porkadot 0.1.0
- checksums.yaml +7 -0
- data/.gitignore +15 -0
- data/.travis.yml +7 -0
- data/Gemfile +4 -0
- data/README.md +35 -0
- data/Rakefile +10 -0
- data/Vagrantfile +63 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/config/porkadot.yaml +25 -0
- data/config/unstable.yaml +49 -0
- data/exe/porkadot +5 -0
- data/lib/porkadot/assets/bootstrap/bootstrap/kube-proxy-bootstrap.yaml.erb +1 -0
- data/lib/porkadot/assets/bootstrap/bootstrap/kubeconfig-bootstrap.yaml.erb +18 -0
- data/lib/porkadot/assets/bootstrap/cleanup.sh.erb +12 -0
- data/lib/porkadot/assets/bootstrap/install.sh.erb +14 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb +91 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-controller-manager.bootstrap.yaml.erb +69 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-proxy.bootstrap.yaml.erb +56 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-scheduler.bootstrap.yaml.erb +31 -0
- data/lib/porkadot/assets/bootstrap.rb +52 -0
- data/lib/porkadot/assets/certs/etcd.rb +21 -0
- data/lib/porkadot/assets/certs/front_proxy.rb +21 -0
- data/lib/porkadot/assets/certs/k8s.rb +90 -0
- data/lib/porkadot/assets/certs.rb +175 -0
- data/lib/porkadot/assets/etcd/etcd-server.yaml.erb +57 -0
- data/lib/porkadot/assets/etcd/install.sh.erb +12 -0
- data/lib/porkadot/assets/etcd.rb +109 -0
- data/lib/porkadot/assets/kubelet/bootstrap-kubelet.conf.erb +21 -0
- data/lib/porkadot/assets/kubelet/config.yaml.erb +36 -0
- data/lib/porkadot/assets/kubelet/install-deps.sh.erb +21 -0
- data/lib/porkadot/assets/kubelet/install-pkgs.sh.erb +33 -0
- data/lib/porkadot/assets/kubelet/install.sh.erb +35 -0
- data/lib/porkadot/assets/kubelet/kubelet.service.erb +22 -0
- data/lib/porkadot/assets/kubelet.rb +102 -0
- data/lib/porkadot/assets/kubernetes/install.sh.erb +7 -0
- data/lib/porkadot/assets/kubernetes/manifests/flannel.yaml.erb +602 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb +129 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb +173 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-proxy.yaml.erb +132 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb +162 -0
- data/lib/porkadot/assets/kubernetes/manifests/kubelet-rubber-stamp.yaml.erb +86 -0
- data/lib/porkadot/assets/kubernetes/manifests/kubelet.yaml.erb +40 -0
- data/lib/porkadot/assets/kubernetes/manifests/metallb.yaml.erb +323 -0
- data/lib/porkadot/assets/kubernetes/manifests/pod-checkpointer.yaml.erb +130 -0
- data/lib/porkadot/assets/kubernetes/manifests/porkadot.yaml.erb +69 -0
- data/lib/porkadot/assets/kubernetes.rb +39 -0
- data/lib/porkadot/assets.rb +24 -0
- data/lib/porkadot/cmd/cli.rb +45 -0
- data/lib/porkadot/cmd/install/bootstrap.rb +50 -0
- data/lib/porkadot/cmd/install.rb +36 -0
- data/lib/porkadot/cmd/render/certs.rb +68 -0
- data/lib/porkadot/cmd/render.rb +67 -0
- data/lib/porkadot/cmd.rb +4 -0
- data/lib/porkadot/config.rb +115 -0
- data/lib/porkadot/configs/bootstrap.rb +67 -0
- data/lib/porkadot/configs/certs/etcd.rb +33 -0
- data/lib/porkadot/configs/certs/front_proxy.rb +33 -0
- data/lib/porkadot/configs/certs/k8s.rb +89 -0
- data/lib/porkadot/configs/certs.rb +50 -0
- data/lib/porkadot/configs/cni.rb +22 -0
- data/lib/porkadot/configs/etcd.rb +95 -0
- data/lib/porkadot/configs/kubelet.rb +61 -0
- data/lib/porkadot/configs/kubernetes.rb +223 -0
- data/lib/porkadot/configs/loadbalancer.rb +26 -0
- data/lib/porkadot/const.rb +8 -0
- data/lib/porkadot/default.yaml +123 -0
- data/lib/porkadot/install/base.rb +5 -0
- data/lib/porkadot/install/bootstrap.rb +76 -0
- data/lib/porkadot/install/kubelet.rb +63 -0
- data/lib/porkadot/install/kubernetes.rb +33 -0
- data/lib/porkadot/utils/hash_recursive_merge.rb +73 -0
- data/lib/porkadot/utils.rb +25 -0
- data/lib/porkadot/version.rb +3 -0
- data/lib/porkadot.rb +41 -0
- data/porkadot.gemspec +42 -0
- metadata +205 -0
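--- a/data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb
+++ b/data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb
@@ -0,0 +1,129 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+data:
+apiserver.crt: <%= certs.kubernetes.to_base64(:apiserver_cert) %>
+apiserver.key: <%= certs.kubernetes.to_base64(:apiserver_key) %>
+ca.crt: <%= certs.kubernetes.to_base64(:ca_cert) %>
+front-proxy-ca.crt: <%= certs.front_proxy.to_base64(:ca_cert) %>
+front-proxy-client.crt: <%= certs.front_proxy.to_base64(:client_cert) %>
+front-proxy-client.key: <%= certs.front_proxy.to_base64(:client_key) %>
+kubelet-client.crt: <%= certs.kubernetes.to_base64(:kubelet_client_cert) %>
+kubelet-client.key: <%= certs.kubernetes.to_base64(:kubelet_client_key) %>
+sa.pub: <%= certs.kubernetes.to_base64(:sa_public_key) %>
+kind: Secret
+metadata:
+name: kube-apiserver
+namespace: kube-system
+labels:
+<%- k8s.apiserver.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+type: Opaque
+---
+apiVersion: v1
+data:
+ca.crt: <%= certs.etcd.to_base64(:ca_cert) %>
+etcd-client.crt: <%= certs.etcd.to_base64(:client_cert) %>
+etcd-client.key: <%= certs.etcd.to_base64(:client_key) %>
+kind: Secret
+metadata:
+name: etcd-tls
+namespace: kube-system
+labels:
+<%- k8s.apiserver.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+type: Opaque
+---
+apiVersion: "apps/v1"
+kind: DaemonSet
+metadata:
+name: kube-apiserver
+namespace: kube-system
+labels:
+<%- k8s.apiserver.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+spec:
+selector:
+matchLabels:
+<%- k8s.apiserver.instance_labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+template:
+metadata:
+labels:
+<%- k8s.apiserver.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+annotations:
+checkpointer.alpha.coreos.com/checkpoint: "true"
+spec:
+containers:
+- name: kube-apiserver
+resources:
+requests:
+cpu: 250m
+image: <%= k8s.image_repository %>/kube-apiserver:<%= k8s.kubernetes_version %>
+command:
+- kube-apiserver
+<%- k8s.apiserver.args.each do |k, v| -%>
+- <%= k %><% if v ;%>=<%= v %><%; end %>
+<%- end -%>
+env:
+- name: POD_IP
+valueFrom:
+fieldRef:
+fieldPath: status.podIP
+volumeMounts:
+- mountPath: /etc/ca-certificates
+name: etc-ca-certificates
+readOnly: true
+- mountPath: /etc/ssl/certs
+name: ca-certs
+readOnly: true
+- mountPath: /usr/share/ca-certificates
+name: usr-share-ca-certificates
+readOnly: true
+- mountPath: /etc/kubernetes/pki/kubernetes
+name: k8s-tls
+readOnly: true
+- mountPath: /etc/kubernetes/pki/etcd
+name: etcd-tls
+readOnly: true
+- mountPath: /var/lock
+name: var-lock
+readOnly: false
+hostNetwork: true
+priorityClassName: system-cluster-critical
+nodeSelector:
+k8s.unstable.cloud/master: ""
+tolerations:
+- key: CriticalAddonsOnly
+operator: Exists
+- key: node-role.kubernetes.io/master
+operator: Exists
+effect: NoSchedule
+volumes:
+- hostPath:
+path: /etc/ssl/certs
+type: DirectoryOrCreate
+name: ca-certs
+- hostPath:
+path: /usr/share/ca-certificates
+type: DirectoryOrCreate
+name: usr-share-ca-certificates
+- hostPath:
+path: /etc/ca-certificates
+type: DirectoryOrCreate
+name: etc-ca-certificates
+- name: k8s-tls
+secret:
+secretName: kube-apiserver
+- name: etcd-tls
+secret:
+secretName: etcd-tls
+- name: var-lock
+hostPath:
+path: /var/lock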
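Review bot: The label loops (`<%= k.to_s %>: <%= v %>` under `labels:` and `matchLabels:`) and the args loop (`- <%= k %><% if v ;%>=<%= v %><%; end %>`) emit templated values as plain YAML scalars, so a label value such as `true` or `1.10` is retyped by the YAML parser and then rejected by the API server (label values must be strings), and an argument value containing `: ` or ` #` breaks the rendered document. Quote what the template emits, e.g. `<%= k.to_s %>: "<%= v %>"` and `- "<%= k %><% if v ;%>=<%= v %><%; end %>"`, or render through an escaping helper if values may themselves contain double quotes. The same pattern appears in the kube-controller-manager, kube-proxy and kube-scheduler sections below. The rendered page has dropped the template's indentation, so nesting could not be checked here.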
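--- a/data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb
+++ b/data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb
@@ -0,0 +1,173 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+name: kube-controller-manager
+namespace: kube-system
+labels:
+<%- k8s.controller_manager.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+spec:
+minAvailable: 1
+selector:
+matchLabels:
+<%- k8s.controller_manager.instance_labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: porkadot:kube-controller-manager
+labels:
+<%- k8s.controller_manager.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: system:kube-controller-manager
+subjects:
+- kind: ServiceAccount
+name: kube-controller-manager
+namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: kube-controller-manager
+namespace: kube-system
+labels:
+<%- k8s.controller_manager.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+---
+apiVersion: v1
+data:
+ca.crt: <%= certs.kubernetes.to_base64(:ca_cert) %>
+ca.key: <%= certs.kubernetes.to_base64(:ca_key) %>
+sa.key: <%= certs.kubernetes.to_base64(:sa_private_key) %>
+kind: Secret
+metadata:
+name: kube-controller-manager
+namespace: kube-system
+labels:
+<%- k8s.controller_manager.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+type: Opaque
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: kube-controller-manager
+namespace: kube-system
+labels:
+<%- k8s.controller_manager.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+spec:
+replicas: 2
+selector:
+matchLabels:
+<%- k8s.controller_manager.instance_labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+template:
+metadata:
+labels:
+<%- k8s.controller_manager.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+annotations:
+scheduler.alpha.kubernetes.io/critical-pod: ''
+spec:
+affinity:
+podAntiAffinity:
+preferredDuringSchedulingIgnoredDuringExecution:
+- weight: 100
+podAffinityTerm:
+labelSelector:
+matchExpressions:
+- key: 'app.kubernetes.io/component'
+operator: In
+values:
+- kube-controller-manager
+- key: 'app.kubernetes.io/managed-by'
+operator: In
+values:
+- porkadot
+topologyKey: kubernetes.io/hostname
+containers:
+- name: kube-controller-manager
+resources:
+requests:
+cpu: 200m
+image: <%= k8s.image_repository %>/kube-controller-manager:<%= k8s.kubernetes_version %>
+command:
+- kube-controller-manager
+<%- k8s.controller_manager.args.each do |k, v| -%>
+- <%= k %><% if v ;%>=<%= v %><%; end %>
+<%- end -%>
+livenessProbe:
+httpGet:
+path: /healthz
+port: 10252 # Note: Using default port. Update if --port option is set differently.
+initialDelaySeconds: 15
+timeoutSeconds: 15
+volumeMounts:
+- name: var-run-kubernetes
+mountPath: /var/run/kubernetes
+- name: secrets
+mountPath: /etc/kubernetes/pki/kubernetes
+readOnly: true
+- mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
+name: flexvolume-dir
+- mountPath: /usr/share/ca-certificates
+name: usr-share-ca-certificates
+readOnly: true
+- mountPath: /etc/ca-certificates
+name: etc-ca-certificates
+readOnly: true
+- mountPath: /etc/ssl/certs
+name: ca-certs
+readOnly: true
+priorityClassName: system-cluster-critical
+nodeSelector:
+k8s.unstable.cloud/master: ""
+securityContext:
+runAsNonRoot: true
+runAsUser: 65534
+serviceAccountName: kube-controller-manager
+tolerations:
+- key: CriticalAddonsOnly
+operator: Exists
+- key: node-role.kubernetes.io/master
+operator: Exists
+effect: NoSchedule
+volumes:
+- name: var-run-kubernetes
+emptyDir: {}
+- name: secrets
+secret:
+secretName: kube-controller-manager
+- hostPath:
+path: /etc/ssl/certs
+type: DirectoryOrCreate
+name: ca-certs
+- hostPath:
+path: /var/lib/kubelet/volumeplugins
+type: DirectoryOrCreate
+name: flexvolume-dir
+- hostPath:
+path: /usr/share/ca-certificates
+type: DirectoryOrCreate
+name: usr-share-ca-certificates
+- hostPath:
+path: /etc/ca-certificates
+type: DirectoryOrCreate
+name: etc-ca-certificates
+dnsPolicy: Default # Don't use cluster DNS.
+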
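Review bot: The `kube-controller-manager` Secret carries `ca.key` and `sa.key` — the cluster CA private key and the service-account signing key — as an `Opaque` Secret in `kube-system`, so every principal with `get` on secrets in that namespace (the `porkadot:kube-scheduler` Role added later in this commit is one) can read material that signs client certificates and service-account tokens for the whole cluster. If the controller manager must receive them through a Secret, say so next to the `data:` block, e.g. `# ca.key/sa.key are cluster signing keys: enable EncryptionConfiguration for secrets at rest and keep kube-system secret read access to the controller manager only`, and audit any Role that grants blanket secret reads in `kube-system`. Separately, `scheduler.alpha.kubernetes.io/critical-pod: ''` is redundant once `priorityClassName: system-cluster-critical` is set; presumably kept for older clusters, which a comment should state.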
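--- a/data/lib/porkadot/assets/kubernetes/manifests/kube-proxy.yaml.erb
+++ b/data/lib/porkadot/assets/kubernetes/manifests/kube-proxy.yaml.erb
@@ -0,0 +1,132 @@
+<% k8s = global_config.k8s -%>
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: porkadot:node-proxier
+labels:
+<%- k8s.proxy.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: system:node-proxier
+subjects:
+- kind: ServiceAccount
+name: kube-proxy
+namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: kube-proxy
+namespace: kube-system
+labels:
+<%- k8s.proxy.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+name: kube-proxy
+namespace: kube-system
+labels:
+<%- k8s.proxy.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+data:
+config.conf: |-
+<%= u.indent(k8s.proxy.proxy_config, 4) %>
+kubeconfig.conf: |
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+server: https://<%= k8s.control_plane_endpoint %>
+name: default
+contexts:
+- context:
+cluster: default
+namespace: default
+user: default
+name: default
+current-context: default
+users:
+- name: default
+user:
+tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+labels:
+<%- k8s.proxy.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+name: kube-proxy
+namespace: kube-system
+spec:
+selector:
+matchLabels:
+<%- k8s.proxy.instance_labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+template:
+metadata:
+labels:
+<%- k8s.proxy.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+annotations:
+scheduler.alpha.kubernetes.io/critical-pod: ''
+spec:
+containers:
+- name: kube-proxy
+image: <%= k8s.image_repository %>/kube-proxy:<%= k8s.kubernetes_version %>
+imagePullPolicy: IfNotPresent
+command:
+- kube-proxy
+<%- k8s.proxy.args.each do |k, v| -%>
+- <%= k %><% if v ;%>=<%= v %><%; end %>
+<%- end -%>
+env:
+- name: NODE_NAME
+valueFrom:
+fieldRef:
+fieldPath: spec.nodeName
+securityContext:
+privileged: true
+volumeMounts:
+- mountPath: /var/lib/kube-proxy
+name: kube-proxy
+- mountPath: /run/xtables.lock
+name: xtables-lock
+- mountPath: /lib/modules
+name: lib-modules
+readOnly: true
+hostNetwork: true
+priorityClassName: system-node-critical
+serviceAccountName: kube-proxy
+tolerations:
+- operator: Exists
+effect: NoSchedule
+volumes:
+- configMap:
+defaultMode: 420
+name: kube-proxy
+name: kube-proxy
+- hostPath:
+path: /run/xtables.lock
+type: FileOrCreate
+name: xtables-lock
+- hostPath:
+path: /lib/modules
+type: ""
+name: lib-modules
+updateStrategy:
+rollingUpdate:
+maxUnavailable: 1
+type: RollingUpdate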
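Review bot: The kube-proxy container combines `privileged: true` with `hostNetwork: true`, which hands it every capability and host device, while the host resources the manifest actually touches are `/run/xtables.lock` (read-write) and `/lib/modules` (read-only). A capabilities-scoped context is tighter, e.g. `securityContext:` / `capabilities:` / `add: [NET_ADMIN]` (plus `SYS_MODULE` only if the `/lib/modules` mount exists so the proxy can load ipvs modules itself — verify against the proxy mode used); if `privileged` is kept because upstream manifests do the same, a comment saying so would stop the next reviewer re-raising it. The `lib-modules` volume also declares `type: ""`, which disables the hostPath existence check; `type: Directory` documents the expectation and fails early when the path is missing.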
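--- a/data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb
+++ b/data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb
@@ -0,0 +1,162 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+name: kube-scheduler
+namespace: kube-system
+labels:
+<%- k8s.scheduler.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+spec:
+minAvailable: 1
+selector:
+matchLabels:
+<%- k8s.scheduler.instance_labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: porkadot:kube-scheduler
+labels:
+<%- k8s.scheduler.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: system:kube-scheduler
+subjects:
+- kind: ServiceAccount
+name: kube-scheduler
+namespace: kube-system
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: porkadot:volume-scheduler
+labels:
+<%- k8s.scheduler.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: system:volume-scheduler
+subjects:
+- kind: ServiceAccount
+name: kube-scheduler
+namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: porkadot:kube-scheduler
+namespace: kube-system
+rules:
+- apiGroups: [""] # "" indicates the core API group
+resources: ["pods"]
+verbs: ["get", "watch", "list"]
+- apiGroups: [""] # "" indicates the core API group
+resources: ["secrets", "configmaps"]
+verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: porkadot:kube-scheduler
+namespace: kube-system
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: porkadot:kube-scheduler
+subjects:
+- kind: ServiceAccount
+name: kube-scheduler
+namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: kube-scheduler
+namespace: kube-system
+labels:
+<%- k8s.scheduler.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: kube-scheduler
+namespace: kube-system
+labels:
+<%- k8s.scheduler.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+spec:
+replicas: 2
+selector:
+matchLabels:
+<%- k8s.scheduler.instance_labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+template:
+metadata:
+labels:
+<%- k8s.scheduler.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+annotations:
+scheduler.alpha.kubernetes.io/critical-pod: ''
+spec:
+affinity:
+podAntiAffinity:
+preferredDuringSchedulingIgnoredDuringExecution:
+- weight: 100
+podAffinityTerm:
+labelSelector:
+matchExpressions:
+- key: 'app.kubernetes.io/component'
+operator: In
+values:
+- kube-scheduler
+- key: 'app.kubernetes.io/managed-by'
+operator: In
+values:
+- porkadot
+topologyKey: kubernetes.io/hostname
+containers:
+- name: kube-scheduler
+resources:
+requests:
+cpu: 100m
+image: <%= k8s.image_repository %>/kube-scheduler:<%= k8s.kubernetes_version %>
+command:
+- kube-scheduler
+<%- k8s.scheduler.args.each do |k, v| -%>
+- <%= k %><% if v ;%>=<%= v %><%; end %>
+<%- end -%>
+livenessProbe:
+httpGet:
+path: /healthz
+port: 10251 # Note: Using default port. Update if --port option is set differently.
+initialDelaySeconds: 15
+timeoutSeconds: 15
+priorityClassName: system-cluster-critical
+nodeSelector:
+k8s.unstable.cloud/master: ""
+securityContext:
+runAsNonRoot: true
+runAsUser: 65534
+serviceAccountName: kube-scheduler
+tolerations:
+- key: CriticalAddonsOnly
+operator: Exists
+- key: node-role.kubernetes.io/master
+operator: Exists
+effect: NoSchedule
+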
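Review bot: The `porkadot:kube-scheduler` Role grants `get` on every `secrets` and `configmaps` object in `kube-system` (`resources: ["secrets", "configmaps"]` / `verbs: ["get"]`), so the scheduler's service account can read the `kube-apiserver` and `kube-controller-manager` Secrets created elsewhere in this commit, private keys included. The scheduler's authentication path normally needs only the `extension-apiserver-authentication` ConfigMap; if that is what this rule exists for, narrow it to `resources: ["configmaps"]` with `resourceNames: ["extension-apiserver-authentication"]` and drop `secrets`, and if a specific Secret is genuinely required, name it with `resourceNames` as well. A short comment above the rule stating which object it is for would make the grant reviewable later.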
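--- a/data/lib/porkadot/assets/kubernetes/manifests/kubelet-rubber-stamp.yaml.erb
+++ b/data/lib/porkadot/assets/kubernetes/manifests/kubelet-rubber-stamp.yaml.erb
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: kubelet-rubber-stamp
+namespace: kube-system
+spec:
+replicas: 1
+selector:
+matchLabels:
+name: kubelet-rubber-stamp
+template:
+metadata:
+labels:
+name: kubelet-rubber-stamp
+spec:
+serviceAccountName: kubelet-rubber-stamp
+tolerations:
+- effect: NoSchedule
+operator: Exists
+nodeSelector:
+k8s.unstable.cloud/master: ""
+priorityClassName: system-cluster-critical
+containers:
+- name: kubelet-rubber-stamp
+# image: quay.io/kontena/kubelet-rubber-stamp-amd64:0.2
+# Use following image until issue is fixed
+image: yuanying/kubelet-rubber-stamp:0.2.0.y01
+args:
+- "--v=2"
+imagePullPolicy: Always
+env:
+- name: WATCH_NAMESPACE
+value: ""
+- name: POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: OPERATOR_NAME
+value: "kubelet-rubber-stamp"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: kubelet-rubber-stamp
+subjects:
+- kind: ServiceAccount
+namespace: kube-system
+name: kubelet-rubber-stamp
+roleRef:
+kind: ClusterRole
+name: kubelet-rubber-stamp
+apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+name: kubelet-rubber-stamp
+rules:
+- apiGroups:
+- certificates.k8s.io
+resources:
+- certificatesigningrequests
+verbs:
+- delete
+- get
+- list
+- watch
+- apiGroups:
+- certificates.k8s.io
+resources:
+- certificatesigningrequests/approval
+verbs:
+- create
+- update
+- apiGroups:
+- authorization.k8s.io
+resources:
+- subjectaccessreviews
+verbs:
+- create
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: kubelet-rubber-stamp
+namespace: kube-system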
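Review bot: `image: yuanying/kubelet-rubber-stamp:0.2.0.y01` together with `imagePullPolicy: Always` re-pulls a personal-namespace image by mutable tag on every pod start, and the workload it runs is bound to a ClusterRole with `create`/`update` on `certificatesigningrequests/approval`, i.e. whatever that image contains decides which kubelet certificates the cluster trusts. Pin the reference by digest, `image: yuanying/kubelet-rubber-stamp@sha256:<DIGEST-PLACEHOLDER>`, and turn `# Use following image until issue is fixed` into a comment that names the tracked issue and the condition for returning to `quay.io/kontena/kubelet-rubber-stamp-amd64:0.2`. The ClusterRole also declares `apiVersion: rbac.authorization.k8s.io/v1beta1` while every other RBAC object in this commit uses `rbac.authorization.k8s.io/v1`; use `v1` here as well so the manifests do not depend on the deprecated group version.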