apiVersion: v1 kind: Namespace metadata: name: cloudflare-dns --- apiVersion: apps/v1 kind: Deployment metadata: name: cloudflare-dns-operator namespace: cloudflare-dns spec: replicas: 1 selector: matchLabels: app: cloudflare-dns-operator template: metadata: labels: app: cloudflare-dns-operator spec: serviceAccountName: cloudflare-dns-operator containers: - name: cloudflare-dns-operator image: robertkrahn/cloudflare-dns-operator:latest imagePullPolicy: Always env: - name: RUST_LOG value: "debug" - name: RUST_BACKTRACE value: "1" - name: CLOUDFLARE_API_TOKEN valueFrom: secretKeyRef: name: cloudflare-api-token key: api-token # optional - name: CHECK_DNS_RESOLUTION value: "5m" - name: NAMESERVER_FOR_DNS_CHECK value: "1.1.1.1:53" --- apiVersion: v1 kind: ServiceAccount metadata: name: cloudflare-dns-operator namespace: cloudflare-dns --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cloudflare-dns-operator-role rules: - apiGroups: ["dns.cloudflare.com"] resources: - cloudflarednsrecords - cloudflarednsrecords/status verbs: - get - list - watch - create - delete - patch - update # Access to services to resolve ips. If you don't use dynamic content via # referencing services, you can remove this. - apiGroups: [""] resources: ["services"] verbs: - get - list - watch # Access to configmaps and secrets to read zone names or ids. Remove this if you # specify the zone id/name directly. - apiGroups: [""] resources: - configmaps - secrets verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cloudflare-dns-operator-rolebinding subjects: - kind: ServiceAccount name: cloudflare-dns-operator roleRef: kind: ClusterRole name: cloudflare-dns-operator-role apiGroup: rbac.authorization.k8s.io ---