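# Helm values for running Traefik as a host-network DaemonSet that binds
# ports 80/443 directly on each node.
deployment:
  kind: DaemonSet
  # Needed with hostNetwork so the pod still resolves names via cluster DNS.
  dnsPolicy: ClusterFirstWithHostNet

# The pod shares the node's network namespace: every listener below is
# reachable on the node's own addresses, not only through a Service.
hostNetwork: true

# Bind directly to host ports 80 and 443
ports:
  web:
    port: 80
    hostPort: 80
    expose:
      default: true
    exposedPort: 80
  websecure:
    port: 443
    hostPort: 443
    expose:
      default: true
    exposedPort: 443
  # Avoid port collision with node-exporter on host network (9100)
  # NOTE(review): on the host network the metrics listener is also reachable
  # on the node's addresses; restrict 9101 at the node firewall if the node is
  # reachable from untrusted networks.
  metrics:
    port: 9101
    hostPort: 9101
    exposedPort: 9101

# Configure Traefik to watch for standard Kubernetes Ingress resources
providers:
  kubernetesIngress:
    enabled: true
    publishedService:
      enabled: false

# We will define IngressClass resources manually to achieve dual-class mapping
ingressClass:
  enabled: false

# Resource limits to ensure stable execution on a single node
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

# Run as root (UID/GID 0) to bind to host network ports 80/443
podSecurityContext:
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0

# Container-level hardening. Root is used here only to bind 80/443, and
# NET_BIND_SERVICE is the one capability that needs, so the rest of the default
# capability set (NET_RAW, DAC_OVERRIDE, SETUID, ...) is dropped. This matters
# more than usual because the container sits in the node's network namespace.
securityContext:
  # Sets no_new_privs: nothing started in the container can gain privileges
  # through setuid or file-capability binaries.
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
  # NOTE(review): kept writable as the author set it. If Traefik only writes
  # to mounted volumes in this deployment, set this to true. Also confirm any
  # persistent volume is readable by root without DAC_OVERRIDE.
  readOnlyRootFilesystem: false

# Required for hostNetwork DaemonSets to allow rolling updates: two pods on
# one node cannot both hold host ports 80/443, so the old pod must be removed
# before its replacement starts (no surge).
updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxUnavailable: 1
    maxSurge: 0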