diff --git a/istio/operator/manifests.yaml b/istio/operator/manifests.yaml
index 1dabc04..492f01f 100644
--- a/istio/operator/manifests.yaml
+++ b/istio/operator/manifests.yaml
@@ -15,52 +15,6 @@ metadata:
 namespace: istio-operator
 name: istio-operator
 ---
-# Source: istio-operator/templates/crd.yaml
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: istiooperators.install.istio.io
-spec:
- group: install.istio.io
- names:
- kind: IstioOperator
- plural: istiooperators
- singular: istiooperator
- shortNames:
- - iop
- scope: Namespaced
- subresources:
- status: {}
- validation:
- openAPIV3Schema:
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values.
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase.
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- spec:
- description: 'Specification of the desired state of the istio control plane resource.
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
- type: object
- status:
- description: 'Status describes each of istio control plane component status at the current time.
- 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
- More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
- https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
- type: object
- versions:
- - name: v1alpha1
- served: true
- storage: true
----
 # Source: istio-operator/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -93,12 +47,6 @@ rules:
 - '*'
 verbs:
 - '*'
-- apiGroups:
- - rbac.istio.io
- resources:
- - '*'
- verbs:
- - '*'
 - apiGroups:
 - security.istio.io
 resources:
@@ -145,6 +93,7 @@ rules:
 verbs:
 - get
 - create
+ - update
 - apiGroups:
 - policy
 resources:
@@ -168,6 +117,7 @@ rules:
 - events
 - namespaces
 - pods
+ - pods/proxy
 - persistentvolumeclaims
 - secrets
 - services
@@ -224,10 +174,20 @@ spec:
 serviceAccountName: istio-operator
 containers:
 - name: istio-operator
- image: docker.io/istio/operator:1.5.3
+ image: docker.io/istio/operator:1.7.4
 command:
 - operator
 - server
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsUser: 1337
+ runAsNonRoot: true
 imagePullPolicy: IfNotPresent
 resources:
 limits:
@@ -238,12 +198,16 @@ spec:
 memory: 128Mi
 env:
 - name: WATCH_NAMESPACE
- value: istio-system
+ value: "istio-system"
 - name: LEADER_ELECTION_NAMESPACE
- value: istio-operator
+ value: "istio-operator"
 - name: POD_NAME
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
 - name: OPERATOR_NAME
- value: istio-operator
+ value: "istio-operator"
+ - name: WAIT_FOR_RESOURCES_TIMEOUT
+ value: "300s"
+ - name: REVISION
+ value: ""
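Review bot: The new `pods/proxy` entry in the `@@ -168,6 +117,7 @@` hunk shares a resource list with `pods` and `secrets`, so it inherits whatever verbs that rule grants. The rule's `apiGroups` and `verbs` lie outside the hunk; if the verbs are broad, and this is the ClusterRole seen earlier in the file, the operator's service account can proxy to any pod through the API server, cluster-wide. I would give the subresource a rule of its own with only the verbs the operator needs, for example `- apiGroups: [""]`, `resources: ["pods/proxy"]`, `verbs: ["get"]` if read access is enough. A one-line comment saying why the operator needs proxy access would also help.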
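Review bot: The bumped image in the `@@ -224,10 +174,20 @@` hunk is still referenced by a mutable tag, and with `imagePullPolicy: IfNotPresent` each node runs whatever that tag resolved to when it first pulled. Since this container holds the cluster-wide RBAC defined earlier in the file, I would pin it by digest: `image: docker.io/istio/operator:1.7.4@sha256:<digest-of-the-verified-image>`. The new `securityContext` is a welcome hardening, but `readOnlyRootFilesystem: true` arrives with no writable volume visible in the hunk. If the operator writes temporary files it will need an `emptyDir` mount, which is worth confirming. The container spec continues outside the hunk.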