch
- apiGroups:
- export.kubevirt.io
resources:
- virtualmachineexports
verbs:
- get
- list
- watch
- apiGroups:
- clone.kubevirt.io
resources:
- virtualmachineclones
verbs:
- get
- list
- watch
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineinstancetypes
- virtualmachineclusterinstancetypes
- virtualmachinepreferences
- virtualmachineclusterpreferences
verbs:
- get
- list
- watch
- apiGroups:
- pool.kubevirt.io
resources:
- virtualmachinepools
verbs:
- get
- list
- watch
- apiGroups:
- migrations.kubevirt.io
resources:
- migrationpolicies
verbs:
- get
- list
- watch
- apiGroups:
- instancetype.kubevirt.io
resources:
- virtualmachineclusterinstancetypes
- virtualmachineclusterpreferences
verbs:
- get
- list
- watch
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
kubevirt.io: ""
name: kubevirt-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubevirt-operator
subjects:
- kind: ServiceAccount
name: kubevirt-operator
namespace: {{ .Release.Namespace }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
kubevirt.io: virt-operator
name: virt-operator
namespace: {{ .Release.Namespace }}
spec:
replicas: 2
selector:
matchLabels:
kubevirt.io: virt-operator
strategy:
type: RollingUpdate
template:
metadata:
labels:
kubevirt.io: virt-operator
name: virt-operator
prometheus.kubevirt.io: "true"
name: virt-operator
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: kubevirt.io
operator: In
values:
- virt-operator
topologyKey: kubernetes.io/hostname
weight: 1
containers:
- args:
- --port
- "8443"
- -v
- "2"
command:
- virt-operator
env:
- name: VIRT_OPERATOR_IMAGE
value: {{ .Values.operator.image }}:{{ .Values.operator.version }}
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.annotations['olm.targetNamespaces']
- name: KUBEVIRT_VERSION
value: {{ .Values.operator.version }}
image: {{ .Values.operator.image }}:{{ .Values.operator.version }}
imagePullPolicy: {{ .Values.operator.pullPolicy }}
name: virt-operator
ports:
- containerPort: 8443
name: metrics
protocol: TCP
- containerPort: 8444
name: webhooks
protocol: TCP
readinessProbe:
httpGet:
path: /metrics
port: 8443
scheme: HTTPS
initialDelaySeconds: 5
timeoutSeconds: 10
resources:
requests:
cpu: 10m
memory: 450Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /etc/virt-operator/certificates
name: kubevirt-operator-certs
readOnly: true
- mountPath: /profile-data
name: profile-data
nodeSelector:
kubernetes.io/os: linux
priorityClassName: kubevirt-cluster-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: kubevirt-operator
tolerations:
- key: CriticalAddonsOnly
operator: Exists
volumes:
- name: kubevirt-operator-certs
secret:
optional: true
secretName: kubevirt-operator-certs
- emptyDir: {}
name: profile-data
Reference in New Issue View Git Blame Copy Permalink