# infrastructure/core/ntp-sync-daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ntp-sync
  namespace: kube-system
  labels:
    app: ntp-sync
spec:
  selector:
    matchLabels:
      app: ntp-sync
  template:
    metadata:
      labels:
        app: ntp-sync
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/control-plane
                    operator: DoesNotExist
                  - key: node-role.kubernetes.io/master
                    operator: DoesNotExist
      containers:
        - name: ntp-sync
          image: public.ecr.aws/docker/library/busybox:1.36.1
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              while true; do
                ntpd -q -p pool.ntp.org || true
                sleep 300
              done
          securityContext:
            capabilities:
              add: ["SYS_TIME"]
            runAsUser: 0
            runAsGroup: 0
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              cpu: 50m
              memory: 64Mi