---
# One-off maintenance Pod pinned to a control-plane node.
#
# Flow, as written in the container commands below:
#   1. init container `create-secret`: if the Secret `system-registry` does not
#      exist, create it with `/sf/bin/sf-ctr tools create-secret` and label it
#      `create-by-privileged-pod=true` so later steps can tell it was created here.
#   2. container `privileged-pod`: chroot into the host root (mounted at /hostos),
#      delete the Secret only when it carries that label, then sleep 3600 s and
#      delete this Pod.
#   3. container `delete-privileged-pod-task`: independent 3600 s timer that also
#      deletes this Pod (see comment on that container).
#
# NOTE(review): privileged + hostPID/hostIPC/hostNetwork + a read-write hostPath
# of `/` gives this Pod full control of the node it lands on. Pod Security
# Admission at `baseline` or `restricted` rejects such a spec; if it has to run,
# keep the `privileged` exemption scoped to this Pod/namespace, limit who may
# create or edit it via RBAC, and alert on its creation.
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
  namespace: default
spec:
  initContainers:
    - name: create-secret
      # NOTE(review): this image is only the carrier; the command relies on the
      # host root being mounted at `/` below to find bash, kubectl and sf-ctr.
      image: registry.k8s.io/coredns/coredns:v1.9.3
      imagePullPolicy: IfNotPresent
      command:
        - '/usr/bin/bash'
        - '-c'
        - 'if ! /sf/bin/kubectl get secret system-registry &> /dev/null; then /sf/bin/sf-ctr tools create-secret &> /dev/null && /sf/bin/kubectl label secret system-registry create-by-privileged-pod=true; fi'
      volumeMounts:
        - mountPath: /
          name: hostrootfs
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-wshm9
          readOnly: true
  containers:
    - name: privileged-pod
      # NOTE(review): a mutable `:latest` tag combined with IfNotPresent means
      # whatever is cached on the node runs; pinning by digest would make the
      # image reproducible — verify with the registry owner.
      image: ske.local.cloud.scp:30011/system/goharbor-amd64/busybox:latest
      # After the chroot the projected token mount below is outside the new root,
      # so /sf/bin/kubectl presumably uses the host's own kubeconfig — confirm.
      command:
        - '/chroot'
        - '/hostos'
        - '/usr/bin/bash'
        - '-c'
        - 'if /sf/bin/kubectl get secret system-registry -o jsonpath="{.metadata.labels.create-by-privileged-pod}" 2>/dev/null | grep -q "true"; then /sf/bin/kubectl delete secret system-registry; fi && /usr/bin/sleep 3600 && /sf/bin/kubectl delete pod privileged-pod &> /dev/null'
      imagePullPolicy: IfNotPresent
      securityContext:
        privileged: true
      volumeMounts:
        - mountPath: /hostos/
          name: hostrootfs
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-wshm9
          readOnly: true
    - name: delete-privileged-pod-task
      image: ske.local.cloud.scp:30011/system/goharbor-amd64/busybox:latest
      imagePullPolicy: IfNotPresent
      # The privileged container's command cannot perform delete/create
      # operations, so a separate container is started here to clean up the
      # Pod after 3600 seconds.
      command:
        - '/usr/bin/bash'
        - '-c'
        - '/usr/bin/sleep 3600 && /sf/bin/kubectl delete pod privileged-pod &> /dev/null'
      volumeMounts:
        - mountPath: /
          name: hostrootfs
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-wshm9
          readOnly: true
  restartPolicy: Never
  # The init container creates this Secret if it is missing; the main container
  # deletes it again only when it carries the `create-by-privileged-pod=true`
  # label.
  imagePullSecrets:
    - name: system-registry
  nodeSelector:
    node-role.kubernetes.io/control-plane: ''
  # Host namespaces are shared with the node (see review note at the top).
  hostNetwork: true
  hostIPC: true
  hostPID: true
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  # Both the newer `control-plane` and the legacy `master` taints are tolerated.
  tolerations:
    - effect: NoSchedule
      key: node-role.kubernetes.io/control-plane
      operator: Exists
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
      operator: Exists
  volumes:
    # Whole host root filesystem, mounted read-write into every container.
    - name: hostrootfs
      hostPath:
        path: /
        type: Directory
    # Service-account token projection; the name looks like a copied
    # auto-generated `kube-api-access-*` volume name — it is only referenced
    # within this spec.
    - name: kube-api-access-wshm9
      projected:
        defaultMode: 420
        sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          - downwardAPI:
              items:
                - fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
                  path: namespace