apiVersion: v1
kind: Namespace
metadata:
  name: cattle-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rancher
  namespace: cattle-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: rancher
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

---
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
kind: ClusterRoleBinding
metadata:
  name: rancher
subjects:
- kind: ServiceAccount
  name: rancher
  namespace: cattle-system
  apiGroup: ""
roleRef:
  kind: ClusterRole #this must be Role or ClusterRole
  name: rancher
  apiGroup: ""
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rancher
  namespace: cattle-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rancher
  template:
    metadata:
      labels:
        app: rancher
    spec:
      serviceAccountName: rancher
      containers:
      - name: name
        image: rancher/rancher
        args:
        - --features
        - fleet=false
        env:
        - name: CATTLE_FEATURES
          value: "fleet=false"
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
        ports:
        - containerPort: 443
---
apiVersion: v1
kind: Service
metadata:
  name: rancher
  namespace: cattle-system
spec:
  type: LoadBalancer
  ports:
  - port: 8443
    targetPort: 443
  selector:
    app: rancher