porkadot 0.23.0 → 0.25.0
- checksums.yaml +4 -4
- data/hack/metallb/crds/kustomization.yaml +5 -0
- data/hack/metallb/exclude-l2-config.yaml +8 -0
- data/hack/metallb/kustomization.yaml +10 -0
- data/hack/update-kubelet-cert-approver.sh +6 -0
- data/hack/update-metallb.sh +7 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb +1 -1
- data/lib/porkadot/assets/etcd/etcd-server.yaml.erb +17 -9
- data/lib/porkadot/assets/etcd/etcd.env.erb +4 -0
- data/lib/porkadot/assets/etcd/install.sh.erb +1 -0
- data/lib/porkadot/assets/etcd.rb +1 -0
- data/lib/porkadot/assets/kubelet/config.yaml.erb +1 -39
- data/lib/porkadot/assets/kubelet/initiatorname.iscsi.erb +1 -0
- data/lib/porkadot/assets/kubelet/kubelet.service.erb +2 -6
- data/lib/porkadot/assets/kubelet/metadata.json.erb +5 -0
- data/lib/porkadot/assets/{kubelet → kubelet-default}/install-deps.sh.erb +3 -1
- data/lib/porkadot/assets/{kubelet → kubelet-default}/install-pkgs.sh.erb +1 -3
- data/lib/porkadot/assets/kubelet-default/install.sh.erb +22 -7
- data/lib/porkadot/assets/kubelet-default/setup-containerd.sh.erb +22 -0
- data/lib/porkadot/assets/kubelet-default/setup-node.sh.erb +16 -0
- data/lib/porkadot/assets/kubelet.rb +14 -12
- data/lib/porkadot/assets/kubernetes/install.sh.erb +3 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/coredns.yaml.erb +1 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/dns-horizontal-autoscaler.yaml.erb +1 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/flannel/flannel.yaml.erb +12 -51
- data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/kustomization.yaml.erb +3 -0
- data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb +210 -0
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb +3 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/crds.yaml +1272 -0
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.config.yaml.erb +1 -12
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml.erb +507 -252
- data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb +4 -1
- data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb +3 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb +3 -1
- data/lib/porkadot/assets/kubernetes.rb +22 -1
- data/lib/porkadot/config.rb +1 -1
- data/lib/porkadot/configs/addons.rb +4 -0
- data/lib/porkadot/configs/etcd.rb +9 -0
- data/lib/porkadot/configs/kubelet.rb +25 -7
- data/lib/porkadot/default.yaml +17 -15
- data/lib/porkadot/install/bootstrap.rb +1 -1
- data/lib/porkadot/install/kubelet.rb +24 -40
- data/lib/porkadot/version.rb +1 -1
- data/lib/porkadot.rb +1 -0
- metadata +17 -7
- data/lib/porkadot/assets/kubelet/install.sh.erb +0 -35
- data/lib/porkadot/assets/kubelet/setup-containerd.sh.erb +0 -17
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml +0 -480
