127 lines
3.1 KiB
YAML
127 lines
3.1 KiB
YAML
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: longhorn-uninstall-psp
|
|
spec:
|
|
privileged: true
|
|
allowPrivilegeEscalation: true
|
|
requiredDropCapabilities:
|
|
- NET_RAW
|
|
allowedCapabilities:
|
|
- SYS_ADMIN
|
|
hostNetwork: false
|
|
hostIPC: false
|
|
hostPID: true
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
seLinux:
|
|
rule: RunAsAny
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- configMap
|
|
- downwardAPI
|
|
- emptyDir
|
|
- secret
|
|
- projected
|
|
- hostPath
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: longhorn-uninstall-service-account
|
|
namespace: default
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: longhorn-uninstall-role
|
|
rules:
|
|
- apiGroups:
|
|
- apiextensions.k8s.io
|
|
resources:
|
|
- customresourcedefinitions
|
|
verbs:
|
|
- "*"
|
|
- apiGroups: [""]
|
|
resources: ["pods", "persistentvolumes", "persistentvolumeclaims", "nodes", "configmaps", "secrets", "services", "endpoints"]
|
|
verbs: ["*"]
|
|
- apiGroups: ["apps"]
|
|
resources: ["daemonsets", "statefulsets", "deployments"]
|
|
verbs: ["*"]
|
|
- apiGroups: ["batch"]
|
|
resources: ["jobs", "cronjobs"]
|
|
verbs: ["*"]
|
|
- apiGroups: ["policy"]
|
|
resources: ["poddisruptionbudgets"]
|
|
verbs: ["*"]
|
|
- apiGroups: ["scheduling.k8s.io"]
|
|
resources: ["priorityclasses"]
|
|
verbs: ["watch", "list"]
|
|
- apiGroups: ["storage.k8s.io"]
|
|
resources: ["csidrivers", "storageclasses"]
|
|
verbs: ["*"]
|
|
- apiGroups: ["longhorn.io"]
|
|
resources: ["volumes", "engines", "replicas", "settings", "engineimages", "nodes", "instancemanagers", "sharemanagers", "backingimages", "backingimagemanagers"]
|
|
verbs: ["*"]
|
|
- apiGroups: ["coordination.k8s.io"]
|
|
resources: ["leases"]
|
|
verbs: ["*"]
|
|
- apiGroups: ["policy"]
|
|
resources: ["podsecuritypolicies"]
|
|
verbs: ["use"]
|
|
resourceNames: ["longhorn-uninstall-psp"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: longhorn-uninstall-bind
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: longhorn-uninstall-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: longhorn-uninstall-service-account
|
|
namespace: default
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: longhorn-uninstall
|
|
namespace: default
|
|
spec:
|
|
activeDeadlineSeconds: 900
|
|
backoffLimit: 1
|
|
template:
|
|
metadata:
|
|
name: longhorn-uninstall
|
|
spec:
|
|
containers:
|
|
- name: longhorn-uninstall
|
|
image: longhornio/longhorn-manager:v1.1.3
|
|
imagePullPolicy: Always
|
|
securityContext:
|
|
privileged: true
|
|
command:
|
|
- longhorn-manager
|
|
- uninstall
|
|
- --force
|
|
env:
|
|
- name: LONGHORN_NAMESPACE
|
|
value: longhorn-system
|
|
restartPolicy: OnFailure
|
|
serviceAccountName: longhorn-uninstall-service-account
|
|
# imagePullSecrets:
|
|
# - name: ""
|
|
# priorityClassName:
|
|
# tolerations:
|
|
# - key: "key"
|
|
# operator: "Equal"
|
|
# value: "value"
|
|
# effect: "NoSchedule"
|
|
# nodeSelector:
|
|
# label-key1: "label-value1"
|
|
# label-key2: "label-value2" |