---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bridget
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - get
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bridget
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bridget
subjects:
- kind: ServiceAccount
  name: bridget
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bridget
  namespace: kube-system
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: bridget
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: bridget
  template:
    metadata:
      labels:
        app: bridget
    spec:
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: bridget
      hostNetwork: true
      hostPID: true
      containers:
      - name: bridget
        image: docker.io/kvaps/bridget:v1.1.1
        env:
        - name: BRIDGE
          value: "cbr0"
        #- name: VLAN
        #  value: "4"
        #- name: IFACE
        #  value: "eth0"
        #- name: MTU
        #  value: "1500"
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
        volumeMounts:
        - name: cni-cfg
          mountPath: /etc/cni/net.d
      volumes:
        - name: cni-cfg
          hostPath:
            path: /etc/cni/net.d