# Policy to ensure the API server isn't cut off. Can be modified, but ensure # that the main API server is always able to reach the Calico API server. kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-apiserver namespace: calico-apiserver spec: podSelector: matchLabels: apiserver: "true" ingress: - ports: - protocol: TCP port: 5443 --- apiVersion: v1 kind: Service metadata: name: calico-api namespace: calico-apiserver spec: ports: - name: apiserver port: 443 protocol: TCP targetPort: 5443 selector: apiserver: "true" type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: apiserver: "true" k8s-app: calico-apiserver name: calico-apiserver namespace: calico-apiserver spec: replicas: 1 selector: matchLabels: apiserver: "true" strategy: type: Recreate template: metadata: labels: apiserver: "true" k8s-app: calico-apiserver name: calico-apiserver namespace: calico-apiserver spec: containers: - args: - --secure-port=5443 env: - name: DATASTORE_TYPE value: kubernetes image: {{ calico_apiserver_image_repo }}:{{ calico_apiserver_image_tag }} imagePullPolicy: {{ k8s_image_pull_policy }} livenessProbe: httpGet: path: /version port: 5443 scheme: HTTPS initialDelaySeconds: 90 periodSeconds: 10 name: calico-apiserver readinessProbe: exec: command: - /code/filecheck failureThreshold: 5 initialDelaySeconds: 5 periodSeconds: 10 securityContext: privileged: false runAsUser: 0 volumeMounts: - mountPath: /code/apiserver.local.config/certificates name: calico-apiserver-certs dnsPolicy: ClusterFirst nodeSelector: kubernetes.io/os: linux restartPolicy: Always serviceAccount: calico-apiserver serviceAccountName: calico-apiserver tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master volumes: - name: calico-apiserver-certs secret: secretName: calico-apiserver-certs --- apiVersion: v1 kind: ServiceAccount metadata: name: calico-apiserver namespace: calico-apiserver --- # Cluster-scoped resources below here. apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v3.projectcalico.org spec: group: projectcalico.org groupPriorityMinimum: 1500 caBundle: {{ calico_apiserver_cabundle }} service: name: calico-api namespace: calico-apiserver port: 443 version: v3 versionPriority: 200 --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: calico-crds rules: - apiGroups: - extensions - networking.k8s.io - "" resources: - networkpolicies - nodes - namespaces - pods - serviceaccounts verbs: - get - list - watch - apiGroups: - crd.projectcalico.org resources: - globalnetworkpolicies - networkpolicies - clusterinformations - hostendpoints - globalnetworksets - networksets - bgpconfigurations - bgppeers - felixconfigurations - kubecontrollersconfigurations - ippools - ipreservations - ipamblocks - blockaffinities - caliconodestatuses verbs: - get - list - watch - create - update - delete - apiGroups: - policy resourceNames: - calico-apiserver resources: - podsecuritypolicies verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: calico-extension-apiserver-auth-access rules: - apiGroups: - "" resourceNames: - extension-apiserver-authentication resources: - configmaps verbs: - list - watch - get - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles - clusterrolebindings - roles - rolebindings verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: calico-webhook-reader rules: - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations - validatingwebhookconfigurations verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: calico-apiserver-access-crds roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-crds subjects: - kind: ServiceAccount name: calico-apiserver namespace: calico-apiserver --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: calico-apiserver-delegate-auth roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: calico-apiserver namespace: calico-apiserver --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: calico-apiserver-webhook-reader roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-webhook-reader subjects: - kind: ServiceAccount name: calico-apiserver namespace: calico-apiserver --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: calico-extension-apiserver-auth-access roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-extension-apiserver-auth-access subjects: - kind: ServiceAccount name: calico-apiserver namespace: calico-apiserver --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' name: calico-apiserver spec: allowPrivilegeEscalation: false fsGroup: ranges: - max: 65535 min: 1 rule: MustRunAs hostPorts: - max: 65535 min: 0 requiredDropCapabilities: - ALL runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: ranges: - max: 65535 min: 1 rule: MustRunAs volumes: - secret