# DaemonSet that runs the alexeiled/aws-ssm-agent container on every node so
# the node can be managed through AWS Systems Manager.
#
# Privilege note: the pod joins the host network, PID and IPC namespaces, runs
# as root in privileged mode, and gets read-write hostPath mounts of /run,
# /var/run (docker socket, see the var-run volume below) and /etc/sudoers.d.
# That is equivalent to root on the node, so "exec into this pod" and "create
# pods with this spec" are node-admin actions: keep kube-system RBAC tight,
# admit this spec only under the Pod Security "privileged" level for this
# namespace, and audit exec/attach requests against these pods.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ssm-agent
  labels:
    k8s-app: ssm-agent
  namespace: kube-system
spec:
  selector:
    # must match template.metadata.labels below (that is the "name" label,
    # not the top-level "k8s-app" label)
    matchLabels:
      name: ssm-agent
  template:
    metadata:
      labels:
        name: ssm-agent
    spec:
      # use IAM role associated with K8s service
      # (presumably via IAM Roles for Service Accounts on the ssm-sa account;
      # the service account and its role binding live outside this file — confirm)
      serviceAccountName: ssm-sa
      # join host network namespace
      hostNetwork: true
      # join host process namespace
      hostPID: true
      # join host IPC namespace
      hostIPC: true
      # tolerations: no key plus operator Exists matches every taint, so the
      # agent lands on all nodes, tainted control-plane nodes included
      tolerations:
        - effect: NoExecute
          operator: Exists
        - effect: NoSchedule
          operator: Exists
      containers:
        # no tag on the image means ":latest", and imagePullPolicy Always
        # re-pulls on every container start, so each restart runs whatever the
        # registry currently serves. pin a tag or, better, a digest
        # (alexeiled/aws-ssm-agent@sha256:<DIGEST>) once one has been reviewed.
        - image: alexeiled/aws-ssm-agent
          imagePullPolicy: Always
          name: ssm-agent
          # uid 0 with all capabilities; together with hostPID this is full
          # access to the node
          securityContext:
            runAsUser: 0
            privileged: true
          # every mount below is read-write (no readOnly set on any of them)
          volumeMounts:
            # Allows systemctl to communicate with the systemd running on the host
            - name: dbus
              mountPath: /var/run/dbus
            - name: run-systemd
              mountPath: /run/systemd
            # Allows to peek into systemd units that are baked into the official EKS AMI
            - name: etc-systemd
              mountPath: /etc/systemd
            # This is needed in order to fetch logs NOT managed by journald
            # journal log is stored only in memory by default, so we need the
            # whole /var/log tree rather than just the journal directory
            #
            # If all you need is access to persistent journals, /var/log/journal/* would be enough
            # FYI, the volatile log store /var/run/journal was empty on my nodes. Perhaps it isn't used in Amazon Linux 2 / EKS AMI?
            # See https://askubuntu.com/a/1082910 for more background
            - name: var-log
              mountPath: /var/log
            - name: var-run
              mountPath: /var/run
            - name: run
              mountPath: /run
            - name: usr-lib-systemd
              mountPath: /usr/lib/systemd
            - name: etc-machine-id
              mountPath: /etc/machine-id
            - name: etc-sudoers
              mountPath: /etc/sudoers.d
      # hostPath "type: Directory" / "type: File" makes the kubelet refuse to
      # start the pod when the path is missing on the host, rather than
      # silently creating an empty directory there
      volumes:
        # for systemctl to systemd access
        - name: dbus
          hostPath:
            path: /var/run/dbus
            type: Directory
        - name: run-systemd
          hostPath:
            path: /run/systemd
            type: Directory
        - name: etc-systemd
          hostPath:
            path: /etc/systemd
            type: Directory
        - name: var-log
          hostPath:
            path: /var/log
            type: Directory
        # mainly for dockerd access via /var/run/docker.sock
        # (write access to the docker socket is itself node root)
        - name: var-run
          hostPath:
            path: /var/run
            type: Directory
        # var-run implies you also need this, because
        # /var/run is a symlink to /run
        # sh-4.2$ ls -lah /var/run
        # lrwxrwxrwx 1 root root 6 Nov 14 07:22 /var/run -> ../run
        - name: run
          hostPath:
            path: /run
            type: Directory
        - name: usr-lib-systemd
          hostPath:
            path: /usr/lib/systemd
            type: Directory
        # Required by journalctl to locate the current boot.
        # If omitted, journalctl is unable to locate host's current boot journal
        - name: etc-machine-id
          hostPath:
            path: /etc/machine-id
            type: File
        # Avoid this error > ERROR [MessageGatewayService] Failed to add ssm-user to sudoers file: open /etc/sudoers.d/ssm-agent-users: no such file or directory
        # (the agent writes its own sudoers drop-in here, i.e. it grants
        # passwordless sudo on the node, so this mount needs to stay writable)
        - name: etc-sudoers
          hostPath:
            path: /etc/sudoers.d
            type: Directory