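# kubevirt-manager: ServiceAccount, cluster-wide RBAC, Deployment, Service and
# Ingress for the kubevirt-manager web UI in the "kubevirt" namespace.
# Layout restored to one key per line; the collapsed form does not parse.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubevirt-manager
  namespace: kubevirt
---
# Permissions used by the UI's ServiceAccount. This is a ClusterRole bound
# with a ClusterRoleBinding (below), so every rule applies in ALL namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubevirt-manager
rules:
  # Read-only inventory: nodes, namespaces, pods and pod logs.
  - apiGroups: [""]
    resources: ["nodes", "namespaces", "pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list"]
  # Full control over VM objects and their migrations.
  - apiGroups: ["kubevirt.io"]
    resources:
      - virtualmachines
      - virtualmachineinstances
      - virtualmachineinstancemigrations
    verbs: ["*"]
  # Wildcard over every KubeVirt subresource (presumably console/VNC and
  # lifecycle actions - confirm which ones the UI actually calls).
  - apiGroups: ["subresources.kubevirt.io"]
    resources: ["*"]
    verbs: ["get", "list", "update", "patch"]
  - apiGroups: ["instancetype.kubevirt.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["cdi.kubevirt.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["pool.kubevirt.io"]
    resources: ["*"]
    verbs: ["*"]
  # NOTE(review): "*" on secrets and serviceaccounts, cluster-wide. Whoever
  # holds this ServiceAccount's token can read every Secret in every namespace
  # (TLS keys, registry credentials, other ServiceAccount tokens). Narrow the
  # verbs to what the UI needs, or replace the ClusterRoleBinding with
  # per-namespace RoleBindings for the namespaces that host VMs.
  - apiGroups: [""]
    resources:
      - persistentvolumeclaims
      - persistentvolumes
      - services
      - secrets
      - serviceaccounts
      - configmaps
    verbs: ["*"]
  # NOTE(review): "*" on deployments in all namespaces allows running
  # workloads anywhere in the cluster; together with the rule above, treat
  # this ServiceAccount as cluster-admin equivalent when threat-modelling.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies", "ingresses"]
    verbs: ["*"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.kubevirt.io"]
    resources:
      - virtualmachinesnapshots
      - virtualmachinesnapshotcontents
      - virtualmachinerestores
    verbs: ["get", "list", "watch", "create", "delete"]
---
# Grants the ClusterRole above to the ServiceAccount across the whole cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubevirt-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubevirt-manager
subjects:
  - kind: ServiceAccount
    name: kubevirt-manager
    namespace: kubevirt
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubevirt-manager
  namespace: kubevirt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubevirt-manager
  template:
    metadata:
      labels:
        app: kubevirt-manager
    spec:
      # The pod runs with the ServiceAccount bound to the ClusterRole above.
      serviceAccountName: kubevirt-manager
      containers:
        - name: kubevirt-manager
          # NOTE(review): referenced by mutable tag only; consider pinning by
          # digest (image@sha256:<digest-placeholder>) so the running image
          # cannot change underneath this manifest.
          image: kubevirtmanager/kubevirt-manager:v1.5.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 10000
            runAsGroup: 30000
            # Added hardening, consistent with the non-root UID above and the
            # unprivileged port 8080: refuse to start as root, drop all Linux
            # capabilities, and apply the runtime's default seccomp filter.
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Writable scratch space, needed because the root FS is read-only.
            - name: cache-volume
              mountPath: /var/cache/nginx
            - name: run-volume
              mountPath: /var/run
            - name: oauth-config
              mountPath: /etc/nginx/oauth.d/
            - name: auth-config
              mountPath: /etc/nginx/auth.d/
            - name: auth-secret
              mountPath: /etc/nginx/secret.d/
            - name: prometheus-config
              mountPath: /etc/nginx/location.d/
      volumes:
        - name: cache-volume
          emptyDir: {}
        - name: run-volume
          emptyDir: {}
        # NOTE(review): the auth-related sources below are all optional, so
        # the pod starts even when none of them exist. Presumably they carry
        # the nginx authentication config - confirm that authentication is
        # actually enforced before the Ingress below is reachable.
        - name: oauth-config
          configMap:
            name: oauth-config
            optional: true
        - name: auth-config
          configMap:
            name: auth-config
            optional: true
        - name: auth-secret
          secret:
            secretName: auth-secret
            optional: true
        - name: prometheus-config
          configMap:
            name: prometheus-config
            optional: true
---
apiVersion: v1
kind: Service
metadata:
  name: kubevirt-manager
  namespace: kubevirt
spec:
  type: ClusterIP
  selector:
    app: kubevirt-manager
  ports:
    - port: 8080
      targetPort: 8080
---
# Publishes the UI on kubevirt.apps.undercloud.dev over TLS (certificate
# requested through the cert-manager "letsencrypt" ClusterIssuer).
# NOTE(review): nothing in this Ingress authenticates or restricts clients.
# Given the ServiceAccount's cluster-wide permissions, verify that the
# in-pod auth config is present, or add an ingress-level control such as
# nginx.ingress.kubernetes.io/whitelist-source-range or
# nginx.ingress.kubernetes.io/auth-url.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubevirt-manager
  namespace: kubevirt
  annotations:
    # Deprecated annotation; spec.ingressClassName is the current field.
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt
    # One-hour proxy timeouts (presumably for long-lived console sessions).
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - kubevirt.apps.undercloud.dev
      secretName: kubevirt-manager-tls
  rules:
    - host: kubevirt.apps.undercloud.dev
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubevirt-manager
                port:
                  number: 8080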