apiVersion: v1 kind: Namespace metadata: labels: pod-security.kubernetes.io/enforce: privileged name: system-upgrade --- apiVersion: v1 kind: ServiceAccount metadata: name: system-upgrade namespace: system-upgrade --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: system-upgrade-controller namespace: system-upgrade rules: - apiGroups: - batch resources: - jobs verbs: - create - delete - deletecollection - patch - update - get - list - watch - apiGroups: - "" resources: - secrets verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: system-upgrade-controller rules: - apiGroups: - batch resources: - jobs verbs: - get - list - watch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch - create - patch - update - apiGroups: - "" resources: - namespaces - nodes verbs: - get - list - watch - apiGroups: - "" resources: - nodes verbs: - update - apiGroups: - "" resources: - events verbs: - get - create - patch - update - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - apiGroups: - coordination.k8s.io resourceNames: - system-upgrade-controller resources: - leases verbs: - get - update - apiGroups: - upgrade.cattle.io resources: - plans - plans/status verbs: - get - list - watch - create - patch - update - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: system-upgrade-controller-drainer rules: - apiGroups: - "" resources: - pods/eviction verbs: - create - apiGroups: - "" resources: - pods verbs: - get - list - delete - apiGroups: - "" resources: - nodes verbs: - get - patch - apiGroups: - apps resources: - statefulsets - daemonsets - replicasets verbs: - get - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: system-upgrade namespace: system-upgrade roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: system-upgrade-controller subjects: - kind: ServiceAccount name: system-upgrade namespace: system-upgrade --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: system-upgrade roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system-upgrade-controller subjects: - kind: ServiceAccount name: system-upgrade namespace: system-upgrade --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: system-upgrade-drainer roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system-upgrade-controller-drainer subjects: - kind: ServiceAccount name: system-upgrade namespace: system-upgrade --- apiVersion: v1 data: SYSTEM_UPGRADE_CONTROLLER_DEBUG: "false" SYSTEM_UPGRADE_CONTROLLER_LEADER_ELECT: "true" SYSTEM_UPGRADE_CONTROLLER_THREADS: "2" SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: "900" SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: "99" SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: Always SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: rancher/kubectl:v1.30.3 SYSTEM_UPGRADE_JOB_PRIVILEGED: "true" SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: "900" SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m kind: ConfigMap metadata: name: default-controller-env namespace: system-upgrade --- apiVersion: apps/v1 kind: Deployment metadata: name: system-upgrade-controller namespace: system-upgrade spec: selector: matchLabels: upgrade.cattle.io/controller: system-upgrade-controller strategy: type: Recreate template: metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/name: system-upgrade-controller upgrade.cattle.io/controller: system-upgrade-controller spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node-role.kubernetes.io/control-plane operator: Exists - key: kubernetes.io/os operator: In values: - linux podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app.kubernetes.io/name operator: In values: - system-upgrade-controller topologyKey: kubernetes.io/hostname containers: - env: - name: SYSTEM_UPGRADE_CONTROLLER_NAME valueFrom: fieldRef: fieldPath: metadata.labels['upgrade.cattle.io/controller'] - name: SYSTEM_UPGRADE_CONTROLLER_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: SYSTEM_UPGRADE_CONTROLLER_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName envFrom: - configMapRef: name: default-controller-env image: rancher/system-upgrade-controller:v0.15.2 imagePullPolicy: IfNotPresent name: system-upgrade-controller securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsGroup: 65534 runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /etc/ssl name: etc-ssl readOnly: true - mountPath: /etc/pki name: etc-pki readOnly: true - mountPath: /etc/ca-certificates name: etc-ca-certificates readOnly: true - mountPath: /tmp name: tmp serviceAccountName: system-upgrade tolerations: - key: CriticalAddonsOnly operator: Exists - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists - effect: NoSchedule key: node-role.kubernetes.io/controlplane operator: Exists - effect: NoSchedule key: node-role.kubernetes.io/control-plane operator: Exists - effect: NoExecute key: node-role.kubernetes.io/etcd operator: Exists volumes: - hostPath: path: /etc/ssl type: DirectoryOrCreate name: etc-ssl - hostPath: path: /etc/pki type: DirectoryOrCreate name: etc-pki - hostPath: path: /etc/ca-certificates type: DirectoryOrCreate name: etc-ca-certificates - emptyDir: {} name: tmp