generated from kubernetes/kubernetes-template-project
-
Notifications
You must be signed in to change notification settings - Fork 27
/
managedclustermodule-kmm-ci-build-sign.yaml
209 lines (208 loc) · 8.6 KB
/
managedclustermodule-kmm-ci-build-sign.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: allow-klusterlet-deploy-kmm-modules
spec:
remediationAction: enforce
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: klusterlet-deploy-modules
spec:
severity: high
object-templates:
- complianceType: mustonlyhave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kmm-module-manager
rules:
- apiGroups: [kmm.sigs.x-k8s.io]
resources: [modules]
verbs: [create, delete, get, list, patch, update, watch]
- complianceType: mustonlyhave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: klusterlet-kmm
subjects:
- kind: ServiceAccount
name: klusterlet-work-sa
namespace: open-cluster-management-agent
roleRef:
kind: ClusterRole
name: kmm-module-manager
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: all-managed-clusters
spec:
clusterSelector:
matchExpressions: []
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: bind-klusterlet-kmm-all-clusters
placementRef:
apiGroup: apps.open-cluster-management.io
kind: PlacementRule
name: all-managed-clusters
subjects:
- apiGroup: policy.open-cluster-management.io
kind: Policy
name: allow-klusterlet-deploy-kmm-modules
---
apiVersion: v1
kind: Secret
metadata:
name: fake-modprobe-signing-key-pub
namespace: kmm-operator-system
type: Opaque
stringData:
cert: |
-----BEGIN CERTIFICATE-----
MIIE8DCCAtigAwIBAgIUSRZJsM/2jzb7fm1PdqB/bjUOAtEwDQYJKoZIhvcNAQEN
BQAwEjEQMA4GA1UEAwwHTW9kdWxlczAgFw0yMzAxMjQxMDM3MzNaGA8yMTIyMTIz
MTEwMzczM1owEjEQMA4GA1UEAwwHTW9kdWxlczCCAiIwDQYJKoZIhvcNAQEBBQAD
ggIPADCCAgoCggIBAImPO0SLpA7l3/tOv/+ZwUm+o7W8c2BtDjmoVjLfWP0nwaV1
mWJOOxPMfwPwykCUL7s84E+FMNjcd0jZ5xPZD/uYBg3H1JUTfkFhaBDFc9EG+Sbn
HJYt9BBRTeH0pF2wbII7lU2Da7/qIIW9TZ5aH31RsMoPw57DTTMoJkUfp07YKr3a
PgY4Fjjf4haaLSBxzgv+WS88af7NSPFeuSVEGNCyI6Zu56LRJ7s/BlZrD1Q7Y7tD
GlASvK5s2GuNu+i9LD34yEgYK0EqBEdz82FDbic5uKecjvu1Wg+yg32tmQJYTHK9
joaPe6lvnUmIS1jlfk3qk8Tx44L0vdLeBf+ZMSYrugxvKq/Le7N5TTaKaHxd5pNz
GyHgvh3CN5SdroLAR+36gSvcBzM1uvAzsCRAYKRPult9z7GrLu8cnU7GVXBLIthP
P8mm26aBSYQGycJsUox8/MpEi5X/v1IYTIzpwevG7gruH8cfzvnVD90dwmE4D2nT
o5a9VmDaxbgreXLjCTihguSLqbMcH8l7OGRB1g8E2NgQrYNko9tDaYxP53fQhuZM
KS9zmTcC/EAqOym8f+j20y0/uxTCX5VCBAZzgn2ZvRY6shDXs5zZcFiujRWwzlA5
6fpjqpz5eI24GDJ039VXHQ8Gs14h67HgnrLwQSqX/Ml1en+OKkQAViC9FfVXAgMB
AAGjPDA6MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQeRCk5