@@ -1,97 +1,189 @@
|
|
1
|
-
apiVersion:
|
2
|
-
kind:
|
1
|
+
apiVersion: v1
|
2
|
+
kind: ServiceAccount
|
3
3
|
metadata:
|
4
4
|
labels:
|
5
5
|
app: metallb
|
6
6
|
name: controller
|
7
|
-
|
8
|
-
allowPrivilegeEscalation: false
|
9
|
-
allowedCapabilities: []
|
10
|
-
allowedHostPaths: []
|
11
|
-
defaultAddCapabilities: []
|
12
|
-
defaultAllowPrivilegeEscalation: false
|
13
|
-
fsGroup:
|
14
|
-
ranges:
|
15
|
-
- max: 65535
|
16
|
-
min: 1
|
17
|
-
rule: MustRunAs
|
18
|
-
hostIPC: false
|
19
|
-
hostNetwork: false
|
20
|
-
hostPID: false
|
21
|
-
privileged: false
|
22
|
-
readOnlyRootFilesystem: true
|
23
|
-
requiredDropCapabilities:
|
24
|
-
- ALL
|
25
|
-
runAsUser:
|
26
|
-
ranges:
|
27
|
-
- max: 65535
|
28
|
-
min: 1
|
29
|
-
rule: MustRunAs
|
30
|
-
seLinux:
|
31
|
-
rule: RunAsAny
|
32
|
-
supplementalGroups:
|
33
|
-
ranges:
|
34
|
-
- max: 65535
|
35
|
-
min: 1
|
36
|
-
rule: MustRunAs
|
37
|
-
volumes:
|
38
|
-
- configMap
|
39
|
-
- secret
|
40
|
-
- emptyDir
|
7
|
+
namespace: metallb-system
|
41
8
|
---
|
42
|
-
apiVersion:
|
43
|
-
kind:
|
9
|
+
apiVersion: v1
|
10
|
+
kind: ServiceAccount
|
44
11
|
metadata:
|
45
12
|
labels:
|
46
13
|
app: metallb
|
47
14
|
name: speaker
|
48
|
-
|
49
|
-
allowPrivilegeEscalation: false
|
50
|
-
allowedCapabilities:
|
51
|
-
- NET_RAW
|
52
|
-
allowedHostPaths: []
|
53
|
-
defaultAddCapabilities: []
|
54
|
-
defaultAllowPrivilegeEscalation: false
|
55
|
-
fsGroup:
|
56
|
-
rule: RunAsAny
|
57
|
-
hostIPC: false
|
58
|
-
hostNetwork: true
|
59
|
-
hostPID: false
|
60
|
-
hostPorts:
|
61
|
-
- max: 7472
|
62
|
-
min: 7472
|
63
|
-
- max: 7946
|
64
|
-
min: 7946
|
65
|
-
privileged: true
|
66
|
-
readOnlyRootFilesystem: true
|
67
|
-
requiredDropCapabilities:
|
68
|
-
- ALL
|
69
|
-
runAsUser:
|
70
|
-
rule: RunAsAny
|
71
|
-
seLinux:
|
72
|
-
rule: RunAsAny
|
73
|
-
supplementalGroups:
|
74
|
-
rule: RunAsAny
|
75
|
-
volumes:
|
76
|
-
- configMap
|
77
|
-
- secret
|
78
|
-
- emptyDir
|
15
|
+
namespace: metallb-system
|
79
16
|
---
|
80
|
-
apiVersion: v1
|
81
|
-
kind:
|
17
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
18
|
+
kind: Role
|
82
19
|
metadata:
|
83
20
|
labels:
|
84
21
|
app: metallb
|
85
22
|
name: controller
|
86
23
|
namespace: metallb-system
|
24
|
+
rules:
|
25
|
+
- apiGroups:
|
26
|
+
- ""
|
27
|
+
resources:
|
28
|
+
- secrets
|
29
|
+
verbs:
|
30
|
+
- create
|
31
|
+
- delete
|
32
|
+
- get
|
33
|
+
- list
|
34
|
+
- patch
|
35
|
+
- update
|
36
|
+
- watch
|
37
|
+
- apiGroups:
|
38
|
+
- ""
|
39
|
+
resourceNames:
|
40
|
+
- memberlist
|
41
|
+
resources:
|
42
|
+
- secrets
|
43
|
+
verbs:
|
44
|
+
- list
|
45
|
+
- apiGroups:
|
46
|
+
- apps
|
47
|
+
resourceNames:
|
48
|
+
- controller
|
49
|
+
resources:
|
50
|
+
