porkadot 0.2.0 → 0.19.0

data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb

@@ -62,7 +62,7 @@ rules:
   verbs: ["get", "watch", "list"]
 - apiGroups: [""] # "" indicates the core API group
   resources: ["secrets", "configmaps"]
-  verbs: ["get"]
+  verbs: ["get", "watch", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

data/lib/porkadot/assets/kubernetes/manifests/kubelet-rubber-stamp.yaml.erb

@@ -24,7 +24,7 @@ spec:
         - name: kubelet-rubber-stamp
           # image: quay.io/kontena/kubelet-rubber-stamp-amd64:0.2
           # Use following image until issue is fixed
-          image: yuanying/kubelet-rubber-stamp:0.2.0.y01
+          image: yuanying/kubelet-rubber-stamp:0.3.0.y01
           args:
             - "--v=2"
           imagePullPolicy: Always
@@ -51,17 +51,26 @@ roleRef:
   name: kubelet-rubber-stamp
   apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: kubelet-rubber-stamp
 rules:
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - signers
+  # legacy-unknown: support before kubernetes-1.18.0
+  resourceNames:
+  - "kubernetes.io/legacy-unknown"
+  - "kubernetes.io/kubelet-serving"
+  verbs:
+  - approve
 - apiGroups:
   - certificates.k8s.io
   resources:
   - certificatesigningrequests
   verbs:
-  - delete
   - get
   - list
   - watch

data/lib/porkadot/assets/kubernetes/manifests/metallb.secrets.yaml.erb

@@ -0,0 +1,13 @@
+<% require 'securerandom' -%>
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+stringData:
+  secretkey: <%= SecureRandom.base64(128) %>
+kind: Secret
+metadata:
+  name: memberlist
+  namespace: metallb-system
+  labels:
+    app: metallb
+type: Opaque

data/lib/porkadot/assets/kubernetes/manifests/metallb.yaml.erb

@@ -8,6 +8,48 @@ metadata:
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []
+  allowedHostPaths: []
+  defaultAddCapabilities: []
+  defaultAllowPrivilegeEscalation: false
+  fsGroup:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  hostIPC: false
+  hostNetwork: false
+  hostPID: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+  - ALL
+  runAsUser:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  volumes:
+  - configMap
+  - secret
+  - emptyDir
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
 metadata:
   labels:
     app: metallb
@@ -19,13 +61,21 @@ spec:
   - NET_ADMIN
   - NET_RAW
   - SYS_ADMIN
+  allowedHostPaths: []
+  defaultAddCapabilities: []
+  defaultAllowPrivilegeEscalation: false
   fsGroup:
     rule: RunAsAny
+  hostIPC: false
   hostNetwork: true
+  hostPID: false
   hostPorts:
   - max: 7472
     min: 7472
   privileged: true
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+  - ALL
   runAsUser:
     rule: RunAsAny
   seLinux:
@@ -33,7 +83,9 @@ spec:
   supplementalGroups:
     rule: RunAsAny
   volumes:
-  - '*'
+  - configMap
+  - secret
+  - emptyDir
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -80,6 +132,14 @@ rules:
   verbs:
   - create
   - patch
+- apiGroups:
+  - policy
+  resourceNames:
+  - controller
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -106,7 +166,7 @@ rules:
   - create
   - patch
 - apiGroups:
-  - extensions
+  - policy
   resourceNames:
   - speaker
   resources:
@@ -132,6 +192,21 @@ rules:
   - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
@@ -178,6 +253,21 @@ subjects:
 - kind: ServiceAccount
   name: speaker
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-lister
+subjects:
+- kind: ServiceAccount
+  name: speaker
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -200,24 +290,6 @@ spec:
         app: metallb
         component: speaker
     spec:
-      initContainers:
-      - command:
-        - "iptables"
-        - "-P"
-        - "FORWARD"
-        - "ACCEPT"
-        image: <%= k8s.image_repository %>/hyperkube:<%= k8s.kubernetes_version %>
-        imagePullPolicy: IfNotPresent
-        name: default-iptables
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            add:
-            - NET_ADMIN
-            - NET_RAW
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
       containers:
       - args:
         - --port=7472
@@ -231,8 +303,26 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: status.hostIP
-        image: metallb/speaker:v0.8.2
-        imagePullPolicy: IfNotPresent
+        - name: METALLB_ML_BIND_ADDR
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        # needed when another software is also using memberlist / port 7946
+        #- name: METALLB_ML_BIND_PORT
+        #  value: "7946"
+        - name: METALLB_ML_LABELS
+          value: "app=metallb,component=speaker"
+        - name: METALLB_ML_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: METALLB_ML_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: memberlist
+              key: secretkey
+        image: metallb/speaker:v0.9.4
+        imagePullPolicy: Always
         name: speaker
         ports:
         - containerPort: 7472
@@ -255,7 +345,7 @@ spec:
       nodeSelector:
         beta.kubernetes.io/os: linux
       serviceAccountName: speaker
-      terminationGracePeriodSeconds: 0
+      terminationGracePeriodSeconds: 2
       tolerations:
       - effect: NoSchedule
         key: node-role.kubernetes.io/master
@@ -287,8 +377,8 @@ spec:
       - args:
         - --port=7472
         - --config=config
-        image: metallb/controller:v0.8.2
-        imagePullPolicy: IfNotPresent
+        image: metallb/controller:v0.9.5
+        imagePullPolicy: Always
         name: controller
         ports:
         - containerPort: 7472
@@ -304,7 +394,7 @@ spec:
             - all
           readOnlyRootFilesystem: true
       nodeSelector:
-        beta.kubernetes.io/os: linux
+        kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
         runAsUser: 65534

