porkadot 0.1.0 → 0.18.1

data/lib/porkadot/assets/kubernetes/manifests/flannel.yaml.erb

@@ -154,11 +154,11 @@ spec:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
               - matchExpressions:
-                  - key: beta.kubernetes.io/os
+                  - key: kubernetes.io/os
                     operator: In
                     values:
                       - linux
-                  - key: beta.kubernetes.io/arch
+                  - key: kubernetes.io/arch
                     operator: In
                     values:
                       - amd64
@@ -248,11 +248,11 @@ spec:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
               - matchExpressions:
-                  - key: beta.kubernetes.io/os
+                  - key: kubernetes.io/os
                     operator: In
                     values:
                       - linux
-                  - key: beta.kubernetes.io/arch
+                  - key: kubernetes.io/arch
                     operator: In
                     values:
                       - arm64
@@ -342,11 +342,11 @@ spec:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
               - matchExpressions:
-                  - key: beta.kubernetes.io/os
+                  - key: kubernetes.io/os
                     operator: In
                     values:
                       - linux
-                  - key: beta.kubernetes.io/arch
+                  - key: kubernetes.io/arch
                     operator: In
                     values:
                       - arm
@@ -436,11 +436,11 @@ spec:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
               - matchExpressions:
-                  - key: beta.kubernetes.io/os
+                  - key: kubernetes.io/os
                     operator: In
                     values:
                       - linux
-                  - key: beta.kubernetes.io/arch
+                  - key: kubernetes.io/arch
                     operator: In
                     values:
                       - ppc64le
@@ -530,11 +530,11 @@ spec:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
               - matchExpressions:
-                  - key: beta.kubernetes.io/os
+                  - key: kubernetes.io/os
                     operator: In
                     values:
                       - linux
-                  - key: beta.kubernetes.io/arch
+                  - key: kubernetes.io/arch
                     operator: In
                     values:
                       - s390x

data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.secrets.yaml.erb

@@ -0,0 +1,37 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+data:
+  apiserver.crt: <%= certs.kubernetes.to_base64(:apiserver_cert) %>
+  apiserver.key: <%= certs.kubernetes.to_base64(:apiserver_key) %>
+  ca.crt: <%= certs.kubernetes.to_base64(:ca_cert) %>
+  front-proxy-ca.crt: <%= certs.front_proxy.to_base64(:ca_cert) %>
+  front-proxy-client.crt: <%= certs.front_proxy.to_base64(:client_cert) %>
+  front-proxy-client.key: <%= certs.front_proxy.to_base64(:client_key) %>
+  kubelet-client.crt: <%= certs.kubernetes.to_base64(:kubelet_client_cert) %>
+  kubelet-client.key: <%= certs.kubernetes.to_base64(:kubelet_client_key) %>
+  sa.pub: <%= certs.kubernetes.to_base64(:sa_public_key) %>
+kind: Secret
+metadata:
+  name: kube-apiserver
+  namespace: kube-system
+  labels:
+    <%- k8s.apiserver.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+type: Opaque
+---
+apiVersion: v1
+data:
+  ca.crt: <%= certs.etcd.to_base64(:ca_cert) %>
+  etcd-client.crt:  <%= certs.etcd.to_base64(:client_cert) %>
+  etcd-client.key:  <%= certs.etcd.to_base64(:client_key) %>
+kind: Secret
+metadata:
+  name: etcd-tls
+  namespace: kube-system
+  labels:
+    <%- k8s.apiserver.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+type: Opaque