- deployments
|
51
|
+
verbs:
|
52
|
+
- get
|
53
|
+
- apiGroups:
|
54
|
+
- metallb.io
|
55
|
+
resources:
|
56
|
+
- bgppeers
|
57
|
+
verbs:
|
58
|
+
- get
|
59
|
+
- list
|
60
|
+
- apiGroups:
|
61
|
+
- metallb.io
|
62
|
+
resources:
|
63
|
+
- addresspools
|
64
|
+
verbs:
|
65
|
+
- get
|
66
|
+
- list
|
67
|
+
- watch
|
68
|
+
- apiGroups:
|
69
|
+
- metallb.io
|
70
|
+
resources:
|
71
|
+
- bfdprofiles
|
72
|
+
verbs:
|
73
|
+
- get
|
74
|
+
- list
|
75
|
+
- watch
|
76
|
+
- apiGroups:
|
77
|
+
- metallb.io
|
78
|
+
resources:
|
79
|
+
- ipaddresspools
|
80
|
+
verbs:
|
81
|
+
- get
|
82
|
+
- list
|
83
|
+
- watch
|
84
|
+
- apiGroups:
|
85
|
+
- metallb.io
|
86
|
+
resources:
|
87
|
+
- bgpadvertisements
|
88
|
+
verbs:
|
89
|
+
- get
|
90
|
+
- list
|
91
|
+
- watch
|
92
|
+
- apiGroups:
|
93
|
+
- metallb.io
|
94
|
+
resources:
|
95
|
+
- l2advertisements
|
96
|
+
verbs:
|
97
|
+
- get
|
98
|
+
- list
|
99
|
+
- watch
|
100
|
+
- apiGroups:
|
101
|
+
- metallb.io
|
102
|
+
resources:
|
103
|
+
- communities
|
104
|
+
verbs:
|
105
|
+
- get
|
106
|
+
- list
|
107
|
+
- watch
|
87
108
|
---
|
88
|
-
apiVersion: v1
|
89
|
-
kind:
|
109
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
110
|
+
kind: Role
|
90
111
|
metadata:
|
91
112
|
labels:
|
92
113
|
app: metallb
|
93
|
-
name:
|
114
|
+
name: pod-lister
|
94
115
|
namespace: metallb-system
|
116
|
+
rules:
|
117
|
+
- apiGroups:
|
118
|
+
- ""
|
119
|
+
resources:
|
120
|
+
- pods
|
121
|
+
verbs:
|
122
|
+
- list
|
123
|
+
- apiGroups:
|
124
|
+
- ""
|
125
|
+
resources:
|
126
|
+
- secrets
|
127
|
+
verbs:
|
128
|
+
- get
|
129
|
+
- list
|
130
|
+
- watch
|
131
|
+
- apiGroups:
|
132
|
+
- metallb.io
|
133
|
+
resources:
|
134
|
+
- addresspools
|
135
|
+
verbs:
|
136
|
+
- get
|
137
|
+
- list
|
138
|
+
- watch
|
139
|
+
- apiGroups:
|
140
|
+
- metallb.io
|
141
|
+
resources:
|
142
|
+
- bfdprofiles
|
143
|
+
verbs:
|
144
|
+
- get
|
145
|
+
- list
|
146
|
+
- watch
|
147
|
+
- apiGroups:
|
148
|
+
- metallb.io
|
149
|
+
resources:
|
150
|
+
- bgppeers
|
151
|
+
verbs:
|
152
|
+
- get
|
153
|
+
- list
|
154
|
+
- watch
|
155
|
+
- apiGroups:
|
156
|
+
- metallb.io
|
157
|
+
resources:
|
158
|
+
- l2advertisements
|
159
|
+
verbs:
|
160
|
+
- get
|
161
|
+
- list
|
162
|
+
- watch
|
163
|
+
- apiGroups:
|
164
|
+
- metallb.io
|
165
|
+
resources:
|
166
|
+
- bgpadvertisements
|
167
|
+
verbs:
|
168
|
+
- get
|
169
|
+
- list
|
170
|
+
- watch
|
171
|
+
- apiGroups:
|
172
|
+
- metallb.io
|
173
|
+
resources:
|
174
|
+
- ipaddresspools
|
175
|
+
verbs:
|
176
|
+
- get
|
177
|
+
- list
|
178
|
+
- watch
|
179
|
+
- apiGroups:
|
180
|
+
- metallb.io
|
181
|
+
resources:
|
182
|
+
- communities
|
183
|
+
verbs:
|
184
|
+
- get
|
185
|
+
- list
