apiVersion: v1
kind: Namespace
metadata:
  name: node-labeler
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: worker-node-labeler
  namespace: node-labeler
spec:
  selector:
    matchLabels:
      role: worker-node-labeler
  template:
    metadata:
      labels:
        role: worker-node-labeler
    spec:
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
      containers:
        - name: labeler
          image: bitnami/kubectl
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          command: ["/bin/sh", "-c", "while true; do kubectl get node $(NODE_NAME) -o=jsonpath='{.metadata.labels}' | grep -q node-role.kubernetes.io/worker || kubectl label node $(NODE_NAME) node-role.kubernetes.io/worker=; sleep 60; done"]
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: worker-node-labeler-role
  namespace: node-labeler
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: worker-node-labeler-binding
  namespace: node-labeler
subjects:
  - kind: ServiceAccount
    name: default
    namespace: node-labeler
roleRef:
  kind: ClusterRole
  name: worker-node-labeler-role
  apiGroup: rbac.authorization.k8s.io