# Harmony inventory agent manifests: namespace, service account, the RBAC that
# lets that account use the OpenShift "privileged" SCC, the per-node agent
# DaemonSet, and the single-replica builder Deployment.
apiVersion: v1
kind: Namespace
metadata:
  name: harmony-inventory-agent
  labels:
    # Pod Security Admission is set to "privileged" in all three modes, so
    # PSA rejects nothing here and also produces no audit annotations or
    # warnings. Control over what runs in this namespace therefore rests on
    # RBAC (who may create pods here) and on the SCC grant below.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: harmony-inventory-agent
  namespace: harmony-inventory-agent
---
# Allow "use" of the built-in "privileged" SCC, scoped to this namespace.
# Any pod that runs as a subject bound to this Role may request privileged
# settings, so the set of subjects in the RoleBinding is the trust boundary.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-privileged-scc
  namespace: harmony-inventory-agent
rules:
  - apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    resourceNames:
      - privileged
    verbs:
      - use
---
# Bind the SCC Role to the agent service account only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-privileged-scc
  namespace: harmony-inventory-agent
subjects:
  - kind: ServiceAccount
    name: harmony-inventory-agent
    namespace: harmony-inventory-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-privileged-scc
---
# One agent pod per node. The pod shares the node's network namespace and its
# container is privileged, so a compromise of this image or container is
# effectively a compromise of the node it runs on.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: harmony-inventory-agent
  namespace: harmony-inventory-agent
spec:
  selector:
    matchLabels:
      app: harmony-inventory-agent
  template:
    metadata:
      labels:
        app: harmony-inventory-agent
    spec:
      serviceAccountName: harmony-inventory-agent
      hostNetwork: true
      # Keeps cluster DNS resolution working while on the host network.
      dnsPolicy: ClusterFirstWithHostNet
      tolerations:
        # Tolerates the master NoSchedule taint, so the privileged agent is
        # also scheduled onto control-plane nodes.
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
      containers:
        - name: inventory-agent
          # NOTE(review): no tag or digest, so this resolves to "latest", and
          # with imagePullPolicy Always every pod start runs whatever the
          # registry serves at that moment. For a privileged, host-network
          # workload on every node, pin the image by digest.
          image: hub.nationtech.io/harmony/harmony_inventory_agent
          imagePullPolicy: Always
          env:
            # NOTE(review): trace-level logging for the agent crate; confirm
            # the trace output is acceptable in cluster log collection.
            - name: RUST_LOG
              value: 'harmony_inventory_agent=trace,info'
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi
          securityContext:
            # Optional: the other securityContext fields can stay unset,
            # since the privileged SCC allows them.
            privileged: true
---
# Single-replica builder. It runs as the same service account as the agent,
# so it inherits the privileged SCC grant, and it is also host-network and
# privileged.
# NOTE(review): presumably copied from the DaemonSet; confirm the builder
# needs host networking and privileged mode. If it does not, give it its own
# service account without the SCC binding and drop both settings.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: harmony-inventory-builder
  namespace: harmony-inventory-agent
spec:
  replicas: 1
  strategy: {}
  selector:
    matchLabels:
      app: harmony-inventory-builder
  template:
    metadata:
      labels:
        app: harmony-inventory-builder
    spec:
      serviceAccountName: harmony-inventory-agent
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        # NOTE(review): the container is named "inventory-agent" although it
        # runs the builder image; the name is kept as in the original.
        - name: inventory-agent
          # NOTE(review): no tag or digest here either; pin by digest.
          image: hub.nationtech.io/harmony/harmony_inventory_builder
          imagePullPolicy: Always
          env:
            - name: RUST_LOG
              value: 'harmony_inventory_builder=trace,info'
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi
          securityContext:
            # Optional: the other securityContext fields can stay unset,
            # since the privileged SCC allows them.
            privileged: true