porkadot 0.22.2 → 0.25.0
- checksums.yaml +4 -4
- data/hack/metallb/crds/kustomization.yaml +5 -0
- data/hack/metallb/exclude-l2-config.yaml +8 -0
- data/hack/metallb/kustomization.yaml +10 -0
- data/hack/update-kubelet-cert-approver.sh +6 -0
- data/hack/update-metallb.sh +7 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb +1 -1
- data/lib/porkadot/assets/etcd/etcd-server.yaml.erb +17 -9
- data/lib/porkadot/assets/etcd/etcd.env.erb +4 -0
- data/lib/porkadot/assets/etcd/install.sh.erb +1 -0
- data/lib/porkadot/assets/etcd.rb +1 -0
- data/lib/porkadot/assets/kubelet/config.yaml.erb +1 -39
- data/lib/porkadot/assets/kubelet/initiatorname.iscsi.erb +1 -0
- data/lib/porkadot/assets/kubelet/kubelet.service.erb +2 -6
- data/lib/porkadot/assets/kubelet/metadata.json.erb +5 -0
- data/lib/porkadot/assets/{kubelet → kubelet-default}/install-deps.sh.erb +3 -1
- data/lib/porkadot/assets/{kubelet → kubelet-default}/install-pkgs.sh.erb +1 -3
- data/lib/porkadot/assets/kubelet-default/install.sh.erb +22 -7
- data/lib/porkadot/assets/kubelet-default/setup-containerd.sh.erb +22 -0
- data/lib/porkadot/assets/kubelet-default/setup-node.sh.erb +16 -0
- data/lib/porkadot/assets/kubelet.rb +14 -12
- data/lib/porkadot/assets/kubernetes/install.sh.erb +3 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/coredns.yaml.erb +1 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/dns-horizontal-autoscaler.yaml.erb +1 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/flannel/flannel.yaml.erb +12 -51
- data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/kustomization.yaml.erb +3 -0
- data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb +210 -0
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb +3 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/crds.yaml +1272 -0
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/kustomization.yaml.erb +2 -0
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.config.yaml.erb +1 -12
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml.erb +520 -228
- data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb +4 -1
- data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb +3 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb +3 -1
- data/lib/porkadot/assets/kubernetes.rb +22 -3
- data/lib/porkadot/cmd/cli.rb +11 -0
- data/lib/porkadot/cmd/etcd.rb +68 -0
- data/lib/porkadot/config.rb +1 -1
- data/lib/porkadot/configs/addons.rb +4 -0
- data/lib/porkadot/configs/certs.rb +3 -0
- data/lib/porkadot/configs/etcd.rb +44 -2
- data/lib/porkadot/configs/kubelet.rb +25 -7
- data/lib/porkadot/const.rb +3 -0
- data/lib/porkadot/default.yaml +17 -15
- data/lib/porkadot/install/bootstrap.rb +1 -1
- data/lib/porkadot/install/kubelet.rb +123 -27
- data/lib/porkadot/version.rb +1 -1
- data/lib/porkadot.rb +2 -0
- data/porkadot.gemspec +1 -0
- metadata +33 -8
- data/lib/porkadot/assets/kubelet/install.sh.erb +0 -35
- data/lib/porkadot/assets/kubelet/setup-containerd.sh.erb +0 -17
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.secrets.yaml.erb +0 -13
@@ -1,99 +1,189 @@
|
|
1
|
-
apiVersion:
|
2
|
-
kind:
|
1
|
+
apiVersion: v1
|
2
|
+
kind: ServiceAccount
|
3
3
|
metadata:
|
4
4
|
labels:
|
5
5
|
app: metallb
|
6
6
|
name: controller
|
7
7
|
namespace: metallb-system
|
8
|
-
spec:
|
9
|
-
allowPrivilegeEscalation: false
|
10
|
-
allowedCapabilities: []
|
11
|
-
allowedHostPaths: []
|
12
|
-
defaultAddCapabilities: []
|
13
|
-
defaultAllowPrivilegeEscalation: false
|
14
|
-
fsGroup:
|
15
|
-
ranges:
|
16
|
-
- max: 65535
|
17
|
-
min: 1
|
18
|
-
rule: MustRunAs
|
19
|
-
hostIPC: false
|
20
|
-
hostNetwork: false
|
21
|
-
hostPID: false
|
22
|
-
privileged: false
|
23
|
-
readOnlyRootFilesystem: true
|
24
|
-
requiredDropCapabilities:
|
25
|
-
- ALL
|
26
|
-
runAsUser:
|
27
|
-
ranges:
|
28
|
-
- max: 65535
|
29
|
-
min: 1
|
30
|
-
rule: MustRunAs
|
31
|
-
seLinux:
|
32
|
-
rule: RunAsAny
|
33
|
-
supplementalGroups:
|
34
|
-
ranges:
|
35
|
-
- max: 65535
|
36
|
-
min: 1
|
37
|
-
rule: MustRunAs
|
38
|
-
volumes:
|
39
|
-
- configMap
|
40
|
-
- secret
|
41
|
-
- emptyDir
|
42
8
|
---
|
43
|
-
apiVersion:
|
44
|
-
kind:
|
9
|
+
apiVersion: v1
|
10
|
+
kind: ServiceAccount
|
45
11
|
metadata:
|
46
12
|
labels:
|
47
13
|
app: metallb
|
48
14
|
name: speaker
|
49
15
|
namespace: metallb-system
|
50
|
-
spec:
|
51
|
-
allowPrivilegeEscalation: false
|
52
|
-
allowedCapabilities:
|
53
|
-
- NET_RAW
|
54
|
-
allowedHostPaths: []
|
55
|
-
defaultAddCapabilities: []
|
56
|
-
defaultAllowPrivilegeEscalation: false
|
57
|
-
fsGroup:
|
58
|
-
rule: RunAsAny
|
59
|
-
hostIPC: false
|
60
|
-
hostNetwork: true
|
61
|
-
hostPID: false
|
62
|
-
hostPorts:
|
63
|
-
- max: 7472
|
64
|
-
min: 7472
|
65
|
-
- max: 7946
|
66
|
-
min: 7946
|
67
|
-
privileged: true
|
68
|
-
readOnlyRootFilesystem: true
|
69
|
-
requiredDropCapabilities:
|
70
|
-
- ALL
|
71
|
-
runAsUser:
|
72
|
-
rule: RunAsAny
|
73
|
-
seLinux:
|
74
|
-
rule: RunAsAny
|
75
|
-
supplementalGroups:
|
76
|
-
rule: RunAsAny
|
77
|
-
volumes:
|
78
|
-
- configMap
|
79
|
-
- secret
|
80
|
-
- emptyDir
|
81
16
|
---
|
82
|
-
apiVersion: v1
|
83
|
-
kind:
|
17
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
18
|
+
kind: Role
|
84
19
|
metadata:
|
85
20
|
labels:
|
86
21
|
app: metallb
|
87
22
|
name: controller
|
88
23
|
namespace: metallb-system
|
24
|
+
rules:
|
25
|
+
- apiGroups:
|
26
|
+
- ""
|
27
|
+
resources:
|
28
|
+
- secrets
|
29
|
+
verbs:
|
30
|
+
- create
|
31
|
+
- delete
|
32
|
+
- get
|
33
|
+
- list
|
34
|
+
- patch
|
35
|
+
- update
|
36
|
+
- watch
|
37
|
+
- apiGroups:
|
38
|
+
- ""
|
39
|
+
resourceNames:
|
40
|
+
- memberlist
|
41
|
+
resources:
|
42
|
+
- secrets
|
43
|
+
verbs:
|
44
|
+
- list
|
45
|
+
- apiGroups:
|
46
|
+
- apps
|
47
|
+
resourceNames:
|
48
|
+
- controller
|
49
|
+
resources:
|
50
|
+
- deployments
|
51
|
+
verbs:
|
52
|
+
- get
|
53
|
+
- apiGroups:
|
54
|
+
- metallb.io
|
55
|
+
resources:
|
56
|
+
- bgppeers
|
57
|
+
verbs:
|
58
|
+
- get
|
59
|
+
- list
|
60
|
+
- apiGroups:
|
61
|
+
- metallb.io
|
62
|
+
resources:
|
63
|
+
- addresspools
|
64
|
+
verbs:
|
65
|
+
- get
|
66
|
+
- list
|
67
|
+
- watch
|
68
|
+
- apiGroups:
|
69
|
+
- metallb.io
|
70
|
+
resources:
|
71
|
+
- bfdprofiles
|
72
|
+
verbs:
|
73
|
+
- get
|
74
|
+
- list
|
75
|
+
- watch
|
76
|
+
- apiGroups:
|
77
|
+
- metallb.io
|
78
|
+
resources:
|
79
|
+
- ipaddresspools
|
80
|
+
verbs:
|
81
|
+
- get
|
82
|
+
- list
|
83
|
+
- watch
|
84
|
+
- apiGroups:
|
85
|
+
- metallb.io
|
86
|
+
resources:
|
87
|
+
- bgpadvertisements
|
88
|
+
verbs:
|
89
|
+
- get
|
90
|
+
- list
|
91
|
+
- watch
|
92
|
+
- apiGroups:
|
93
|
+
- metallb.io
|
94
|
+
resources:
|
95
|
+
- l2advertisements
|
96
|
+
verbs:
|
97
|
+
- get
|
98
|
+
- list
|
99
|
+
- watch
|
100
|
+
- apiGroups:
|
101
|
+
- metallb.io
|
102
|
+
resources:
|
103
|
+
- communities
|
104
|
+
verbs:
|
105
|
+
- get
|
106
|
+
- list
|
107
|
+
- watch
|
89
108
|
---
|
90
|
-
apiVersion: v1
|
91
|
-
kind:
|
109
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
110
|
+
kind: Role
|
92
111
|
metadata:
|
93
112
|
labels:
|
94
113
|
app: metallb
|
95
|
-
name:
|
114
|
+
name: pod-lister
|
96
115
|
namespace: metallb-system
|
116
|
+
rules:
|
117
|
+
- apiGroups:
|
118
|
+
- ""
|
119
|
+
resources:
|
120
|
+
- pods
|
121
|
+
verbs:
|
122
|
+
- list
|
123
|
+
- apiGroups:
|
124
|
+
- ""
|
125
|
+
resources:
|
126
|
+
- secrets
|
127
|
+
verbs:
|
128
|
+
- get
|
129
|
+
- list
|
130
|
+
- watch
|
131
|
+
- apiGroups:
|
132
|
+
- metallb.io
|
133
|
+
resources:
|
134
|
+
- addresspools
|
135
|
+
verbs:
|
136
|
+
- get
|
137
|
+
- list
|
138
|
+
- watch
|
139
|
+
- apiGroups:
|
140
|
+
- metallb.io
|
141
|
+
resources:
|
142
|
+
- bfdprofiles
|
143
|
+
verbs:
|
144
|
+
- get
|
145
|
+
- list
|
146
|
+
- watch
|
147
|
+
- apiGroups:
|
148
|
+
- metallb.io
|
149
|
+
resources:
|
150
|
+
- bgppeers
|
151
|
+
verbs:
|
152
|
+
- get
|
153
|
+
- list
|
154
|
+
- watch
|
155
|
+
- apiGroups:
|
156
|
+
- metallb.io
|
157
|
+
resources:
|
158
|
+
- l2advertisements
|
159
|
+
verbs:
|
160
|
+
- get
|
161
|
+
- list
|
162
|
+
- watch
|
163
|
+
- apiGroups:
|
164
|
+
- metallb.io
|
165
|
+
resources:
|
166
|
+
- bgpadvertisements
|
167
|
+
verbs:
|
168
|
+
- get
|
169
|
+
- list
|
170
|
+
- watch
|
171
|
+
- apiGroups:
|
172
|
+
- metallb.io
|
173
|
+
resources:
|
174
|
+
- ipaddresspools
|
175
|
+
verbs:
|
176
|
+
- get
|
177
|
+
- list
|
178
|
+
- watch
|
179
|
+
- apiGroups:
|
180
|
+
- metallb.io
|
181
|
+
resources:
|
182
|
+
- communities
|
183
|
+
verbs:
|
184
|
+
- get
|
185
|
+
- list
|
186
|
+
- watch
|
97
187
|
---
|
98
188
|
apiVersion: rbac.authorization.k8s.io/v1
|
99
189
|
kind: ClusterRole
|
@@ -103,21 +193,22 @@ metadata:
|
|
103
193
|
name: metallb-system:controller
|
104
194
|
rules:
|
105
195
|
- apiGroups:
|
106
|
-
-
|
196
|
+
- ""
|
107
197
|
resources:
|
108
198
|
- services
|
199
|
+
- namespaces
|
109
200
|
verbs:
|
110
201
|
- get
|
111
202
|
- list
|
112
203
|
- watch
|
113
204
|
- apiGroups:
|
114
|
-
-
|
205
|
+
- ""
|
115
206
|
resources:
|
116
207
|
- services/status
|
117
208
|
verbs:
|
118
209
|
- update
|
119
210
|
- apiGroups:
|
120
|
-
-
|
211
|
+
- ""
|
121
212
|
resources:
|
122
213
|
- events
|
123
214
|
verbs:
|
@@ -131,6 +222,56 @@ rules:
|
|
131
222
|
- podsecuritypolicies
|
132
223
|
verbs:
|
133
224
|
- use
|
225
|
+
- apiGroups:
|
226
|
+
- admissionregistration.k8s.io
|
227
|
+
resourceNames:
|
228
|
+
- metallb-webhook-configuration
|
229
|
+
resources:
|
230
|
+
- validatingwebhookconfigurations
|
231
|
+
- mutatingwebhookconfigurations
|
232
|
+
verbs:
|
233
|
+
- create
|
234
|
+
- delete
|
235
|
+
- get
|
236
|
+
- list
|
237
|
+
- patch
|
238
|
+
- update
|
239
|
+
- watch
|
240
|
+
- apiGroups:
|
241
|
+
- admissionregistration.k8s.io
|
242
|
+
resources:
|
243
|
+
- validatingwebhookconfigurations
|
244
|
+
- mutatingwebhookconfigurations
|
245
|
+
verbs:
|
246
|
+
- list
|
247
|
+
- watch
|
248
|
+
- apiGroups:
|
249
|
+
- apiextensions.k8s.io
|
250
|
+
resourceNames:
|
251
|
+
- addresspools.metallb.io
|
252
|
+
- bfdprofiles.metallb.io
|
253
|
+
- bgpadvertisements.metallb.io
|
254
|
+
- bgppeers.metallb.io
|
255
|
+
- ipaddresspools.metallb.io
|
256
|
+
- l2advertisements.metallb.io
|
257
|
+
- communities.metallb.io
|
258
|
+
resources:
|
259
|
+
- customresourcedefinitions
|
260
|
+
verbs:
|
261
|
+
- create
|
262
|
+
- delete
|
263
|
+
- get
|
264
|
+
- list
|
265
|
+
- patch
|
266
|
+
- update
|
267
|
+
- watch
|
268
|
+
- apiGroups:
|
269
|
+
- apiextensions.k8s.io
|
270
|
+
resources:
|
271
|
+
- customresourcedefinitions
|
272
|
+
verbs:
|
273
|
+
- list
|
274
|
+
- watch
|
134
275
|
---
|
135
276
|
apiVersion: rbac.authorization.k8s.io/v1
|
136
277
|
kind: ClusterRole
|
@@ -140,16 +281,18 @@ metadata:
|
|
140
281
|
name: metallb-system:speaker
|
141
282
|
rules:
|
142
283
|
- apiGroups:
|
143
|
-
-
|
284
|
+
- ""
|
144
285
|
resources:
|
145
286
|
- services
|
146
287
|
- endpoints
|
147
288
|
- nodes
|
289
|
+
- namespaces
|
148
290
|
verbs:
|
149
291
|
- get
|
150
292
|
- list
|
151
293
|
- watch
|
152
|
-
- apiGroups:
|
294
|
+
- apiGroups:
|
295
|
+
- discovery.k8s.io
|
153
296
|
resources:
|
154
297
|
- endpointslices
|
155
298
|
verbs:
|
@@ -157,7 +300,7 @@ rules:
|
|
157
300
|
- list
|
158
301
|
- watch
|
159
302
|
- apiGroups:
|
160
|
-
-
|
303
|
+
- ""
|
161
304
|
resources:
|
162
305
|
- events
|
163
306
|
verbs:
|
@@ -173,67 +316,36 @@ rules:
|
|
173
316
|
- use
|
174
317
|
---
|
175
318
|
apiVersion: rbac.authorization.k8s.io/v1
|
176
|
-
kind:
|
319
|
+
kind: RoleBinding
|
177
320
|
metadata:
|
178
321
|
labels:
|
179
322
|
app: metallb
|
180
|
-
name:
|
323
|
+
name: controller
|
324
|
+
namespace: metallb-system
|
325
|
+
roleRef:
|
326
|
+
apiGroup: rbac.authorization.k8s.io
|
327
|
+
kind: Role
|
328
|
+
name: controller
|
329
|
+
subjects:
|
330
|
+
- kind: ServiceAccount
|
331
|
+
name: controller
|
181
332
|
namespace: metallb-system
|
182
|
-
rules:
|
183
|
-
- apiGroups:
|
184
|
-
- ''
|
185
|
-
resources:
|
186
|
-
- configmaps
|
187
|
-
verbs:
|
188
|
-
- get
|
189
|
-
- list
|
190
|
-
- watch
|
191
333
|
---
|
192
334
|
apiVersion: rbac.authorization.k8s.io/v1
|
193
|
-
kind:
|
335
|
+
kind: RoleBinding
|
194
336
|
metadata:
|
195
337
|
labels:
|
196
338
|
app: metallb
|
197
339
|
name: pod-lister
|
198
340
|
namespace: metallb-system
|
199
|
-
|
200
|
-
|
201
|
-
|
202
|
-
|
203
|
-
|
204
|
-
|
205
|
-
|
206
|
-
---
|
207
|
-
apiVersion: rbac.authorization.k8s.io/v1
|
208
|
-
kind: Role
|
209
|
-
metadata:
|
210
|
-
labels:
|
211
|
-
app: metallb
|
212
|
-
name: controller
|
341
|
+
roleRef:
|
342
|
+
apiGroup: rbac.authorization.k8s.io
|
343
|
+
kind: Role
|
344
|
+
name: pod-lister
|
345
|
+
subjects:
|
346
|
+
- kind: ServiceAccount
|
347
|
+
name: speaker
|
213
348
|
namespace: metallb-system
|
214
|
-
rules:
|
215
|
-
- apiGroups:
|
216
|
-
- ''
|
217
|
-
resources:
|
218
|
-
- secrets
|
219
|
-
verbs:
|
220
|
-
- create
|
221
|
-
- apiGroups:
|
222
|
-
- ''
|
223
|
-
resources:
|
224
|
-
- secrets
|
225
|
-
resourceNames:
|
226
|
-
- memberlist
|
227
|
-
verbs:
|
228
|
-
- list
|
229
|
-
- apiGroups:
|
230
|
-
- apps
|
231
|
-
resources:
|
232
|
-
- deployments
|
233
|
-
resourceNames:
|
234
|
-
- controller
|
235
|
-
verbs:
|
236
|
-
- get
|
237
349
|
---
|
238
350
|
apiVersion: rbac.authorization.k8s.io/v1
|
239
351
|
kind: ClusterRoleBinding
|
@@ -265,52 +377,114 @@ subjects:
|
|
265
377
|
name: speaker
|
266
378
|
namespace: metallb-system
|
267
379
|
---
|
268
|
-
apiVersion:
|
269
|
-
|
380
|
+
apiVersion: v1
|
381
|
+
data:
|
382
|
+
excludel2.yaml: |
|
383
|
+
announcedInterfacesToExclude: ["docker.*", "cbr.*", "dummy.*", "virbr.*", "lxcbr.*", "veth.*", "lo", "^cali.*", "^tunl.*", "flannel.*", "kube-ipvs.*", "cni.*", "^nodelocaldns.*"]
|
384
|
+
kind: ConfigMap
|
270
385
|
metadata:
|
271
|
-
|
272
|
-
app: metallb
|
273
|
-
name: config-watcher
|
386
|
+
name: metallb-excludel2
|
274
387
|
namespace: metallb-system
|
275
|
-
roleRef:
|
276
|
-
apiGroup: rbac.authorization.k8s.io
|
277
|
-
kind: Role
|
278
|
-
name: config-watcher
|
279
|
-
subjects:
|
280
|
-
- kind: ServiceAccount
|
281
|
-
name: controller
|
282
|
-
- kind: ServiceAccount
|
283
|
-
name: speaker
|
284
388
|
---
|
285
|
-
apiVersion:
|
286
|
-
kind:
|
389
|
+
apiVersion: v1
|
390
|
+
kind: Secret
|
287
391
|
metadata:
|
288
|
-
|
289
|
-
app: metallb
|
290
|
-
name: pod-lister
|
392
|
+
name: webhook-server-cert
|
291
393
|
namespace: metallb-system
|
292
|
-
roleRef:
|
293
|
-
apiGroup: rbac.authorization.k8s.io
|
294
|
-
kind: Role
|
295
|
-
name: pod-lister
|
296
|
-
subjects:
|
297
|
-
- kind: ServiceAccount
|
298
|
-
name: speaker
|
299
394
|
---
|
300
|
-
apiVersion:
|
301
|
-
kind:
|
395
|
+
apiVersion: v1
|
396
|
+
kind: Service
|
397
|
+
metadata:
|
398
|
+
name: webhook-service
|
399
|
+
namespace: metallb-system
|
400
|
+
spec:
|
401
|
+
ports:
|
402
|
+
- port: 443
|
403
|
+
targetPort: 9443
|
404
|
+
selector:
|
405
|
+
component: controller
|
406
|
+
---
|
407
|
+
apiVersion: apps/v1
|
408
|
+
kind: Deployment
|
302
409
|
metadata:
|
303
410
|
labels:
|
304
411
|
app: metallb
|
412
|
+
component: controller
|
305
413
|
name: controller
|
306
414
|
namespace: metallb-system
|
307
|
-
|
308
|
-
|
309
|
-
|
310
|
-
|
311
|
-
|
312
|
-
|
313
|
-
|
415
|
+
spec:
|
416
|
+
revisionHistoryLimit: 3
|
417
|
+
selector:
|
418
|
+
matchLabels:
|
419
|
+
app: metallb
|
420
|
+
component: controller
|
421
|
+
template:
|
422
|
+
metadata:
|
423
|
+
annotations:
|
424
|
+
prometheus.io/port: "7472"
|
425
|
+
prometheus.io/scrape: "true"
|
426
|
+
labels:
|
427
|
+
app: metallb
|
428
|
+
component: controller
|
429
|
+
spec:
|
430
|
+
containers:
|
431
|
+
- args:
|
432
|
+
- --port=7472
|
433
|
+
- --log-level=info
|
434
|
+
env:
|
435
|
+
- name: METALLB_ML_SECRET_NAME
|
436
|
+
value: memberlist
|
437
|
+
- name: METALLB_DEPLOYMENT
|
438
|
+
value: controller
|
439
|
+
image: quay.io/metallb/controller:v0.13.9
|
440
|
+
livenessProbe:
|
441
|
+
failureThreshold: 3
|
442
|
+
httpGet:
|
443
|
+
path: /metrics
|
444
|
+
port: monitoring
|
445
|
+
initialDelaySeconds: 10
|
446
|
+
periodSeconds: 10
|
447
|
+
successThreshold: 1
|
448
|
+
timeoutSeconds: 1
|
449
|
+
name: controller
|
450
|
+
ports:
|
451
|
+
- containerPort: 7472
|
452
|
+
name: monitoring
|
453
|
+
- containerPort: 9443
|
454
|
+
name: webhook-server
|
455
|
+
protocol: TCP
|
456
|
+
readinessProbe:
|
457
|
+
failureThreshold: 3
|
458
|
+
httpGet:
|
459
|
+
path: /metrics
|
460
|
+
port: monitoring
|
461
|
+
initialDelaySeconds: 10
|
462
|
+
periodSeconds: 10
|
463
|
+
successThreshold: 1
|
464
|
+
timeoutSeconds: 1
|
465
|
+
securityContext:
|
466
|
+
allowPrivilegeEscalation: false
|
467
|
+
capabilities:
|
468
|
+
drop:
|
469
|
+
- all
|
470
|
+
readOnlyRootFilesystem: true
|
471
|
+
volumeMounts:
|
472
|
+
- mountPath: /tmp/k8s-webhook-server/serving-certs
|
473
|
+
name: cert
|
474
|
+
readOnly: true
|
475
|
+
nodeSelector:
|
476
|
+
kubernetes.io/os: linux
|
477
|
+
securityContext:
|
478
|
+
fsGroup: 65534
|
479
|
+
runAsNonRoot: true
|
480
|
+
runAsUser: 65534
|
481
|
+
serviceAccountName: controller
|
482
|
+
terminationGracePeriodSeconds: 0
|
483
|
+
volumes:
|
484
|
+
- name: cert
|
485
|
+
secret:
|
486
|
+
defaultMode: 420
|
487
|
+
secretName: webhook-server-cert
|
314
488
|
---
|
315
489
|
apiVersion: apps/v1
|
316
490
|
kind: DaemonSet
|
@@ -328,8 +502,8 @@ spec:
|
|
328
502
|
template:
|
329
503
|
metadata:
|
330
504
|
annotations:
|
331
|
-
prometheus.io/port:
|
332
|
-
prometheus.io/scrape:
|
505
|
+
prometheus.io/port: "7472"
|
506
|
+
prometheus.io/scrape: "true"
|
333
507
|
labels:
|
334
508
|
app: metallb
|
335
509
|
component: speaker
|
@@ -337,7 +511,7 @@ spec:
|
|
337
511
|
containers:
|
338
512
|
- args:
|
339
513
|
- --port=7472
|
340
|
-
- --
|
514
|
+
- --log-level=info
|
341
515
|
env:
|
342
516
|
- name: METALLB_NODE_NAME
|
343
517
|
valueFrom:
|
@@ -351,19 +525,20 @@ spec:
|
|
351
525
|
valueFrom:
|
352
526
|
fieldRef:
|
353
527
|
fieldPath: status.podIP
|
354
|
-
# needed when another software is also using memberlist / port 7946
|
355
|
-
# when changing this default you also need to update the container ports definition
|
356
|
-
# and the PodSecurityPolicy hostPorts definition
|
357
|
-
#- name: METALLB_ML_BIND_PORT
|
358
|
-
# value: "7946"
|
359
528
|
- name: METALLB_ML_LABELS
|
360
|
-
value:
|
361
|
-
- name:
|
362
|
-
|
363
|
-
|
364
|
-
|
365
|
-
|
366
|
-
|
529
|
+
value: app=metallb,component=speaker
|
530
|
+
- name: METALLB_ML_SECRET_KEY_PATH
|
531
|
+
value: /etc/ml_secret_key
|
532
|
+
image: quay.io/metallb/speaker:v0.13.9
|
533
|
+
livenessProbe:
|
534
|
+
failureThreshold: 3
|
535
|
+
httpGet:
|
536
|
+
path: /metrics
|
537
|
+
port: monitoring
|
538
|
+
initialDelaySeconds: 10
|
539
|
+
periodSeconds: 10
|
540
|
+
successThreshold: 1
|
541
|
+
timeoutSeconds: 1
|
367
542
|
name: speaker
|
368
543
|
ports:
|
369
544
|
- containerPort: 7472
|
@@ -373,6 +548,15 @@ spec:
|
|
373
548
|
- containerPort: 7946
|
374
549
|
name: memberlist-udp
|
375
550
|
protocol: UDP
|
551
|
+
readinessProbe:
|
552
|
+
failureThreshold: 3
|
553
|
+
httpGet:
|
554
|
+
path: /metrics
|
555
|
+
port: monitoring
|
556
|
+
initialDelaySeconds: 10
|
557
|
+
periodSeconds: 10
|
558
|
+
successThreshold: 1
|
559
|
+
timeoutSeconds: 1
|
376
560
|
securityContext:
|
377
561
|
allowPrivilegeEscalation: false
|
378
562
|
capabilities:
|
@@ -381,6 +565,10 @@ spec:
|
|
381
565
|
drop:
|
382
566
|
- ALL
|
383
567
|
readOnlyRootFilesystem: true
|
568
|
+
volumeMounts:
|
569
|
+
- mountPath: /etc/ml_secret_key
|
570
|
+
name: memberlist
|
571
|
+
readOnly: true
|
384
572
|
hostNetwork: true
|
385
573
|
nodeSelector:
|
386
574
|
kubernetes.io/os: linux
|
@@ -390,54 +578,158 @@ spec:
|
|
390
578
|
- effect: NoSchedule
|
391
579
|
key: node-role.kubernetes.io/master
|
392
580
|
operator: Exists
|
581
|
+
- effect: NoSchedule
|
582
|
+
key: node-role.kubernetes.io/control-plane
|
583
|
+
operator: Exists
|
584
|
+
volumes:
|
585
|
+
- name: memberlist
|
586
|
+
secret:
|
587
|
+
defaultMode: 420
|
588
|
+
secretName: memberlist
|
393
589
|
---
|
394
|
-
apiVersion:
|
395
|
-
kind:
|
590
|
+
apiVersion: admissionregistration.k8s.io/v1
|
591
|
+
kind: ValidatingWebhookConfiguration
|
396
592
|
metadata:
|
397
|
-
|
398
|
-
|
399
|
-
|
400
|
-
|
401
|
-
|
402
|
-
|
403
|
-
|
404
|
-
|
405
|
-
|
406
|
-
|
407
|
-
|
408
|
-
|
409
|
-
|
410
|
-
|
411
|
-
|
412
|
-
|
413
|
-
|
414
|
-
|
415
|
-
|
416
|
-
|
417
|
-
|
418
|
-
|
419
|
-
|
420
|
-
|
421
|
-
|
422
|
-
|
423
|
-
|
424
|
-
|
425
|
-
|
426
|
-
|
427
|
-
|
428
|
-
|
429
|
-
|
430
|
-
|
431
|
-
|
432
|
-
|
433
|
-
|
434
|
-
|
435
|
-
|
436
|
-
|
437
|
-
|
438
|
-
|
439
|
-
|
440
|
-
|
441
|
-
|
442
|
-
|
443
|
-
|
593
|
+
creationTimestamp: null
|
594
|
+
name: metallb-webhook-configuration
|
595
|
+
webhooks:
|
596
|
+
- admissionReviewVersions:
|
597
|
+
- v1
|
598
|
+
clientConfig:
|
599
|
+
service:
|
600
|
+
name: webhook-service
|
601
|
+
namespace: metallb-system
|
602
|
+
path: /validate-metallb-io-v1beta2-bgppeer
|
603
|
+
failurePolicy: Fail
|
604
|
+
name: bgppeersvalidationwebhook.metallb.io
|
605
|
+
rules:
|
606
|
+
- apiGroups:
|
607
|
+
- metallb.io
|
608
|
+
apiVersions:
|
609
|
+
- v1beta2
|
610
|
+
operations:
|
611
|
+
- CREATE
|
612
|
+
- UPDATE
|
613
|
+
resources:
|
614
|
+
- bgppeers
|
615
|
+
sideEffects: None
|
616
|
+
- admissionReviewVersions:
|
617
|
+
- v1
|
618
|
+
clientConfig:
|
619
|
+
service:
|
620
|
+
name: webhook-service
|
621
|
+
namespace: metallb-system
|
622
|
+
path: /validate-metallb-io-v1beta1-addresspool
|
623
|
+
failurePolicy: Fail
|
624
|
+
name: addresspoolvalidationwebhook.metallb.io
|
625
|
+
rules:
|
626
|
+
- apiGroups:
|
627
|
+
- metallb.io
|
628
|
+
apiVersions:
|
629
|
+
- v1beta1
|
630
|
+
operations:
|
631
|
+
- CREATE
|
632
|
+
- UPDATE
|
633
|
+
resources:
|
634
|
+
- addresspools
|
635
|
+
sideEffects: None
|
636
|
+
- admissionReviewVersions:
|
637
|
+
- v1
|
638
|
+
clientConfig:
|
639
|
+
service:
|
640
|
+
name: webhook-service
|
641
|
+
namespace: metallb-system
|
642
|
+
path: /validate-metallb-io-v1beta1-bfdprofile
|
643
|
+
failurePolicy: Fail
|
644
|
+
name: bfdprofilevalidationwebhook.metallb.io
|
645
|
+
rules:
|
646
|
+
- apiGroups:
|
647
|
+
- metallb.io
|
648
|
+
apiVersions:
|
649
|
+
- v1beta1
|
650
|
+
operations:
|
651
|
+
- CREATE
|
652
|
+
- DELETE
|
653
|
+
resources:
|
654
|
+
- bfdprofiles
|
655
|
+
sideEffects: None
|
656
|
+
- admissionReviewVersions:
|
657
|
+
- v1
|
658
|
+
clientConfig:
|
659
|
+
service:
|
660
|
+
name: webhook-service
|
661
|
+
namespace: metallb-system
|
662
|
+
path: /validate-metallb-io-v1beta1-bgpadvertisement
|
663
|
+
failurePolicy: Fail
|
664
|
+
name: bgpadvertisementvalidationwebhook.metallb.io
|
665
|
+
rules:
|
666
|
+
- apiGroups:
|
667
|
+
- metallb.io
|
668
|
+
apiVersions:
|
669
|
+
- v1beta1
|
670
|
+
operations:
|
671
|
+
- CREATE
|
672
|
+
- UPDATE
|
673
|
+
resources:
|
674
|
+
- bgpadvertisements
|
675
|
+
sideEffects: None
|
676
|
+
- admissionReviewVersions:
|
677
|
+
- v1
|
678
|
+
clientConfig:
|
679
|
+
service:
|
680
|
+
name: webhook-service
|
681
|
+
namespace: metallb-system
|
682
|
+
path: /validate-metallb-io-v1beta1-community
|
683
|
+
failurePolicy: Fail
|
684
|
+
name: communityvalidationwebhook.metallb.io
|
685
|
+
rules:
|
686
|
+
- apiGroups:
|
687
|
+
- metallb.io
|
688
|
+
apiVersions:
|
689
|
+
- v1beta1
|
690
|
+
operations:
|
691
|
+
- CREATE
|
692
|
+
- UPDATE
|
693
|
+
resources:
|
694
|
+
- communities
|
695
|
+
sideEffects: None
|
696
|
+
- admissionReviewVersions:
|
697
|
+
- v1
|
698
|
+
clientConfig:
|
699
|
+
service:
|
700
|
+
name: webhook-service
|
701
|
+
namespace: metallb-system
|
702
|
+
path: /validate-metallb-io-v1beta1-ipaddresspool
|
703
|
+
failurePolicy: Fail
|
704
|
+
name: ipaddresspoolvalidationwebhook.metallb.io
|
705
|
+
rules:
|
706
|
+
- apiGroups:
|
707
|
+
- metallb.io
|
708
|
+
apiVersions:
|
709
|
+
- v1beta1
|
710
|
+
operations:
|
711
|
+
- CREATE
|
712
|
+
- UPDATE
|
713
|
+
resources:
|
714
|
+
- ipaddresspools
|
715
|
+
sideEffects: None
|
716
|
+
- admissionReviewVersions:
|
717
|
+
- v1
|
718
|
+
clientConfig:
|
719
|
+
service:
|
720
|
+
name: webhook-service
|
721
|
+
namespace: metallb-system
|
722
|
+
path: /validate-metallb-io-v1beta1-l2advertisement
|
723
|
+
failurePolicy: Fail
|
724
|
+
name: l2advertisementvalidationwebhook.metallb.io
|
725
|
+
rules:
|
726
|
+
- apiGroups:
|
727
|
+
- metallb.io
|
728
|
+
apiVersions:
|
729
|
+
- v1beta1
|
730
|
+
operations:
|
731
|
+
- CREATE
|
732
|
+
- UPDATE
|
733
|
+
resources:
|
734
|
+
- l2advertisements
|
735
|
+
sideEffects: None
|
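Review bot: The namespaced `controller` Role in the first hunk grants `create`, `delete`, `get`, `list`, `patch`, `update` and `watch` on every Secret in `metallb-system` with no `resourceNames`, where the removed Role allowed only `create` plus `list` on `memberlist`; the `pod-lister` Role, bound to the `speaker` ServiceAccount, also gains `get`/`list`/`watch` on all Secrets there. The `memberlist`-scoped rule that follows is now subsumed by the first one, and the speaker appears to be the `hostNetwork: true` DaemonSet, so any unrelated Secret placed in this namespace becomes readable from every node that runs it. I would document that above the rule, e.g. `# controller owns webhook-server-cert and memberlist; keep unrelated Secrets out of metallb-system`, and keep the namespace dedicated to MetalLB. In the new controller Deployment the container uses `drop: - all` while the speaker uses `- ALL`; as far as I know the Pod Security admission restricted check matches the upper-case spelling only, so `- ALL` is the safer form now that the PodSecurityPolicy-style specs are removed. If this manifest is regenerated by `data/hack/update-metallb.sh` (listed in the diffstat, not shown here), both changes belong in the kustomize overlay rather than in this file.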