|
186
|
+
- watch
|
95
187
|
---
|
96
188
|
apiVersion: rbac.authorization.k8s.io/v1
|
97
189
|
kind: ClusterRole
|
@@ -101,21 +193,22 @@ metadata:
|
|
101
193
|
name: metallb-system:controller
|
102
194
|
rules:
|
103
195
|
- apiGroups:
|
104
|
-
-
|
196
|
+
- ""
|
105
197
|
resources:
|
106
198
|
- services
|
199
|
+
- namespaces
|
107
200
|
verbs:
|
108
201
|
- get
|
109
202
|
- list
|
110
203
|
- watch
|
111
204
|
- apiGroups:
|
112
|
-
-
|
205
|
+
- ""
|
113
206
|
resources:
|
114
207
|
- services/status
|
115
208
|
verbs:
|
116
209
|
- update
|
117
210
|
- apiGroups:
|
118
|
-
-
|
211
|
+
- ""
|
119
212
|
resources:
|
120
213
|
- events
|
121
214
|
verbs:
|
@@ -129,6 +222,56 @@ rules:
|
|
129
222
|
- podsecuritypolicies
|
130
223
|
verbs:
|
131
224
|
- use
|
225
|
+
- apiGroups:
|
226
|
+
- admissionregistration.k8s.io
|
227
|
+
resourceNames:
|
228
|
+
- metallb-webhook-configuration
|
229
|
+
resources:
|
230
|
+
- validatingwebhookconfigurations
|
231
|
+
- mutatingwebhookconfigurations
|
232
|
+
verbs:
|
233
|
+
- create
|
234
|
+
- delete
|
235
|
+
- get
|
236
|
+
- list
|
237
|
+
- patch
|
238
|
+
- update
|
239
|
+
- watch
|
240
|
+
- apiGroups:
|
241
|
+
- admissionregistration.k8s.io
|
242
|
+
resources:
|
243
|
+
- validatingwebhookconfigurations
|
244
|
+
- mutatingwebhookconfigurations
|
245
|
+
verbs:
|
246
|
+
- list
|
247
|
+
- watch
|
248
|
+
- apiGroups:
|
249
|
+
- apiextensions.k8s.io
|
250
|
+
resourceNames:
|
251
|
+
- addresspools.metallb.io
|
252
|
+
- bfdprofiles.metallb.io
|
253
|
+
- bgpadvertisements.metallb.io
|
254
|
+
- bgppeers.metallb.io
|
255
|
+
- ipaddresspools.metallb.io
|
256
|
+
- l2advertisements.metallb.io
|
257
|
+
- communities.metallb.io
|
258
|
+
resources:
|
259
|
+
- customresourcedefinitions
|
260
|
+
verbs:
|
261
|
+
- create
|
262
|
+
- delete
|
263
|
+
- get
|
264
|
+
- list
|
265
|
+
- patch
|
266
|
+
- update
|
267
|
+
- watch
|
268
|
+
- apiGroups:
|
269
|
+
- apiextensions.k8s.io
|
270
|
+
resources:
|
271
|
+
- customresourcedefinitions
|
272
|
+
verbs:
|
273
|
+
- list
|
274
|
+
- watch
|
132
275
|
---
|
133
276
|
apiVersion: rbac.authorization.k8s.io/v1
|
134
277
|
kind: ClusterRole
|
@@ -138,16 +281,18 @@ metadata:
|
|
138
281
|
name: metallb-system:speaker
|
139
282
|
rules:
|
140
283
|
- apiGroups:
|
141
|
-
-
|
284
|
+
- ""
|
142
285
|
resources:
|
143
286
|
- services
|
144
287
|
- endpoints
|
145
288
|
- nodes
|
289
|
+
- namespaces
|
146
290
|
verbs:
|
147
291
|
- get
|
148
292
|
- list
|
149
293
|
- watch
|
150
|
-
- apiGroups:
|
294
|
+
- apiGroups:
|
295
|
+
- discovery.k8s.io
|
151
296
|
resources:
|
152
297
|
- endpointslices
|
153
298
|
verbs:
|
@@ -155,7 +300,7 @@ rules:
|
|
155
300
|
- list
|
156
301
|
- watch
|
157
302
|
- apiGroups:
