porkadot 0.18.0 → 0.18.1
- checksums.yaml +4 -4
- data/lib/porkadot/assets/kubelet/install-pkgs.sh.erb +1 -0
- data/lib/porkadot/assets/kubernetes.rb +1 -0
- data/lib/porkadot/assets/kubernetes/manifests/metallb.secrets.yaml.erb +13 -0
- data/lib/porkadot/assets/kubernetes/manifests/metallb.yaml.erb +116 -26
- data/lib/porkadot/version.rb +1 -1
- metadata +3 -2
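--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9ee36f6490d8e4d8cfa07f29fae9b79a4a2eda35fe977f052f60ec7aa43ce802
+data.tar.gz: 675c0c3679ee246844abfaaf39f0230c5b63fa2b661bcb21bb111f1ff7a0e6d5
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bef9c31a3f3371702948ad4c5b18df384387a42a2d363c0820a250227659b45db3c3a3260929c3821860f8eff9800c6fd983a52211bc5885b4b65af3962ece1f
+data.tar.gz: 542e8cbeb5bd220ff9b6c12c109c55a88f1d1315cc3c17bf01ce2e8af9816293117bcf8002ab32330cf257b41285b35cfe43d30820f50ff7c2230f3027c49765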
@@ -28,6 +28,7 @@ module Porkadot; module Assets
|
|
28
28
|
render_erb 'manifests/porkadot.yaml'
|
29
29
|
render_erb 'manifests/kubelet.yaml'
|
30
30
|
render_erb "manifests/#{lb.type}.yaml"
|
31
|
+
render_secrets_erb "manifests/#{lb.type}.secrets.yaml"
|
31
32
|
render_erb "manifests/#{cni.type}.yaml"
|
32
33
|
render_erb "manifests/coredns.yaml"
|
33
34
|
render_erb "manifests/dns-horizontal-autoscaler.yaml"
|
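Review bot: The added `render_secrets_erb "manifests/#{lb.type}.secrets.yaml"` line builds the template path from `lb.type`, but the only secrets template this release adds is `metallb.secrets.yaml.erb`. If `lb.type` can take any other value, the call would look up a template that does not exist; how `render_secrets_erb` handles a missing template is not visible in this hunk. A short comment above the call would make the requirement explicit, e.g. `# every lb type must ship a matching <type>.secrets.yaml.erb`. The enclosing method starts and ends outside the hunk.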
@@ -0,0 +1,13 @@
|
|
1
|
+
<% require 'securerandom' -%>
|
2
|
+
<% k8s = global_config.k8s -%>
|
3
|
+
---
|
4
|
+
apiVersion: v1
|
5
|
+
stringData:
|
6
|
+
secretkey: <%= SecureRandom.base64(128) %>
|
7
|
+
kind: Secret
|
8
|
+
metadata:
|
9
|
+
name: memberlist
|
10
|
+
namespace: metallb-system
|
11
|
+
labels:
|
12
|
+
app: metallb
|
13
|
+
type: Opaque
|
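Review bot: `SecureRandom.base64(128)` on the `secretkey:` line is evaluated on every render, so each run of the renderer produces a different memberlist key. The speaker containers read the key once at start through `METALLB_ML_SECRET_KEY`, so applying a re-rendered Secret would presumably leave running speakers on the old key and newly started ones on the new key until the whole DaemonSet is restarted; whether `render_secrets_erb` preserves an existing output file is not visible here. I would state that above the Secret, e.g. `<%# key is generated at render time; re-rendering rotates it and every speaker must be restarted afterwards -%>`, and treat the rendered file as key material (restrictive file mode, kept out of version control). `<% k8s = global_config.k8s -%>` on the second line is not used anywhere in this template and can be dropped.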
@@ -8,6 +8,48 @@ metadata:
|
|
8
8
|
---
|
9
9
|
apiVersion: policy/v1beta1
|
10
10
|
kind: PodSecurityPolicy
|
11
|
+
metadata:
|
12
|
+
labels:
|
13
|
+
app: metallb
|
14
|
+
name: controller
|
15
|
+
namespace: metallb-system
|
16
|
+
spec:
|
17
|
+
allowPrivilegeEscalation: false
|
18
|
+
allowedCapabilities: []
|
19
|
+
allowedHostPaths: []
|
20
|
+
defaultAddCapabilities: []
|
21
|
+
defaultAllowPrivilegeEscalation: false
|
22
|
+
fsGroup:
|
23
|
+
ranges:
|
24
|
+
- max: 65535
|
25
|
+
min: 1
|
26
|
+
rule: MustRunAs
|
27
|
+
hostIPC: false
|
28
|
+
hostNetwork: false
|
29
|
+
hostPID: false
|
30
|
+
privileged: false
|
31
|
+
readOnlyRootFilesystem: true
|
32
|
+
requiredDropCapabilities:
|
33
|
+
- ALL
|
34
|
+
runAsUser:
|
35
|
+
ranges:
|
36
|
+
- max: 65535
|
37
|
+
min: 1
|
38
|
+
rule: MustRunAs
|
39
|
+
seLinux:
|
40
|
+
rule: RunAsAny
|
41
|
+
supplementalGroups:
|
42
|
+
ranges:
|
43
|
+
- max: 65535
|
44
|
+
min: 1
|
45
|
+
rule: MustRunAs
|
46
|
+
volumes:
|
47
|
+
- configMap
|
48
|
+
- secret
|
49
|
+
- emptyDir
|
50
|
+
---
|
51
|
+
apiVersion: policy/v1beta1
|
52
|
+
kind: PodSecurityPolicy
|
11
53
|
metadata:
|
12
54
|
labels:
|
13
55
|
app: metallb
|
@@ -19,13 +61,21 @@ spec:
|
|
19
61
|
- NET_ADMIN
|
20
62
|
- NET_RAW
|
21
63
|
- SYS_ADMIN
|
64
|
+
allowedHostPaths: []
|
65
|
+
defaultAddCapabilities: []
|
66
|
+
defaultAllowPrivilegeEscalation: false
|
22
67
|
fsGroup:
|
23
68
|
rule: RunAsAny
|
69
|
+
hostIPC: false
|
24
70
|
hostNetwork: true
|
71
|
+
hostPID: false
|
25
72
|
hostPorts:
|
26
73
|
- max: 7472
|
27
74
|
min: 7472
|
28
75
|
privileged: true
|
76
|
+
readOnlyRootFilesystem: true
|
77
|
+
requiredDropCapabilities:
|
78
|
+
- ALL
|
29
79
|
runAsUser:
|
30
80
|
rule: RunAsAny
|
31
81
|
seLinux:
|
@@ -33,7 +83,9 @@ spec:
|
|
33
83
|
supplementalGroups:
|
34
84
|
rule: RunAsAny
|
35
85
|
volumes:
|
36
|
-
-
|
86
|
+
- configMap
|
87
|
+
- secret
|
88
|
+
- emptyDir
|
37
89
|
---
|
38
90
|
apiVersion: v1
|
39
91
|
kind: ServiceAccount
|
@@ -80,6 +132,14 @@ rules:
|
|
80
132
|
verbs:
|
81
133
|
- create
|
82
134
|
- patch
|
135
|
+
- apiGroups:
|
136
|
+
- policy
|
137
|
+
resourceNames:
|
138
|
+
- controller
|
139
|
+
resources:
|
140
|
+
- podsecuritypolicies
|
141
|
+
verbs:
|
142
|
+
- use
|
83
143
|
---
|
84
144
|
apiVersion: rbac.authorization.k8s.io/v1
|
85
145
|
kind: ClusterRole
|
@@ -106,7 +166,7 @@ rules:
|
|
106
166
|
- create
|
107
167
|
- patch
|
108
168
|
- apiGroups:
|
109
|
-
-
|
169
|
+
- policy
|
110
170
|
resourceNames:
|
111
171
|
- speaker
|
112
172
|
resources:
|
@@ -132,6 +192,21 @@ rules:
|
|
132
192
|
- watch
|
133
193
|
---
|
134
194
|
apiVersion: rbac.authorization.k8s.io/v1
|
195
|
+
kind: Role
|
196
|
+
metadata:
|
197
|
+
labels:
|
198
|
+
app: metallb
|
199
|
+
name: pod-lister
|
200
|
+
namespace: metallb-system
|
201
|
+
rules:
|
202
|
+
- apiGroups:
|
203
|
+
- ''
|
204
|
+
resources:
|
205
|
+
- pods
|
206
|
+
verbs:
|
207
|
+
- list
|
208
|
+
---
|
209
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
135
210
|
kind: ClusterRoleBinding
|
136
211
|
metadata:
|
137
212
|
labels:
|
@@ -178,6 +253,21 @@ subjects:
|
|
178
253
|
- kind: ServiceAccount
|
179
254
|
name: speaker
|
180
255
|
---
|
256
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
257
|
+
kind: RoleBinding
|
258
|
+
metadata:
|
259
|
+
labels:
|
260
|
+
app: metallb
|
261
|
+
name: pod-lister
|
262
|
+
namespace: metallb-system
|
263
|
+
roleRef:
|
264
|
+
apiGroup: rbac.authorization.k8s.io
|
265
|
+
kind: Role
|
266
|
+
name: pod-lister
|
267
|
+
subjects:
|
268
|
+
- kind: ServiceAccount
|
269
|
+
name: speaker
|
270
|
+
---
|
181
271
|
apiVersion: apps/v1
|
182
272
|
kind: DaemonSet
|
183
273
|
metadata:
|
@@ -200,24 +290,6 @@ spec:
|
|
200
290
|
app: metallb
|
201
291
|
component: speaker
|
202
292
|
spec:
|
203
|
-
initContainers:
|
204
|
-
- command:
|
205
|
-
- "iptables"
|
206
|
-
- "-P"
|
207
|
-
- "FORWARD"
|
208
|
-
- "ACCEPT"
|
209
|
-
image: <%= k8s.image_repository %>/kube-proxy:<%= k8s.kubernetes_version %>
|
210
|
-
imagePullPolicy: IfNotPresent
|
211
|
-
name: default-iptables
|
212
|
-
securityContext:
|
213
|
-
allowPrivilegeEscalation: false
|
214
|
-
capabilities:
|
215
|
-
add:
|
216
|
-
- NET_ADMIN
|
217
|
-
- NET_RAW
|
218
|
-
drop:
|
219
|
-
- ALL
|
220
|
-
readOnlyRootFilesystem: true
|
221
293
|
containers:
|
222
294
|
- args:
|
223
295
|
- --port=7472
|
@@ -231,8 +303,26 @@ spec:
|
|
231
303
|
valueFrom:
|
232
304
|
fieldRef:
|
233
305
|
fieldPath: status.hostIP
|
234
|
-
|
235
|
-
|
306
|
+
- name: METALLB_ML_BIND_ADDR
|
307
|
+
valueFrom:
|
308
|
+
fieldRef:
|
309
|
+
fieldPath: status.podIP
|
310
|
+
# needed when another software is also using memberlist / port 7946
|
311
|
+
#- name: METALLB_ML_BIND_PORT
|
312
|
+
# value: "7946"
|
313
|
+
- name: METALLB_ML_LABELS
|
314
|
+
value: "app=metallb,component=speaker"
|
315
|
+
- name: METALLB_ML_NAMESPACE
|
316
|
+
valueFrom:
|
317
|
+
fieldRef:
|
318
|
+
fieldPath: metadata.namespace
|
319
|
+
- name: METALLB_ML_SECRET_KEY
|
320
|
+
valueFrom:
|
321
|
+
secretKeyRef:
|
322
|
+
name: memberlist
|
323
|
+
key: secretkey
|
324
|
+
image: metallb/speaker:v0.9.4
|
325
|
+
imagePullPolicy: Always
|
236
326
|
name: speaker
|
237
327
|
ports:
|
238
328
|
- containerPort: 7472
|
@@ -253,9 +343,9 @@ spec:
|
|
253
343
|
readOnlyRootFilesystem: true
|
254
344
|
hostNetwork: true
|
255
345
|
nodeSelector:
|
256
|
-
kubernetes.io/os: linux
|
346
|
+
beta.kubernetes.io/os: linux
|
257
347
|
serviceAccountName: speaker
|
258
|
-
terminationGracePeriodSeconds:
|
348
|
+
terminationGracePeriodSeconds: 2
|
259
349
|
tolerations:
|
260
350
|
- effect: NoSchedule
|
261
351
|
key: node-role.kubernetes.io/master
|
@@ -287,8 +377,8 @@ spec:
|
|
287
377
|
- args:
|
288
378
|
- --port=7472
|
289
379
|
- --config=config
|
290
|
-
image: metallb/controller:v0.
|
291
|
-
imagePullPolicy:
|
380
|
+
image: metallb/controller:v0.9.4
|
381
|
+
imagePullPolicy: Always
|
292
382
|
name: controller
|
293
383
|
ports:
|
294
384
|
- containerPort: 7472
|
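Review bot: The new `image: metallb/speaker:v0.9.4` and `image: metallb/controller:v0.9.4` lines reference a mutable tag together with `imagePullPolicy: Always`, so every pod start pulls whatever the registry currently serves under that tag. This matters most for the speaker, because the second PodSecurityPolicy in this file (apparently the speaker's) keeps `privileged: true` and `hostNetwork: true` as context lines. Pinning by digest, `image: metallb/speaker:v0.9.4@sha256:<digest-placeholder>` and likewise for the controller, keeps the deployed image fixed; the digests are not on this page and have to be taken from the registry. Separately, the nodeSelector hunk moves from `kubernetes.io/os` back to the deprecated `beta.kubernetes.io/os` label, which deserves at least a comment explaining why.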
data/lib/porkadot/version.rb
CHANGED
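--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: porkadot
 version: !ruby/object:Gem::Version
-version: 0.18.
+version: 0.18.1
 platform: ruby
 authors:
 - OTSUKA, Yuanying
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-10-
+date: 2020-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: thor
@@ -151,6 +151,7 @@ files:
 - lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/kubelet-rubber-stamp.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/kubelet.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/metallb.secrets.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/metallb.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/pod-checkpointer.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/porkadot.yaml.erb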