forked from snyk/kubernetes-monitor
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsnyk-monitor-deployment.yaml
136 lines (135 loc) · 3.86 KB
/
snyk-monitor-deployment.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
#
# This file creates the deployment that runs the Kubernetes-Monitor
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: snyk-monitor
namespace: snyk-monitor
labels:
app.kubernetes.io/name: snyk-monitor
spec:
selector:
matchLabels:
app.kubernetes.io/name: snyk-monitor
template:
metadata:
labels:
app.kubernetes.io/name: snyk-monitor
spec:
containers:
- image: snyk/kubernetes-monitor:IMAGE_TAG_OVERRIDE_WHEN_PUBLISHING
imagePullPolicy: Always
name: snyk-monitor
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- name: docker-config
readOnly: true
mountPath: "/srv/app/.docker"
- name: temporary-storage
mountPath: "/var/tmp"
- name: ssl-certs
mountPath: "/srv/app/certs"
- name: registries-conf
mountPath: "/srv/app/.config/containers"
- name: workload-policies
mountPath: "/tmp/policies"
readOnly: true
env:
- name: SNYK_INTEGRATION_ID
valueFrom:
secretKeyRef:
name: snyk-monitor
key: integrationId
- name: SNYK_SERVICE_ACCOUNT_API_TOKEN
valueFrom:
secretKeyRef:
name: snyk-monitor
key: serviceAccountApiToken
- name: SNYK_WATCH_NAMESPACE
valueFrom:
configMapKeyRef:
name: snyk-monitor
key: namespace
optional: true
- name: SNYK_DEPLOYMENT_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SNYK_DEPLOYMENT_NAME
value: snyk-monitor
- name: SNYK_INTEGRATION_API
valueFrom:
configMapKeyRef:
name: snyk-monitor
key: integrationApi
optional: true
- name: SNYK_CLUSTER_NAME
valueFrom:
configMapKeyRef:
name: snyk-monitor
key: clusterName
optional: true
- name: SNYK_MONITOR_VERSION
value: IMAGE_TAG_OVERRIDE_WHEN_PUBLISHING
- name: HOME
value: /srv/app
- name: HTTP_PROXY
valueFrom:
configMapKeyRef:
name: snyk-monitor
key: http_proxy
optional: true
- name: HTTPS_PROXY
valueFrom:
configMapKeyRef:
name: snyk-monitor
key: https_proxy
optional: true
- name: NO_PROXY
valueFrom:
configMapKeyRef:
name: snyk-monitor
key: no_proxy
optional: true
- name: LOG_LEVEL
value: 'INFO'
resources:
requests:
cpu: '250m'
memory: '400Mi'
limits:
cpu: '1'
memory: '2Gi'
securityContext:
privileged: false
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
volumes:
- name: docker-config
secret:
secretName: snyk-monitor
items:
- key: dockercfg.json
path: config.json
- name: temporary-storage
emptyDir:
sizeLimit: 50Gi
- name: ssl-certs
configMap:
name: snyk-monitor-certs
optional: true
- name: registries-conf
configMap:
name: snyk-monitor-registries-conf
optional: true
- name: workload-policies
configMap:
name: snyk-monitor-workload-policies
optional: true
serviceAccountName: snyk-monitor