|
158
|
-
-
|
303
|
+
- ""
|
159
304
|
resources:
|
160
305
|
- events
|
161
306
|
verbs:
|
@@ -171,67 +316,36 @@ rules:
|
|
171
316
|
- use
|
172
317
|
---
|
173
318
|
apiVersion: rbac.authorization.k8s.io/v1
|
174
|
-
kind:
|
319
|
+
kind: RoleBinding
|
175
320
|
metadata:
|
176
321
|
labels:
|
177
322
|
app: metallb
|
178
|
-
name:
|
323
|
+
name: controller
|
324
|
+
namespace: metallb-system
|
325
|
+
roleRef:
|
326
|
+
apiGroup: rbac.authorization.k8s.io
|
327
|
+
kind: Role
|
328
|
+
name: controller
|
329
|
+
subjects:
|
330
|
+
- kind: ServiceAccount
|
331
|
+
name: controller
|
179
332
|
namespace: metallb-system
|
180
|
-
rules:
|
181
|
-
- apiGroups:
|
182
|
-
- ''
|
183
|
-
resources:
|
184
|
-
- configmaps
|
185
|
-
verbs:
|
186
|
-
- get
|
187
|
-
- list
|
188
|
-
- watch
|
189
333
|
---
|
190
334
|
apiVersion: rbac.authorization.k8s.io/v1
|
191
|
-
kind:
|
335
|
+
kind: RoleBinding
|
192
336
|
metadata:
|
193
337
|
labels:
|
194
338
|
app: metallb
|
195
339
|
name: pod-lister
|
196
340
|
namespace: metallb-system
|
197
|
-
|
198
|
-
|
199
|
-
|
200
|
-
|
201
|
-
|
202
|
-
|
203
|
-
|
204
|
-
---
|
205
|
-
apiVersion: rbac.authorization.k8s.io/v1
|
206
|
-
kind: Role
|
207
|
-
metadata:
|
208
|
-
labels:
|
209
|
-
app: metallb
|
210
|
-
name: controller
|
341
|
+
roleRef:
|
342
|
+
apiGroup: rbac.authorization.k8s.io
|
343
|
+
kind: Role
|
344
|
+
name: pod-lister
|
345
|
+
subjects:
|
346
|
+
- kind: ServiceAccount
|
347
|
+
name: speaker
|
211
348
|
namespace: metallb-system
|
212
|
-
rules:
|
213
|
-
- apiGroups:
|
214
|
-
- ''
|
215
|
-
resources:
|
216
|
-
- secrets
|
217
|
-
verbs:
|
218
|
-
- create
|
219
|
-
- apiGroups:
|
220
|
-
- ''
|
221
|
-
resources:
|
222
|
-
- secrets
|
223
|
-
resourceNames:
|
224
|
-
- memberlist
|
225
|
-
verbs:
|
226
|
-
- list
|
227
|
-
- apiGroups:
|
228
|
-
- apps
|
229
|
-
resources:
|
230
|
-
- deployments
|
231
|
-
resourceNames:
|
232
|
-
- controller
|
233
|
-
verbs:
|
234
|
-
- get
|
235
349
|
---
|
236
350
|
apiVersion: rbac.authorization.k8s.io/v1
|
237
351
|
kind: ClusterRoleBinding
|
@@ -263,218 +377,359 @@ subjects:
|
|
263
377
|
name: speaker
|
264
378
|
namespace: metallb-system
|
265
379
|
---
|
266
|
-
apiVersion:
|
267
|
-
|
380
|
+
apiVersion: v1
|
381
|
+
data:
|
382
|
+
excludel2.yaml: |
|
383
|
+
announcedInterfacesToExclude: ["docker.*", "cbr.*", "dummy.*", "virbr.*", "lxcbr.*", "veth.*", "lo", "^cali.*", "^tunl.*", "flannel.*", "kube-ipvs.*", "cni.*", "^nodelocaldns.*"]
|
384
|
+
kind: ConfigMap
|
268
385
|
metadata:
|
269
|
-
|
270
|
-
app: metallb
|
271
|
-
name: config-watcher
|
386
|
+
name: metallb-excludel2
|
272
387
|
namespace: metallb-system
|
273
|
-
roleRef:
|
274
|
-
apiGroup: rbac.authorization.k8s.io
|
275
|
-
kind: Role
