---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico
  namespace: kube-system
---
kind: ClusterRole
apiVersion: v1
metadata:
  name: calico
  namespace: kube-system
rules:
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
    verbs:
      - list
      - get
      - watch
  - apiGroups: ["extensions"]
    resources:
      - networkpolicies
    verbs:
      - list
      - get
      - watch
---
apiVersion: v1
kind: ClusterRoleBinding
metadata:
  name: calico
roleRef:
  name: calico
subjects:
- kind: SystemUser
  name: kube-system:calico
- kind: ServiceAccount
  name: calico
  namespace: kube-system
userNames:
  - system:serviceaccount:kube-system:calico
---
# This manifest deploys the Calico policy controller on Kubernetes.
# See https://github.com/projectcalico/k8s-policy
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: calico-policy-controller
  namespace: kube-system
  labels:
    k8s-app: calico-policy
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ''
    scheduler.alpha.kubernetes.io/tolerations: |
      [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
       {"key":"CriticalAddonsOnly", "operator":"Exists"}]
spec:
  # The policy controller can only have a single active instance.
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-policy-controller
      namespace: kube-system
      labels:
        k8s-app: calico-policy
    spec:
      # The policy controller must run in the host network namespace so that
      # it isn't governed by policy that would prevent it from working.
      hostNetwork: true
      serviceAccountName: calico
      containers:
        - name: calico-policy-controller
          image: {{ calico_url_policy_controller }}
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              value: {{ calico_etcd_endpoints }}
            # Location of the CA certificate for etcd.
            - name: ETCD_CA_CERT_FILE
              value: {{ calico_etcd_ca_cert_file }}
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              value: {{ calico_etcd_key_file }}
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              value: {{ calico_etcd_cert_file }}
            # Since we're running in the host namespace and might not have KubeDNS
            # access, configure the container's /etc/hosts to resolve
            # kubernetes.default to the correct service clusterIP.
            - name: CONFIGURE_ETC_HOSTS
              value: "true"
          volumeMounts:
            # Mount in the etcd TLS secrets.
            - name: certs
              mountPath: {{ calico_etcd_cert_dir }}

      volumes:
        # Mount in the etcd TLS secrets.
        - name: certs
          hostPath:
            path: {{ calico_etcd_cert_dir }}