#
# cloned from https://github.com/nokia/danm/tree/v4.3.0/integration/manifests/netwatcher
#
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: netwatcher
  namespace: kube-system
  labels:
      kubernetes.io/cluster-service: "true"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:netwatcher
rules:
rules:
- apiGroups:
  - danm.k8s.io
  resources:
  - danmnets
  - clusternetworks
  - tenantnetworks
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - k8s.cni.cncf.io
  resources:
  - network-attachment-definitions
  verbs:
  - get
  - list
  - watch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:netwatcher
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:netwatcher
subjects:
- kind: ServiceAccount
  namespace: kube-system
  name: netwatcher
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: netwatcher
  namespace: kube-system
spec:
  selector:
    matchLabels:
      danm.k8s.io: netwatcher
  template:
    metadata:
      labels:
        danm.k8s.io: netwatcher
    spec:
      serviceAccountName: netwatcher
      hostNetwork: true
      dnsPolicy: ClusterFirst
      hostIPC: true
      hostPID: true
      containers:
        - name: netwatcher
          image: netwatcher
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              add:
                - SYS_PTRACE
                - SYS_ADMIN
                - NET_ADMIN
                - NET_RAW
      tolerations:
       - effect: NoSchedule
         operator: Exists
       - effect: NoExecute
         operator: Exists
      terminationGracePeriodSeconds: 0