|
276
|
-
name: config-watcher
|
277
|
-
subjects:
|
278
|
-
- kind: ServiceAccount
|
279
|
-
name: controller
|
280
|
-
- kind: ServiceAccount
|
281
|
-
name: speaker
|
282
388
|
---
|
283
|
-
apiVersion:
|
284
|
-
kind:
|
389
|
+
apiVersion: v1
|
390
|
+
kind: Secret
|
285
391
|
metadata:
|
286
|
-
|
287
|
-
app: metallb
|
288
|
-
name: pod-lister
|
392
|
+
name: webhook-server-cert
|
289
393
|
namespace: metallb-system
|
290
|
-
roleRef:
|
291
|
-
apiGroup: rbac.authorization.k8s.io
|
292
|
-
kind: Role
|
293
|
-
name: pod-lister
|
294
|
-
subjects:
|
295
|
-
- kind: ServiceAccount
|
296
|
-
name: speaker
|
297
394
|
---
|
298
|
-
apiVersion:
|
299
|
-
kind:
|
395
|
+
apiVersion: v1
|
396
|
+
kind: Service
|
300
397
|
metadata:
|
301
|
-
|
302
|
-
app: metallb
|
303
|
-
name: controller
|
398
|
+
name: webhook-service
|
304
399
|
namespace: metallb-system
|
305
|
-
|
306
|
-
|
307
|
-
|
308
|
-
|
309
|
-
|
310
|
-
|
311
|
-
name: controller
|
400
|
+
spec:
|
401
|
+
ports:
|
402
|
+
- port: 443
|
403
|
+
targetPort: 9443
|
404
|
+
selector:
|
405
|
+
component: controller
|
312
406
|
---
|
313
407
|
apiVersion: apps/v1
|
314
|
-
kind:
|
408
|
+
kind: Deployment
|
315
409
|
metadata:
|
316
410
|
labels:
|
317
411
|
app: metallb
|
318
|
-
component:
|
319
|
-
name:
|
412
|
+
component: controller
|
413
|
+
name: controller
|
320
414
|
namespace: metallb-system
|
321
415
|
spec:
|
416
|
+
revisionHistoryLimit: 3
|
322
417
|
selector:
|
323
418
|
matchLabels:
|
324
419
|
app: metallb
|
325
|
-
component:
|
420
|
+
component: controller
|
326
421
|
template:
|
327
422
|
metadata:
|
328
423
|
annotations:
|
329
|
-
prometheus.io/port:
|
330
|
-
prometheus.io/scrape:
|
424
|
+
prometheus.io/port: "7472"
|
425
|
+
prometheus.io/scrape: "true"
|
331
426
|
labels:
|
332
427
|
app: metallb
|
333
|
-
component:
|
428
|
+
component: controller
|
334
429
|
spec:
|
335
430
|
containers:
|
336
431
|
- args:
|
337
432
|
- --port=7472
|
338
|
-
- --config=config
|
339
433
|
- --log-level=info
|
340
434
|
env:
|
341
|
-
- name:
|
342
|
-
|
343
|
-
|
344
|
-
|
345
|
-
|
346
|
-
valueFrom:
|
347
|
-
fieldRef:
|
348
|
-
fieldPath: status.hostIP
|
349
|
-
- name: METALLB_ML_BIND_ADDR
|
350
|
-
valueFrom:
|
351
|
-
fieldRef:
|
352
|
-
fieldPath: status.podIP
|
353
|
-
# needed when another software is also using memberlist / port 7946
|
354
|
-
# when changing this default you also need to update the container ports definition
|
355
|
-
# and the PodSecurityPolicy hostPorts definition
|
356
|
-
#- name: METALLB_ML_BIND_PORT
|
357
|
-
# value: "7946"
|
358
|
-
- name: METALLB_ML_LABELS
|
359
|
-
value: "app=metallb,component=speaker"
|
360
|
-
- name: METALLB_ML_SECRET_KEY
|
361
|
-
valueFrom:
|
362
|
-
secretKeyRef:
|
363
|
-
