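# Policy to ensure the API server isn't cut off. Can be modified, but ensure
# that the main API server is always able to reach the Calico API server.
#
# The ingress rule below carries no `from` selector, so any source may reach
# TCP/5443; its purpose is to keep other policies in the namespace from
# isolating the Calico API server from the kube-apiserver. Authentication of
# callers is delegated to the kube-apiserver (see the auth-delegator binding
# further down), not enforced at the network layer.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-apiserver
  namespace: calico-apiserver
spec:
  podSelector:
    matchLabels:
      apiserver: "true"
  # Ingress-only policy; stated explicitly rather than relying on the default
  # inferred from the presence of an `ingress` section.
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - protocol: TCP
          port: 5443
---
# ClusterIP service fronting the API server pod. The APIService registration
# below points at this service on port 443, which forwards to the container's
# secure port 5443.
apiVersion: v1
kind: Service
metadata:
  name: calico-api
  namespace: calico-apiserver
spec:
  ports:
    - name: apiserver
      port: 443
      protocol: TCP
      targetPort: 5443
  selector:
    apiserver: "true"
  type: ClusterIP
---
# Single-replica Deployment of the Calico aggregated API server.
# `strategy: Recreate` means a rollout briefly leaves the projectcalico.org
# API group unserved (no overlap between old and new pod).
#
# NOTE(review): the container runs as uid 0 (`runAsUser: 0`) with
# `privileged: false` but sets neither `allowPrivilegeEscalation: false` nor
# a capabilities drop; whether the image tolerates a tighter context
# (non-root uid, read-only root filesystem) is not verifiable from this
# manifest — TODO confirm against the image before hardening.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    apiserver: "true"
    k8s-app: calico-apiserver
  name: calico-apiserver
  namespace: calico-apiserver
spec:
  replicas: 1
  selector:
    matchLabels:
      apiserver: "true"
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        apiserver: "true"
        k8s-app: calico-apiserver
      name: calico-apiserver
      namespace: calico-apiserver
    spec:
      containers:
        - args:
            # Serving port; must match the Service targetPort, the probes and
            # the NetworkPolicy above.
            - --secure-port=5443
          env:
            # Calico objects are stored as CRDs in the Kubernetes datastore,
            # which is why the calico-crds ClusterRole below needs full CRUD.
            - name: DATASTORE_TYPE
              value: kubernetes
          image: {{ calico_apiserver_image_repo }}:{{ calico_apiserver_image_tag }}
          imagePullPolicy: {{ k8s_image_pull_policy }}
          livenessProbe:
            httpGet:
              path: /version
              port: 5443
              scheme: HTTPS
            initialDelaySeconds: 90
            periodSeconds: 10
          name: calico-apiserver
{% if calico_version is version('v3.28.0', '>=') %}
          # Calico >= v3.28.0 serves a /readyz endpoint.
          readinessProbe:
            httpGet:
              path: /readyz
              port: 5443
              scheme: HTTPS
            timeoutSeconds: 5
            periodSeconds: 60
{% else %}
          # Older images are probed via the in-image filecheck helper.
          readinessProbe:
            exec:
              command:
                - /code/filecheck
            failureThreshold: 5
            initialDelaySeconds: 5
            periodSeconds: 10
{% endif %}
          securityContext:
            privileged: false
            runAsUser: 0
          volumeMounts:
            # Serving certificate and key, supplied via the
            # calico-apiserver-certs Secret mounted below.
            - mountPath: /code/apiserver.local.config/certificates
              name: calico-apiserver-certs
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: Always
      # `serviceAccount` (deprecated alias of serviceAccountName) is omitted;
      # serviceAccountName is the authoritative field.
      serviceAccountName: calico-apiserver
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
      volumes:
        - name: calico-apiserver-certs
          secret:
            secretName: calico-apiserver-certs
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-apiserver
  namespace: calico-apiserver
---
# Cluster-scoped resources below here.
#
# Registers the projectcalico.org/v3 group with the kube-apiserver aggregation
# layer. `caBundle` is the CA the kube-apiserver uses to verify the serving
# certificate presented on calico-api:443; it is rendered from
# calico_apiserver_cabundle and must correspond to the key material in the
# calico-apiserver-certs Secret.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v3.projectcalico.org
spec:
  group: projectcalico.org
  groupPriorityMinimum: 1500
  caBundle: {{ calico_apiserver_cabundle }}
  service:
    name: calico-api
    namespace: calico-apiserver
    port: 443
  version: v3
  versionPriority: 200
---
# Datastore access for the aggregated API server: read-only on the core /
# networking objects it translates, full CRUD on the Calico CRDs it fronts.
# This is the broadest grant in the file; it is cluster-wide by design
# because the projectcalico.org API is itself cluster-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-crds
rules:
  - apiGroups:
      - extensions
      - networking.k8s.io
      - ""
    resources:
      - networkpolicies
      - nodes
      - namespaces
      - pods
      - serviceaccounts
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - crd.projectcalico.org
    resources:
      - globalnetworkpolicies
      - networkpolicies
      - clusterinformations
      - hostendpoints
      - globalnetworksets
      - networksets
      - bgpconfigurations
      - bgppeers
      - bgpfilters
      - felixconfigurations
      - kubecontrollersconfigurations
      - ippools
      - ipamconfigs
      - ipreservations
      - ipamblocks
      - blockaffinities
      - caliconodestatuses
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
{% if calico_version is version('v3.28.0', '>=') %}
  # NOTE(review): PodSecurityPolicy (policy/v1beta1) no longer exists on
  # Kubernetes 1.25+, so this `use` grant is inert there; the >= v3.28.0 gate
  # reads as if it were meant to apply to older releases — confirm the
  # intended direction of the condition.
  - apiGroups:
      - policy
    resourceNames:
      - calico-apiserver
    resources:
      - podsecuritypolicies
    verbs:
      - use
{% endif %}
---
# Read access to the kube-apiserver's published authentication configuration
# (client CA, request-header settings) required for delegated authentication,
# plus read-only RBAC visibility. Scoped to the single ConfigMap by
# resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-extension-apiserver-auth-access
rules:
  - apiGroups:
      - ""
    resourceNames:
      - extension-apiserver-authentication
    resources:
      - configmaps
    verbs:
      - list
      - watch
      - get
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - clusterrolebindings
      - roles
      - rolebindings
    verbs:
      - get
      - list
      - watch
---
# Read-only access to admission webhook configurations.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-webhook-reader
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - get
      - list
      - watch
---
# Bindings: every role above, plus the built-in system:auth-delegator, is
# bound to the single calico-apiserver ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-apiserver-access-crds
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-crds
subjects:
  - kind: ServiceAccount
    name: calico-apiserver
    namespace: calico-apiserver
---
# system:auth-delegator lets the API server create TokenReviews and
# SubjectAccessReviews, i.e. defer authn/authz of its callers to the
# kube-apiserver rather than validating credentials itself.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-apiserver-delegate-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: calico-apiserver
    namespace: calico-apiserver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-apiserver-webhook-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-webhook-reader
subjects:
  - kind: ServiceAccount
    name: calico-apiserver
    namespace: calico-apiserver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-extension-apiserver-auth-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-extension-apiserver-auth-access
subjects:
  - kind: ServiceAccount
    name: calico-apiserver
    namespace: calico-apiserver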