data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb

@@ -1,41 +1,5 @@
 <% k8s = global_config.k8s -%>
 ---
-apiVersion: v1
-data:
-  apiserver.crt: <%= certs.kubernetes.to_base64(:apiserver_cert) %>
-  apiserver.key: <%= certs.kubernetes.to_base64(:apiserver_key) %>
-  ca.crt: <%= certs.kubernetes.to_base64(:ca_cert) %>
-  front-proxy-ca.crt: <%= certs.front_proxy.to_base64(:ca_cert) %>
-  front-proxy-client.crt: <%= certs.front_proxy.to_base64(:client_cert) %>
-  front-proxy-client.key: <%= certs.front_proxy.to_base64(:client_key) %>
-  kubelet-client.crt: <%= certs.kubernetes.to_base64(:kubelet_client_cert) %>
-  kubelet-client.key: <%= certs.kubernetes.to_base64(:kubelet_client_key) %>
-  sa.pub: <%= certs.kubernetes.to_base64(:sa_public_key) %>
-kind: Secret
-metadata:
-  name: kube-apiserver
-  namespace: kube-system
-  labels:
-    <%- k8s.apiserver.labels.each do |k, v| -%>
-    <%= k.to_s %>: <%= v %>
-    <%- end -%>
-type: Opaque
----
-apiVersion: v1
-data:
-  ca.crt: <%= certs.etcd.to_base64(:ca_cert) %>
-  etcd-client.crt:  <%= certs.etcd.to_base64(:client_cert) %>
-  etcd-client.key:  <%= certs.etcd.to_base64(:client_key) %>
-kind: Secret
-metadata:
-  name: etcd-tls
-  namespace: kube-system
-  labels:
-    <%- k8s.apiserver.labels.each do |k, v| -%>
-    <%= k.to_s %>: <%= v %>
-    <%- end -%>
-type: Opaque
----
 apiVersion: "apps/v1"
 kind: DaemonSet
 metadata:

data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.secrets.yaml.erb

@@ -0,0 +1,16 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+data:
+  ca.crt: <%= certs.kubernetes.to_base64(:ca_cert) %>
+  ca.key: <%= certs.kubernetes.to_base64(:ca_key) %>
+  sa.key: <%= certs.kubernetes.to_base64(:sa_private_key) %>
+kind: Secret
+metadata:
+  name: kube-controller-manager
+  namespace: kube-system
+  labels:
+    <%- k8s.controller_manager.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+type: Opaque

data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb

@@ -44,21 +44,6 @@ metadata:
     <%= k.to_s %>: <%= v %>
     <%- end -%>
 ---
-apiVersion: v1
-data:
-  ca.crt: <%= certs.kubernetes.to_base64(:ca_cert) %>
-  ca.key: <%= certs.kubernetes.to_base64(:ca_key) %>
-  sa.key: <%= certs.kubernetes.to_base64(:sa_private_key) %>
-kind: Secret
-metadata:
-  name: kube-controller-manager
-  namespace: kube-system
-  labels:
-    <%- k8s.controller_manager.labels.each do |k, v| -%>
-    <%= k.to_s %>: <%= v %>
-    <%- end -%>
-type: Opaque
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:

data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb

@@ -62,7 +62,7 @@ rules:
   verbs: ["get", "watch", "list"]
 - apiGroups: [""] # "" indicates the core API group
   resources: ["secrets", "configmaps"]
-  verbs: ["get"]
+  verbs: ["get", "watch", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

data/lib/porkadot/assets/kubernetes/manifests/kubelet-rubber-stamp.yaml.erb

@@ -24,7 +24,7 @@ spec:
         - name: kubelet-rubber-stamp
           # image: quay.io/kontena/kubelet-rubber-stamp-amd64:0.2
           # Use following image until issue is fixed
-          image: yuanying/kubelet-rubber-stamp:0.2.0.y01
+          image: yuanying/kubelet-rubber-stamp:0.3.0.y01
           args:
             - "--v=2"
           imagePullPolicy: Always
@@ -56,12 +56,21 @@ kind: ClusterRole
 metadata:
   name: kubelet-rubber-stamp
 rules:
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - signers
+  # legacy-unknown: support before kubernetes-1.18.0
+  resourceNames:
+  - "kubernetes.io/legacy-unknown"
+  - "kubernetes.io/kubelet-serving"
+  verbs:
+  - approve
 - apiGroups:
   - certificates.k8s.io
   resources:
   - certificatesigningrequests
   verbs:
-  - delete
   - get
   - list
   - watch

