apiVersion: v1
kind: Namespace
metadata:
  name: ssm-agent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ssm-agent-installer
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - ssm-agent-installer
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ssm-agent-installer
  namespace: ssm-agent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ssm-agent-installer
  namespace: ssm-agent 
roleRef:
  kind: ClusterRole
  name: ssm-agent-installer
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: ssm-agent-installer 
  namespace: ssm-agent
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ssm-agent-installer
spec:
  privileged: true
  hostPID: true 
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ssm-installer-script
  namespace: ssm-agent
data:
  install.sh: |
    #!/bin/sh
    podman run -d --name ssm-agent \
      --device=/dev/ttyS0 \
      -v /var/run/dbus:/var/run/dbus \
      -v /run/systemd:/run/systemd \
      -v /etc/sudoers.d:/etc/sudoers.d \
      scouturier/ssm-agent:latest
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ssm-agent-installer
  namespace: ssm-agent
spec:
  selector:
    matchLabels:
      job: ssm-agent-installer
  template:
    metadata:
      labels:
        job: ssm-agent-installer
    spec:
      hostPID: true
      restartPolicy: Always
      initContainers:
      - image: jicowan/ssm-agent-installer:1.2
        name: ssm-agent-installer
        securityContext:
          privileged: true
        volumeMounts:
        - name: install-script
          mountPath: /tmp
        - name: host-mount
          mountPath: /host
      volumes:
      - name: install-script
        configMap:
          name: ssm-installer-script
      - name: host-mount
        hostPath:
          path: /tmp/install
      serviceAccount: ssm-agent-installer
      containers:
      - image: "gcr.io/google-containers/pause:2.0"
        name: pause
        securityContext:  
          allowPrivilegeEscalation: false  
          runAsUser: 1000  
          readOnlyRootFilesystem: true
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      - key: node-role.kubernetes.io/infra
        effect: NoSchedule