b8GGuuc8QWV9PmZb3o638jANBgkqhkiG9w0BAQ0FAAOCAgEATtaTgC84GB5JVaIv
bfS8I68eEk/kCr9MShW7LGUgahUMvsEKZHj4zyXXPAz9udDkx4YE8be/dnz35evG
MwZ5vTb0uncJ+uhBQz1uITyS33cO/GQXXb6wSNZpBNg+VwN1c7L1iQ47VzFiqUeM
rVGblHC0/V95zbL/VeooXuRP/t0VHHxdM1AaNH21+JUGBVAq9BonRH1fx+AZptFg
kkmbefdquS12C1g6phlVnPakKVvlLe8kj3hsnaF7mRQJhKBxicxkJf7gIgbiH34v
SXADqWoD/WDGwHL2u40rEuShEA0lCodRAwKB0lXTFpHMyAFw30zOyXHbOpZyQC3m
BIY69QlIyKXknpQT2bvKeIAPOCsYD7ATt/hMf0aa94INBCBswa9gg/eX8+xQQIJn
DNIFbNtjmbuaFyDt1nT9xmeB2JPKkrpOx5B/BBNJGwK0fAuJa2623fGFuM95z2ug
sCrOlEiodxmMEVPZbCW084dHb3qoy9nTKrCcDQEp/s/5UVkjFe9BHaxlZZQbEGO9
2WQEuovQEGSHGGKuGeKrxJ2l5vccHFb6h8mXZbhNCCxom68lTYK7/0DGxPYsS0Vs
C9QOeeHlnKABV9wMzXbFiUccqjBzc8W/j1QKHD9mxFfVk6V/QmgVsViGPcTGnIVJ
8Fxc2/LOrAZzIL/OFXqZHUy6hW0=
-----END CERTIFICATE-----
---
apiVersion: v1
kind: Secret
metadata:
name: fake-modprobe-signing-key
namespace: kmm-operator-system
type: Opaque
stringData:
key: |
-----BEGIN PRIVATE KEY-----
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCJjztEi6QO5d/7
Tr//mcFJvqO1vHNgbQ45qFYy31j9J8GldZliTjsTzH8D8MpAlC+7POBPhTDY3HdI
2ecT2Q/7mAYNx9SVE35BYWgQxXPRBvkm5xyWLfQQUU3h9KRdsGyCO5VNg2u/6iCF
vU2eWh99UbDKD8Oew00zKCZFH6dO2Cq92j4GOBY43+IWmi0gcc4L/lkvPGn+zUjx
XrklRBjQsiOmbuei0Se7PwZWaw9UO2O7QxpQEryubNhrjbvovSw9+MhIGCtBKgRH
c/NhQ24nObinnI77tVoPsoN9rZkCWExyvY6Gj3upb51JiEtY5X5N6pPE8eOC9L3S
3gX/mTEmK7oMbyqvy3uzeU02imh8XeaTcxsh4L4dwjeUna6CwEft+oEr3AczNbrw
M7AkQGCkT7pbfc+xqy7vHJ1OxlVwSyLYTz/JptumgUmEBsnCbFKMfPzKRIuV/79S
GEyM6cHrxu4K7h/HH8751Q/dHcJhOA9p06OWvVZg2sW4K3ly4wk4oYLki6mzHB/J
ezhkQdYPBNjYEK2DZKPbQ2mMT+d30IbmTCkvc5k3AvxAKjspvH/o9tMtP7sUwl+V
QgQGc4J9mb0WOrIQ17Oc2XBYro0VsM5QOen6Y6qc+XiNuBgydN/VVx0PBrNeIeux
4J6y8EEql/zJdXp/jipEAFYgvRX1VwIDAQABAoICAAu8O2sqmpFmzQfsfPa6UEIR
UHgVnqYwR5Flqgzm/vmB5cRO1woK8IFM5d0ZMrf1rGjF1cES9MrbbBW7+Tm5P+LP
4lxUmu8o3ZGIVM9xeOLxPFo0Rz0MqJCnzwQi0c7oWSl3GdKmDpAt0h52uuNyftM7
H+DtHVwy/ygJGdK105knWeYec0ImkMbDWs9g0c69xr1BMqyT89r3+mwVD6h9Oby8
JcxyE7LRMxmHU+wVcBZYhraYD+ua3Zvnz0LFsa02TkrvKW71GOOTSRArdSzsCr6v
7u/lrFEO9KL4ML2NDMulasgzIbCbFwqqafm29e6cjXzqMTcRB77JUFRn+o0Grama
9o0HR2UH1L/dpob01s1BLOrQT7Z9nwjj7xcTWLeMhrvwRQZ0Gthag6fsyimnt3If
7SLs6y/4XvLepauu0wk6dVJq7gJjj3O8ZdHjYKobN04PmFHvIaKHdJCZlH9DZD3Q
Dh6qH9duet52BOIaEjRVqq2zP9Ug2rK0gjKxNpprxGkaZL4NcRNXvNSWoP5ClhO8
0XszqsKxpYu4SmAya4Yf2cdxT03YNmmy0CwM/m1k4lkLaLBtHJ4qGRqWWnZ4K+Ld
6UotTcCpufTp/9XqbGa1XS28MOhhoTz8xUCKsEKjomMlAX8D6Jpl3fTty5rN+PBv
KD5it2DatATeniyMPqihAoIBAQC7PLsJ3omdtyB1sE5g6A2FICIu+SpXi7GM+XNA
c278YhAonB47I7wbYgU4So1b5D48Ml7NafD2b2YLrHFNiFSPvVlUMUdIXDlL1wDA
zDJDuuK7rWbXsIwpEnWFM3lx6VAGvQZsmruGLBgsTS3GBw4DSCuBeXDpk+4p8GXc
