dkeightley · September 13, 2021 00:41
diff --git a/rke-calicoctl.yaml b/rke-calicoctl.yaml
 # Calico Version v3.20.0
 # https://docs.projectcalico.org/releases#v3.20.0
 # This manifest includes the following component versions:
 #   calico/ctl:v3.20.0

 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: calicoctl
  namespace: kube-system

 ---

 apiVersion: v1
 kind: Pod
 metadata:
  name: calicoctl
  namespace: kube-system
 spec:
  nodeSelector:
    kubernetes.io/os: linux
  hostNetwork: true
  serviceAccountName: calicoctl
  containers:
  - name: calicoctl
    image: calico/ctl:release-v3.17
    command:
      - /calicoctl
    args:
      - version
      - --poll=1m
    env:
    - name: DATASTORE_TYPE
      value: kubernetes

 ---

 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: calicoctl
 rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - nodes
    verbs:
      - get
      - list
      - update
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      - update
  - apiGroups: [""]
    resources:
      - pods
      - serviceaccounts
    verbs:
      - get
      - list
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - update
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgppeers
      - bgpconfigurations
      - clusterinformations
      - felixconfigurations
      - globalnetworkpolicies
      - globalnetworksets
      - ippools
      - kubecontrollersconfigurations
      - networkpolicies
      - networksets
      - hostendpoints
      - ipamblocks
      - blockaffinities
      - ipamhandles
      - ipamconfigs
    verbs:
      - create
      - get
      - list
      - update
      - delete
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list

 ---

 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: calicoctl
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calicoctl
 subjects:
 - kind: ServiceAccount
  name: calicoctl
  namespace: kube-system
	# Calico Version v3.20.0
	# https://docs.projectcalico.org/releases#v3.20.0
	# This manifest includes the following component versions:
	# calico/ctl:v3.20.0

	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: calicoctl
	namespace: kube-system

	---

	apiVersion: v1
	kind: Pod
	metadata:
	name: calicoctl
	namespace: kube-system
	spec:
	nodeSelector:
	kubernetes.io/os: linux
	hostNetwork: true
	serviceAccountName: calicoctl
	containers:
	- name: calicoctl
	image: calico/ctl:release-v3.17
	command:
	- /calicoctl
	args:
	- version
	- --poll=1m
	env:
	- name: DATASTORE_TYPE
	value: kubernetes

	---

	kind: ClusterRole
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: calicoctl
	rules:
	- apiGroups: [""]
	resources:
	- namespaces
	- nodes
	verbs:
	- get
	- list
	- update
	- apiGroups: [""]
	resources:
	- nodes/status
	verbs:
	- update
	- apiGroups: [""]
	resources:
	- pods
	- serviceaccounts
	verbs:
	- get
	- list
	- apiGroups: [""]
	resources:
	- pods/status
	verbs:
	- update
	- apiGroups: ["crd.projectcalico.org"]
	resources:
	- bgppeers
	- bgpconfigurations
	- clusterinformations
	- felixconfigurations
	- globalnetworkpolicies
	- globalnetworksets
	- ippools
	- kubecontrollersconfigurations
	- networkpolicies
	- networksets
	- hostendpoints
	- ipamblocks
	- blockaffinities
	- ipamhandles
	- ipamconfigs
	verbs:
	- create
	- get
	- list
	- update
	- delete
	- apiGroups: ["networking.k8s.io"]
	resources:
	- networkpolicies
	verbs:
	- get
	- list

	---

	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: calicoctl
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: calicoctl
	subjects:
	- kind: ServiceAccount
	name: calicoctl
	namespace: kube-system