data/lib/porkadot/assets/kubernetes/manifests/porkadot.yaml.erb

@@ -36,7 +36,6 @@ spec:
     <%= k.to_s %>: <%= v %>
     <%- end -%>
   <%- _, port = global_config.k8s.control_plane_endpoint_host_and_port -%>
-  loadBalancerIP: <%= host %>
   ports:
   - name: https
     port: <%= port %>
@@ -67,3 +66,26 @@ data:
     - context:
         cluster: local
         user: service-account
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubeconfig-in-cluster-latest
+  namespace: kube-system
+data:
+  kubeconfig: |
+    apiVersion: v1
+    clusters:
+    - name: local
+      cluster:
+        server: https://porkadot-kubernetes-latest:<%= port %>
+        certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+    users:
+    - name: service-account
+      user:
+        # Use service account token
+        tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    contexts:
+    - context:
+        cluster: local
+        user: service-account

data/lib/porkadot/assets/kubernetes/manifests/storage-version-migrator.yaml.erb

@@ -0,0 +1,354 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes/enhancements/pull/747
+  name: storagestates.migration.k8s.io
+spec:
+  group: migration.k8s.io
+  names:
+    kind: StorageState
+    listKind: StorageStateList
+    plural: storagestates
+    singular: storagestate
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: The state of the storage of a specific resource.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            properties:
+              name:
+                description: name must be "<.spec.resource.resouce>.<.spec.resource.group>".
+                type: string
+            type: object
+          spec:
+            description: Specification of the storage state.
+            properties:
+              resource:
+                description: The resource this storageState is about.
+                properties:
+                  group:
+                    description: The name of the group.
+                    type: string
+                  resource:
+                    description: The name of the resource.
+                    type: string
+                type: object
+            type: object
+          status:
+            description: Status of the storage state.
+            properties:
+              currentStorageVersionHash:
+                description: The hash value of the current storage version, as shown
+                  in the discovery document served by the API server. Storage Version
+                  is the version to which objects are converted to before persisted.
+                type: string
+              lastHeartbeatTime:
+                description: LastHeartbeatTime is the last time the storage migration
+                  triggering controller checks the storage version hash of this resource
+                  in the discovery document and updates this field.
+                format: date-time
+                type: string
+              persistedStorageVersionHashes:
+                description: The hash values of storage versions that persisted instances
+                  of spec.resource might still be encoded in. "Unknown" is a valid
+                  value in the list, and is the default value. It is not safe to upgrade
+                  or downgrade to an apiserver binary that does not support all versions
+                  listed in this field, or if "Unknown" is listed. Once the storage
+                  version migration for this resource has completed, the value of
+                  this field is refined to only contain the currentStorageVersionHash.
+                  Once the apiserver has changed the storage version, the new storage
+                  version is appended to the list.
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes/community/pull/2524
+  name: storageversionmigrations.migration.k8s.io
+spec:
+  group: migration.k8s.io
+  names:
+    kind: StorageVersionMigration
+    listKind: StorageVersionMigrationList
+    plural: storageversionmigrations
+    singular: storageversionmigration
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: StorageVersionMigration represents a migration of stored data