data/lib/porkadot/assets/kubernetes/manifests/metallb.secrets.yaml.erb

@@ -0,0 +1,13 @@
+<% require 'securerandom' -%>
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+stringData:
+  secretkey: <%= SecureRandom.base64(128) %>
+kind: Secret
+metadata:
+  name: memberlist
+  namespace: metallb-system
+  labels:
+    app: metallb
+type: Opaque

data/lib/porkadot/assets/kubernetes/manifests/metallb.yaml.erb

@@ -8,6 +8,48 @@ metadata:
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []
+  allowedHostPaths: []
+  defaultAddCapabilities: []
+  defaultAllowPrivilegeEscalation: false
+  fsGroup:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  hostIPC: false
+  hostNetwork: false
+  hostPID: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+  - ALL
+  runAsUser:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  volumes:
+  - configMap
+  - secret
+  - emptyDir
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
 metadata:
   labels:
     app: metallb
@@ -19,13 +61,21 @@ spec:
   - NET_ADMIN
   - NET_RAW
   - SYS_ADMIN
+  allowedHostPaths: []
+  defaultAddCapabilities: []
+  defaultAllowPrivilegeEscalation: false
   fsGroup:
     rule: RunAsAny
+  hostIPC: false
   hostNetwork: true
+  hostPID: false
   hostPorts:
   - max: 7472
     min: 7472
   privileged: true
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+  - ALL
   runAsUser:
     rule: RunAsAny
   seLinux:
@@ -33,7 +83,9 @@ spec:
   supplementalGroups:
     rule: RunAsAny
   volumes:
-  - '*'
+  - configMap
+  - secret
+  - emptyDir
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -80,6 +132,14 @@ rules:
   verbs:
   - create
   - patch
+- apiGroups:
+  - policy
+  resourceNames:
+  - controller
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -106,7 +166,7 @@ rules:
   - create
   - patch
 - apiGroups:
-  - extensions
+  - policy
   resourceNames:
   - speaker
   resources:
@@ -132,6 +192,21 @@ rules:
   - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
@@ -178,6 +253,21 @@ subjects:
 - kind: ServiceAccount
   name: speaker
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-lister
+subjects:
+- kind: ServiceAccount
+  name: speaker
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -200,24 +290,6 @@ spec:
         app: metallb
         component: speaker
     spec:
-      initContainers:
-      - command:
-        - "iptables"
-        - "-P"
-        - "FORWARD"
-        - "ACCEPT"
-        image: <%= k8s.image_repository %>/hyperkube:<%= k8s.kubernetes_version %>
-        imagePullPolicy: IfNotPresent
-        name: default-iptables
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            add:
-            - NET_ADMIN
-            - NET_RAW
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
       containers:
       - args:
         - --port=7472
@@ -231,8 +303,26 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: status.hostIP
-        image: metallb/speaker:v0.8.2
-        imagePullPolicy: IfNotPresent
+        - name: METALLB_ML_BIND_ADDR
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        # needed when another software is also using memberlist / port 7946
+        #- name: METALLB_ML_BIND_PORT
+        #  value: "7946"
+        - name: METALLB_ML_LABELS
+          value: "app=metallb,component=speaker"
+        - name: METALLB_ML_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: METALLB_ML_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: memberlist
+              key: secretkey
+        image: metallb/speaker:v0.9.4
+        imagePullPolicy: Always
         name: speaker
         ports:
         - containerPort: 7472
@@ -255,7 +345,7 @@ spec:
       nodeSelector:
         beta.kubernetes.io/os: linux
       serviceAccountName: speaker
-      terminationGracePeriodSeconds: 0
+      terminationGracePeriodSeconds: 2
       tolerations:
       - effect: NoSchedule
         key: node-role.kubernetes.io/master
@@ -287,8 +377,8 @@ spec:
       - args:
         - --port=7472
         - --config=config
-        image: metallb/controller:v0.8.2
-        imagePullPolicy: IfNotPresent
+        image: metallb/controller:v0.9.4
+        imagePullPolicy: Always
         name: controller
         ports:
         - containerPort: 7472
@@ -304,7 +394,7 @@ spec:
             - all
           readOnlyRootFilesystem: true
       nodeSelector:
-        beta.kubernetes.io/os: linux
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 65534