apiVersion: v1 kind: Namespace metadata: labels: control-plane: controller-manager name: platform-system --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: platform-system/platform-serving-cert controller-gen.kubebuilder.io/version: v0.2.4 creationTimestamp: null name: clusterresourcequotas.platform.flanksource.com spec: group: platform.flanksource.com names: kind: ClusterResourceQuota listKind: ClusterResourceQuotaList plural: clusterresourcequotas singular: clusterresourcequota scope: Cluster validation: openAPIV3Schema: description: ClusterResourceQuota is the Schema for the clusterresourcequotas API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Spec defines the desired quota properties: quota: description: Quota sets aggregate quota restrictions enforced across all namespaces properties: hard: additionalProperties: type: string description: 'hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' type: object scopeSelector: description: scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. properties: matchExpressions: description: A list of scope selector requirements by scope of the resources. items: description: A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values. properties: operator: description: Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. type: string scopeName: description: The name of the scope that the selector applies to. type: string values: description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - operator - scopeName type: object type: array type: object scopes: description: A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects. items: description: A ResourceQuotaScope defines a filter that must match each object tracked by a quota type: string type: array type: object type: object status: description: Status defines the actual enforced quota and its current usage properties: namespaces: description: Slices the quota used per namespace items: description: ResourceQuotaStatusByNamespace gives status for a particular name properties: namespace: description: Namespace the project this status applies to type: string status: description: Status indicates how many resources have been consumed by this project properties: hard: additionalProperties: type: string description: 'Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' type: object used: additionalProperties: type: string description: Used is the current observed total usage of the resource in the namespace. type: object type: object required: - namespace - status type: object type: array total: description: Total defines the actual enforced quota and its current usage across all namespaces properties: hard: additionalProperties: type: string description: 'Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' type: object used: additionalProperties: type: string description: Used is the current observed total usage of the resource in the namespace. type: object type: object required: - namespaces type: object type: object version: v1 versions: - name: v1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: platform-system/platform-serving-cert creationTimestamp: null name: platform-mutating-webhook-configuration namespace: platform-system webhooks: - clientConfig: caBundle: Cg== service: name: platform-webhook-service namespace: platform-system path: /mutate-v1-ingress failurePolicy: Ignore name: annotate-ingress-v1.platform.flanksource.com rules: - apiGroups: - extensions apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - ingresses - clientConfig: caBundle: Cg== service: name: platform-webhook-service namespace: platform-system path: /mutate-v1-pod failurePolicy: Ignore name: annotate-pods-v1.platform.flanksource.com rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE - UPDATE resources: - pods --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: annotations: cert-manager.io/inject-ca-from: platform-system/platform-serving-cert creationTimestamp: null name: platform-validating-webhook-configuration namespace: platform-system webhooks: - clientConfig: caBundle: Cg== service: name: platform-webhook-service namespace: platform-system path: /validate-clusterresourcequota-platform-flanksource-com-v1 failurePolicy: Fail name: clusterresourcequotas-validation-v1.platform.flanksource.com rules: - apiGroups: - platform.flanksource.com apiVersions: - v1 operations: - CREATE - UPDATE resources: - clusterresourcequotas - clientConfig: caBundle: Cg== service: name: platform-webhook-service namespace: platform-system path: /validate-resourcequota-v1 failurePolicy: Fail name: resourcequotas-validation-v1.platform.flanksource.com rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE - UPDATE resources: - resourcequotas --- apiVersion: v1 kind: ServiceAccount metadata: name: platform-operator namespace: platform-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: platform-leader-election namespace: platform-system rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - create - update - patch - delete - apiGroups: - "" resources: - configmaps/status verbs: - get - update - patch - apiGroups: - "" resources: - events verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: platform-clusterresourcequota-editor rules: - apiGroups: - platform.flanksource.com resources: - clusterresourcequotas verbs: - create - delete - get - list - patch - update - watch - apiGroups: - platform.flanksource.com resources: - clusterresourcequotas/status verbs: - get - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: platform-clusterresourcequota-viewer rules: - apiGroups: - platform.flanksource.com resources: - clusterresourcequotas verbs: - get - list - watch - apiGroups: - platform.flanksource.com resources: - clusterresourcequotas/status verbs: - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: platform-manager rules: - apiGroups: - "" resources: - namespaces verbs: - delete - get - list - watch - apiGroups: - "" resources: - pods verbs: - get - list - update - watch - apiGroups: - "" resources: - resourcequotas verbs: - get - list - watch - apiGroups: - "" resources: - services verbs: - get - list - watch - apiGroups: - extensions resources: - ingresses verbs: - get - list - update - watch - apiGroups: - platform.flanksource.com resources: - clusterresourcequotas verbs: - create - delete - get - list - patch - update - watch - apiGroups: - platform.flanksource.com resources: - clusterresourcequotas/status verbs: - get - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: platform-leader-election namespace: platform-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: platform-leader-election subjects: - kind: ServiceAccount name: platform-operator namespace: platform-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: platform-manager roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: platform-manager subjects: - kind: ServiceAccount name: platform-operator namespace: platform-system --- apiVersion: v1 kind: Service metadata: name: platform-webhook-service namespace: platform-system spec: ports: - port: 443 targetPort: 9443 selector: control-plane: controller-manager --- apiVersion: apps/v1 kind: Deployment metadata: labels: control-plane: controller-manager name: platform-operator namespace: platform-system spec: replicas: 1 selector: matchLabels: control-plane: controller-manager template: metadata: labels: control-plane: controller-manager spec: containers: - args: - --enable-leader-election - --annotations=foo.flanksource.com/bar,foo.flanksource.com/baz command: - /manager image: docker.io/flanksource/platform-operator:latest imagePullPolicy: Always name: manager ports: - containerPort: 9443 name: webhook-server protocol: TCP resources: limits: cpu: 100m memory: 30Mi requests: cpu: 100m memory: 20Mi volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true serviceAccountName: platform-operator terminationGracePeriodSeconds: 10 volumes: - name: cert secret: defaultMode: 420 secretName: webhook-server-cert --- apiVersion: cert-manager.io/v1alpha2 kind: Certificate metadata: name: platform-serving-cert namespace: platform-system spec: dnsNames: - platform-webhook-service.platform-system.svc - platform-webhook-service.platform-system.svc.cluster.local issuerRef: kind: Issuer name: platform-selfsigned-issuer secretName: webhook-server-cert --- apiVersion: cert-manager.io/v1alpha2 kind: Issuer metadata: name: platform-selfsigned-issuer namespace: platform-system spec: selfSigned: {}