+          to the latest storage version.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of the migration.
+            properties:
+              continueToken:
+                description: The token used in the list options to get the next chunk
+                  of objects to migrate. When the .status.conditions indicates the
+                  migration is "Running", users can use this token to check the progress
+                  of the migration.
+                type: string
+              resource:
+                description: The resource that is being migrated. The migrator sends
+                  requests to the endpoint serving the resource. Immutable.
+                properties:
+                  group:
+                    description: The name of the group.
+                    type: string
+                  resource:
+                    description: The name of the resource.
+                    type: string
+                  version:
+                    description: The name of the version.
+                    type: string
+                type: object
+            required:
+            - resource
+            type: object
+          status:
+            description: Status of the migration.
+            properties:
+              conditions:
+                description: The latest available observations of the migration's
+                  current state.
+                items:
+                  description: Describes the state of a migration at a certain point.
+                  properties:
+                    lastUpdateTime:
+                      description: The last time this condition was updated.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of the condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: storage-version-migration-crd-creator
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - delete
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: storage-version-migration-initializer
+rules:
+- apiGroups:
+  - migration.k8s.io
+  resources:
+  - storageversionmigrations
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: storage-version-migration-trigger
+rules:
+- apiGroups:
+  - migration.k8s.io
+  resources:
+  - storagestates
+  verbs:
+  - watch
+  - get
+  - list
+  - delete
+  - create
+  - update
+- apiGroups:
+  - migration.k8s.io
+  resources:
+  - storageversionmigrations
+  verbs:
+  - watch
+  - get
+  - list
+  - delete
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: storage-version-migration-crd-creator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: storage-version-migration-crd-creator
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: storage-version-migration-initializer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: storage-version-migration-initializer
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: storage-version-migration-migrator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: storage-version-migration-trigger
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: storage-version-migration-trigger
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: migrator
+  name: migrator
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: migrator
+  template:
+    metadata:
+      labels:
+        app: migrator
+    spec:
+      containers:
+      - command:
+        - /migrator
+        - --v=2
+        - --alsologtostderr
+        - --kube-api-qps=40
+        - --kube-api-burst=1000
+        image: asia.gcr.io/k8s-artifacts-prod/storage-migrator/storage-version-migration-migrator:v0.0.3
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 2112
+            scheme: HTTP
+          initialDelaySeconds: 10
+          timeoutSeconds: 60
+        name: migrator
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: trigger
+  name: trigger
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: trigger
+  template:
+    metadata:
+      labels:
+        app: trigger
+    spec:
+      containers:
+      - image: asia.gcr.io/k8s-artifacts-prod/storage-migrator/storage-version-migration-trigger:v0.0.3
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 2113
+            scheme: HTTP
+          initialDelaySeconds: 10
+          timeoutSeconds: 60
+        name: trigger