mirrors/node-feature-discovery
mirrors/node-feature-discovery
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/node-feature-discovery.git synced 2025-03-05 16:27:05 +00:00
Code Activity
node-feature-discovery/nfd-worker-job.yaml.template
Markus Lehtonen 3cd2d34ea7 Add container security context to the sample deployment specs 
Run under strict rules. We shouldn't need any special privileges.
2020-05-28 15:49:00 +03:00

75 lines
2.2 KiB
Text
Raw Blame History

apiVersion: batch/v1
kind: Job
metadata:
labels:
app: node-feature-discovery
name: nfd-worker
namespace: node-feature-discovery
spec:
completions: COMPLETION_COUNT
parallelism: PARALLELISM_COUNT
template:
metadata:
labels:
app: node-feature-discovery
spec:
dnsPolicy: ClusterFirstWithHostNet
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- node-feature-discovery
containers:
- env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
name: nfd-worker
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
command:
- "nfd-worker"
args:
- "--oneshot"
- "--server=nfd-master:8080"
volumeMounts:
- name: host-boot
mountPath: "/host-boot"
readOnly: true
- name: host-os-release
mountPath: "/host-etc/os-release"
readOnly: true
- name: host-sys
mountPath: "/host-sys"
- name: source-d
mountPath: "/etc/kubernetes/node-feature-discovery/source.d/"
- name: features-d
mountPath: "/etc/kubernetes/node-feature-discovery/features.d/"
restartPolicy: Never
volumes:
- name: host-boot
hostPath:
path: "/boot"
- name: host-os-release
hostPath:
path: "/etc/os-release"
- name: host-sys
hostPath:
path: "/sys"
- name: source-d
hostPath:
path: "/etc/kubernetes/node-feature-discovery/source.d/"
- name: features-d
hostPath:
path: "/etc/kubernetes/node-feature-discovery/features.d/"
View git blame Copy permalink