ih+FZiz+5IYHQ0QuIlTRh3mKsjByJj/Tb+pwacFiE8UlVlVREPkFKhvZYItAz2xR
ehTW2EDqalpOo29AJ9/2309nFWlCsJsASImZpqi2rKniZFyG2Yyuhh3AmUBD61cC
rDRGgKyy0bxJpP9XK1H0MvwRL1ZcUbPoPtvSq8lcNJb1YjXnAoIBAQC8FAGYYJom
LVnOhtrpo4CRVpVKbWN9CgOs+pfAarONw4EZasQ5fGAxSWAttrSF1niDA0E7ISro
iblA5t5F/VIPQTEhOWXc7ORPVno+gHLQYttkzRj/zwMDFc4NnzImr9kMEKiNfjKN
B+RpX9LI3At2ZEdvoKzetffVGgo4Ki4IHOSWTwtP6956OvrM4BVc9+XzHeuoboc3
KGkCV//QsrfXPYxukZc4ClZyAafh+0Kf+kLSl3GPYQgmFIL/XLjCaqakPWyvrZ3L
O2YmTTALeB0JugNyiyrdJO5cKagVCTakdRntBZZZQYwN/2NedDQTJGZ5olBYW9ke
CQ1/3XGtLncRAoIBAQCkyMgb4XzgDyFEMoxogRIVDbjH+oYnUkxKs+eY237cJDnw
Y6W/iq2ss9HAPuy16ORU+kexJQHrAROgRn3ZLJivgIezr0L7Dh9m/awuAghiz4Fo
hy2xujFAnHxNZIYHmLzTkVysDGnppbkIlEwqsl7EyKlxY73Z9FVxF5+uPumK7+e9
1MWYcrz4lUJsvXxccoJsk/ksTpzXnluRw7CIMbkYhYWD5BFqeKtVuLet5XGdu+k1
5a/g8bmhjvZvQQ2SvadMCD4CO9TOI3zseH1zP7ym+aP0nRhmPvnuTJrhQUkom2pi
XnAFqG8I+pk///cT8MNisI1TYq74dDPdMHODNpIVAoIBAQCWjjVQs1PyZ69SYiVv
jhDnRzYu5C4V9CRJHjjIMSIWw3/extbZZbTi/2fccDtGQA8sYTigisZ8a3M+fxFD
WauMxpT7kaT3GzMQR5uH2O8P3XLe2EfAzwgMOjI+OUe+LFpFDDjBO1pgBwdTSv/D
BlKurUt6ElcP2P7ROg0gNLOwjuB1akUV7yyjD/+gbWjsiQ0sdrEknYXkI5cb5zHC
8K21wXFfOXChzbSxgp3PioEk6wL+7XhcXEJXqWfL33+PMiy/oOQWJZcBD0WQN43U
QIyOMrd7w+fGK0AbysTgQgXZ1FuynxxhytTAh8YV4FOnVyYpDEPg13WQU5LY3n2X
MnDhAoIBAQChbx/vHwgNP8yfKDmIRmN94DuXnYXj+7peKJJm7xr1laf1kTDOne2T
x1BOHctLhwHlEXt2YjU0nkJ3ownpPNiCuGmt+IoDapwyksCMziiZvuom4+jINU3z
btS7MEKsjJO6OmTXyLNVaGWp1AOIdyyO6yQ4iSnXv7/ndi+Rdrdh6USeUgV9oxmi
5qc2Peh7SXRkE5uof9SxVSoR8ieHkHAjHXacddjhccGQOQ7j098fX6tWjPuD52pQ
EeGNdPWeKdxrQp2VjCkownXnU+lW4v/yo0oJNRdc+DDdvd5ERK3jGFNrpyo3YksF
HAjEMoifkadfTUWDzUaCKwUMCUdBvyb8
-----END PRIVATE KEY-----
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mod-example
namespace: kmm-operator-system
data:
dockerfile: |
FROM busybox
RUN unlink /bin/modprobe
RUN printf "#!/usr/bin/env sh\nbusybox true" > /bin/modprobe
RUN chmod +x /bin/modprobe
---
apiVersion: hub.kmm.sigs.x-k8s.io/v1beta1
kind: ManagedClusterModule
metadata:
name: mod-example
spec:
spokeNamespace: kmm-operator-system
selector:
name: minikube
moduleSpec:
moduleLoader:
container:
modprobe:
moduleName: mod-example
imagePullPolicy: Always
kernelMappings:
- regexp: '^.+$'
containerImage: host.minikube.internal:5000/$MOD_NAMESPACE/$MOD_NAME:$KERNEL_FULL_VERSION
registryTLS:
insecure: true
build:
baseImageRegistryTLS:
insecure: true
dockerfileConfigMap:
name: mod-example
sign:
keySecret:
name: fake-modprobe-signing-key
certSecret:
name: fake-modprobe-signing-key-pub
unsignedImageRegistryTLS:
insecure: true
filesToSign:
- /bin/getconf
selector:
node-role.kubernetes.io/worker: ""