copied from https://gist.github.com/mark-church/976f99be295e84408f45ec434c639305

secure-overlay.yaml

######################
# Cluster role for key management jobs
######################
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ucp-secureoverlay-mgr
rules:
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - get
      - update
---
######################
# Cluster role binding for key management jobs
######################
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ucp-secureoverlay-mgr
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ucp-secureoverlay-mgr
subjects:
- kind: ServiceAccount
  name: ucp-secureoverlay-mgr
  namespace: kube-system
---
######################
# Service account for key management jobs
######################
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ucp-secureoverlay-mgr
  namespace: kube-system
---
######################
# Cluster role for secure overlay per-node agent
######################
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ucp-secureoverlay-agent
rules:
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
---
######################
# Cluster role binding for secure overlay per-node agent
######################
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ucp-secureoverlay-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ucp-secureoverlay-agent
subjects:
- kind: ServiceAccount
  name: ucp-secureoverlay-agent
  namespace: kube-system
---
######################
# Service account secure overlay per-node agent
######################
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ucp-secureoverlay-agent
  namespace: kube-system
---
######################
# K8s secret of current key configuration
######################
apiVersion: v1
kind: Secret
metadata:
  name: ucp-secureoverlay
  namespace: kube-system
type: Opaque
data:
  keys: ""
---
######################
# DaemonSet for secure overlay per-node agent
######################
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ucp-secureoverlay-agent
  namespace: kube-system
  labels:
    k8s-app: ucp-secureoverlay-agent
spec:
  selector:
    matchLabels:
      k8s-app: ucp-secureoverlay-agent
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: ucp-secureoverlay-agent
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostNetwork: true
      priorityClassName: system-node-critical
      terminationGracePeriodSeconds: 10
      serviceAccountName: ucp-secureoverlay-agent
      containers:
      - name: ucp-secureoverlay-agent
        image: docker/ucp-secureoverlay-agent:3.1.0-beta1
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]
        env:
        - name: MY_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        volumeMounts:
        - name: ucp-secureoverlay
          mountPath: /etc/secureoverlay/
          readOnly: true
      volumes:
      - name: ucp-secureoverlay
        secret:
          secretName: ucp-secureoverlay
---
######################
# Deployment for manager of the whole cluster (primarily to rotate keys)
######################
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ucp-secureoverlay-mgr
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: ucp-secureoverlay-mgr
  replicas: 1
  template:
    metadata:
      name: ucp-secureoverlay-mgr
      namespace: kube-system
      labels:
        app: ucp-secureoverlay-mgr
    spec:
      serviceAccountName: ucp-secureoverlay-mgr
      restartPolicy: Always
      containers:
      - name: ucp-secureoverlay-mgr
        image: docker/ucp-secureoverlay-mgr:3.1.0-beta1