# Source: https://github.com/weaveworks/kured/releases/download/1.6.1/kured-1.6.1-dockerhub.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kured
# Cluster-wide permissions kured needs: read a node's spec.unschedulable and
# drain/uncordon the node it runs on. These are broad (all pods in all
# namespaces) because drain must touch workloads wherever they live; keep the
# only binding of this role the kured ServiceAccount.
#
# NB: These permissions are tightly coupled to the bundled version of kubectl; the ones below
# match https://github.com/kubernetes/kubernetes/blob/v1.19.4/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go
rules:
  # Read node state and patch spec.unschedulable (cordon / uncordon).
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - patch
  # Enumerate and remove the pods on the node being drained.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - delete
      - get
  # Drain looks up DaemonSet owners so it can leave DaemonSet-managed pods in place.
  - apiGroups:
      - apps
    resources:
      - daemonsets
    verbs:
      - get
  # Preferred path for removing pods: the eviction subresource honours
  # PodDisruptionBudgets; plain `delete` above is presumably the fallback.
  - apiGroups:
      - ""
    resources:
      - pods/eviction
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kured
# Bind the cluster-wide kured ClusterRole to kured's own ServiceAccount in the
# cluster-baseline-settings namespace; it is the only subject of this binding.
subjects:
  - kind: ServiceAccount
    name: kured
    namespace: cluster-baseline-settings
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kured
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kured
  namespace: cluster-baseline-settings
# Namespaced permission for kured to lock/unlock itself. The reboot lock lives
# on the kured DaemonSet object, so `update` is limited via resourceNames to
# that single object; `get` on daemonsets comes from the ClusterRole.
rules:
  - apiGroups:
      - apps
    resources:
      - daemonsets
    resourceNames:
      - kured
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kured
  namespace: cluster-baseline-settings
# Bind the namespaced kured Role (DaemonSet lock/unlock) to the kured
# ServiceAccount in the same namespace.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kured
subjects:
  - kind: ServiceAccount
    name: kured
    namespace: cluster-baseline-settings
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity the kured DaemonSet runs as; it is the only subject of the
  # kured ClusterRoleBinding and RoleBinding.
  namespace: cluster-baseline-settings
  name: kured
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kured # Must match `--ds-name`; "kured" is kured's built-in default, so the flag is not passed below
  namespace: cluster-baseline-settings # Must match `--ds-namespace` in the container command
spec:
  selector:
    matchLabels:
      name: kured
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        name: kured
      annotations:
        # Scrape hints for Prometheus deployments configured to honour them.
        prometheus.io/scrape: "true"
        prometheus.io/path: "/metrics"
        prometheus.io/port: "8080"
    spec:
      serviceAccountName: kured
      # One kured pod per node, including tainted control-plane / critical-addon
      # nodes, otherwise pending reboots on those nodes would never be noticed.
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: CriticalAddonsOnly
          operator: Equal
          value: "true"
          effect: NoSchedule
      # kured reboots the node by entering PID 1's mount namespace (nsenter
      # /proc/1/ns/mnt); that needs the host PID namespace here and
      # privileged below. Both are node-level capabilities, so changes to this
      # DaemonSet should be as tightly reviewed as changes to node access.
      hostPID: true
      restartPolicy: Always
      nodeSelector:
        kubernetes.io/arch: amd64
        kubernetes.io/os: linux
      containers:
        - name: kured
          # PRODUCTION READINESS CHANGE REQUIRED
          # This image should be sourced from a non-public container registry, such as the
          # one deployed along side of this reference implementation.
          # az acr import --source docker.io/weaveworks/kured:1.6.1 -n <your-acr-instance-name>
          # and then set this to
          # image: <your-acr-instance-name>.azurecr.io/weaveworks/kured:1.6.1
          # Consider also pinning by digest (…/weaveworks/kured@sha256:<digest-from-your-registry>)
          # so a re-tagged 1.6.1 cannot silently change what runs as privileged on every node.
          image: acrakspdoz3qcteloda.azurecr.io/weaveworks/kured:1.6.1
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 200m
              memory: 16Mi
            limits:
              cpu: 500m
              memory: 48Mi
          securityContext:
            privileged: true # Give permission to nsenter /proc/1/ns/mnt
          env:
            # Node this pod is scheduled on; kured cordons/drains/reboots only this node.
            - name: KURED_NODE_ID
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          # NOTE(review): no reboot-window flags are set (kured's --reboot-days /
          # --start-time / --end-time), so reboots may happen whenever a node
          # becomes eligible — confirm that is intended for this cluster.
          command:
            - /usr/bin/kured
            - --ds-namespace=cluster-baseline-settings