custom-kube-scheduler/kubernetes-v1.15.4/cluster/addons/ip-masq-agent/ip-masq-agent.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ip-masq-agent
  namespace: kube-system
  labels:
    k8s-app: ip-masq-agent
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
# https://github.com/kubernetes-incubator/ip-masq-agent/blob/v2.4.1/README.md
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ip-masq-agent
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: ip-masq-agent
  template:
    metadata:
      labels:
        k8s-app: ip-masq-agent
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      priorityClassName: system-node-critical
      serviceAccountName: ip-masq-agent
      hostNetwork: true
      containers:
      - name: ip-masq-agent
        image: k8s.gcr.io/ip-masq-agent-amd64:v2.4.1
        args:
          - --masq-chain=IP-MASQ
          - --nomasq-all-reserved-ranges
        resources:
          requests:
            cpu: 10m
            memory: 16Mi
        securityContext:
          privileged: true
        volumeMounts:
          - name: config
            mountPath: /etc/config
      nodeSelector:
        # TODO(liggitt): switch to node.kubernetes.io/masq-agent-ds-ready in 1.16
        beta.kubernetes.io/masq-agent-ds-ready: "true"
      volumes:
        - name: config
          configMap:
            # Note this ConfigMap must be created in the same namespace as the daemon pods - this spec uses kube-system
            name: ip-masq-agent
            optional: true
            items:
              # The daemon looks for its config in a YAML file at /etc/config/ip-masq-agent
              - key: config
                path: ip-masq-agent
      tolerations:
      - effect: NoSchedule
        operator: Exists
      - effect: NoExecute
        operator: Exists
      - key: "CriticalAddonsOnly"
        operator: "Exists"