# Based on bitnami/metallb helm chart 4.1.12 for metallb 0.13.7 --- kind: DaemonSet apiVersion: apps/v1 metadata: namespace: metallb name: metallb-speaker spec: updateStrategy: type: RollingUpdate selector: matchLabels: app: metallb-speaker template: metadata: labels: app: metallb-speaker spec: serviceAccountName: metallb-speaker hostNetwork: true securityContext: fsGroup: 0 terminationGracePeriodSeconds: 2 containers: - name: metallb-speaker image: "docker.io/bitnami/metallb-speaker:0.13.7-debian-11-r8" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW - SYS_ADMIN drop: - ALL readOnlyRootFilesystem: true runAsUser: 0 args: - "--port=7472" env: - name: METALLB_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: METALLB_HOST valueFrom: fieldRef: fieldPath: status.hostIP - name: METALLB_ML_BIND_ADDR valueFrom: fieldRef: fieldPath: status.podIP - name: METALLB_ML_LABELS value: app=metallb-speaker - name: METALLB_ML_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: METALLB_ML_SECRET_KEY valueFrom: secretKeyRef: name: metallb-memberlist key: secretkey ports: - name: metrics containerPort: 7472 livenessProbe: failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 httpGet: path: /metrics port: metrics readinessProbe: failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 httpGet: path: /metrics port: metrics resources: {} --- kind: Secret apiVersion: v1 metadata: namespace: metallb name: webhook-server-cert --- kind: Deployment apiVersion: apps/v1 metadata: namespace: metallb name: metallb-controller labels: app.kubernetes.io/name: metallb spec: replicas: 1 strategy: type: RollingUpdate revisionHistoryLimit: 3 selector: matchLabels: app: metallb-controller template: metadata: labels: app: metallb-controller spec: serviceAccountName: metallb-controller securityContext: fsGroup: 1001 volumes: - name: cert secret: defaultMode: 420 secretName: webhook-server-cert containers: - name: metallb-controller image: "docker.io/bitnami/metallb-controller:0.13.7-debian-11-r9" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1001 args: - --port=7472 - --cert-service-name=metallb-webhook-service ports: - name: webhook-server containerPort: 9443 - name: metrics containerPort: 7472 volumeMounts: - name: cert mountPath: /tmp/k8s-webhook-server/serving-certs readOnly: true livenessProbe: failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 httpGet: path: /metrics port: metrics readinessProbe: failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 httpGet: path: /metrics port: metrics resources: {} --- kind: Service apiVersion: v1 metadata: namespace: metallb name: metallb-webhook-service spec: ports: - port: 443 targetPort: 9443 selector: app: metallb-controller --- kind: ValidatingWebhookConfiguration apiVersion: admissionregistration.k8s.io/v1 metadata: name: metallb-webhook-configuration webhooks: - admissionReviewVersions: - v1 clientConfig: service: namespace: metallb name: metallb-webhook-service path: /validate-metallb-io-v1beta1-addresspool failurePolicy: Fail name: addresspoolvalidationwebhook.metallb.io rules: - apiGroups: - metallb.io apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - addresspools sideEffects: None - admissionReviewVersions: - v1 clientConfig: service: namespace: metallb name: metallb-webhook-service path: /validate-metallb-io-v1beta2-bgppeer failurePolicy: Fail name: bgppeervalidationwebhook.metallb.io rules: - apiGroups: - metallb.io apiVersions: - v1beta2 operations: - CREATE - UPDATE resources: - bgppeers sideEffects: None - admissionReviewVersions: - v1 clientConfig: service: namespace: metallb name: metallb-webhook-service path: /validate-metallb-io-v1beta1-ipaddresspool failurePolicy: Fail name: ipaddresspoolvalidationwebhook.metallb.io rules: - apiGroups: - metallb.io apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - ipaddresspools sideEffects: None - admissionReviewVersions: - v1 clientConfig: service: namespace: metallb name: metallb-webhook-service path: /validate-metallb-io-v1beta1-bgpadvertisement failurePolicy: Fail name: bgpadvertisementvalidationwebhook.metallb.io rules: - apiGroups: - metallb.io apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - bgpadvertisements sideEffects: None - admissionReviewVersions: - v1 clientConfig: service: namespace: metallb name: metallb-webhook-service path: /validate-metallb-io-v1beta1-community failurePolicy: Fail name: communityvalidationwebhook.metallb.io rules: - apiGroups: - metallb.io apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - communities sideEffects: None - admissionReviewVersions: - v1 clientConfig: service: namespace: metallb name: metallb-webhook-service path: /validate-metallb-io-v1beta1-bfdprofile failurePolicy: Fail name: bfdprofileyvalidationwebhook.metallb.io rules: - apiGroups: - metallb.io apiVersions: - v1beta1 operations: - DELETE resources: - bfdprofiles sideEffects: None - admissionReviewVersions: - v1 clientConfig: service: namespace: metallb name: metallb-webhook-service path: /validate-metallb-io-v1beta1-l2advertisement failurePolicy: Fail name: l2advertisementvalidationwebhook.metallb.io rules: - apiGroups: - metallb.io apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - l2advertisements sideEffects: None