k8s manifests

NiklasBeierl · NiklasBeierl · commit 4b95eed316aa · 2026-01-22T14:47:31.000+01:00
diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nodecryptor
+  namespace: kube-system
+  labels:
+    app: nodecryptor
+spec:
+  selector:
+    matchLabels:
+      app: nodecryptor
+  template:
+    metadata:
+      labels:
+        app: nodecryptor
+    spec:
+      serviceAccountName: nodecryptor
+      hostNetwork: true
+      containers:
+        - name: nodecryptor
+          image: ghcr.io/niklasbeierl/nodecryptor:latest
+          imagePullPolicy: Always
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          args:
+            - --noop-route
+            - 10.0.0.255/32
diff --git a/k8s/netshoot-daemonset.yaml b/k8s/netshoot-daemonset.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nettest
+  namespace: kube-system
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 100%
+  selector:
+    matchLabels:
+      app: nettest
+  template:
+    metadata:
+      labels:
+        app: nettest
+    spec:
+      containers:
+      - name: nettest
+        image: nicolaka/netshoot
+        command: ["sleep", "infinity"]
+        securityContext:
+          capabilities:
+            add:
+            - NET_RAW
diff --git a/k8s/rbac.yaml b/k8s/rbac.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nodecryptor
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: nodecryptor
+rules:
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumnodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: nodecryptor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nodecryptor
+subjects:
+- kind: ServiceAccount
+  name: nodecryptor
+  namespace: kube-system