name: memberlist
|
364
|
-
key: secretkey
|
365
|
-
image: quay.io/metallb/speaker:v0.12.1
|
366
|
-
name: speaker
|
367
|
-
ports:
|
368
|
-
- containerPort: 7472
|
369
|
-
name: monitoring
|
370
|
-
- containerPort: 7946
|
371
|
-
name: memberlist-tcp
|
372
|
-
- containerPort: 7946
|
373
|
-
name: memberlist-udp
|
374
|
-
protocol: UDP
|
435
|
+
- name: METALLB_ML_SECRET_NAME
|
436
|
+
value: memberlist
|
437
|
+
- name: METALLB_DEPLOYMENT
|
438
|
+
value: controller
|
439
|
+
image: quay.io/metallb/controller:v0.13.9
|
375
440
|
livenessProbe:
|
441
|
+
failureThreshold: 3
|
376
442
|
httpGet:
|
377
443
|
path: /metrics
|
378
444
|
port: monitoring
|
379
445
|
initialDelaySeconds: 10
|
380
446
|
periodSeconds: 10
|
381
|
-
timeoutSeconds: 1
|
382
447
|
successThreshold: 1
|
383
|
-
|
448
|
+
timeoutSeconds: 1
|
449
|
+
name: controller
|
450
|
+
ports:
|
451
|
+
- containerPort: 7472
|
452
|
+
name: monitoring
|
453
|
+
- containerPort: 9443
|
454
|
+
name: webhook-server
|
455
|
+
protocol: TCP
|
384
456
|
readinessProbe:
|
457
|
+
failureThreshold: 3
|
385
458
|
httpGet:
|
386
459
|
path: /metrics
|
387
460
|
port: monitoring
|
388
461
|
initialDelaySeconds: 10
|
389
462
|
periodSeconds: 10
|
390
|
-
timeoutSeconds: 1
|
391
463
|
successThreshold: 1
|
392
|
-
|
464
|
+
timeoutSeconds: 1
|
393
465
|
securityContext:
|
394
466
|
allowPrivilegeEscalation: false
|
395
467
|
capabilities:
|
396
|
-
add:
|
397
|
-
- NET_RAW
|
398
468
|
drop:
|
399
|
-
-
|
469
|
+
- all
|
400
470
|
readOnlyRootFilesystem: true
|
401
|
-
|
471
|
+
volumeMounts:
|
472
|
+
- mountPath: /tmp/k8s-webhook-server/serving-certs
|
473
|
+
name: cert
|
474
|
+
readOnly: true
|
402
475
|
nodeSelector:
|
403
476
|
kubernetes.io/os: linux
|
404
|
-
|
405
|
-
|
406
|
-
|
407
|
-
|
408
|
-
|
409
|
-
|
477
|
+
securityContext:
|
478
|
+
fsGroup: 65534
|
479
|
+
runAsNonRoot: true
|
480
|
+
runAsUser: 65534
|
481
|
+
serviceAccountName: controller
|
482
|
+
terminationGracePeriodSeconds: 0
|
483
|
+
volumes:
|
484
|
+
- name: cert
|
485
|
+
secret:
|
486
|
+
defaultMode: 420
|
487
|
+
secretName: webhook-server-cert
|
410
488
|
---
|
411
489
|
apiVersion: apps/v1
|
412
|
-
kind:
|
490
|
+
kind: DaemonSet
|
413
491
|
metadata:
|
414
492
|
labels:
|
415
493
|
app: metallb
|
416
|
-
component:
|
417
|
-
name:
|
494
|
+
component: speaker
|
495
|
+
name: speaker
|
418
496
|
namespace: metallb-system
|
419
497
|
spec:
|
420
|
-
revisionHistoryLimit: 3
|
421
498
|
selector:
|
422
499
|
matchLabels:
|
423
500
|
app: metallb
|
424
|
-
component:
|
501
|
+
component: speaker
|
425
502
|
template:
|
426
503
|
metadata:
|
427
504
|
annotations:
|
428
|
-
prometheus.io/port:
|
429
|
-
prometheus.io/scrape:
|
505
|
+
prometheus.io/port: "7472"
|
506
|
+
prometheus.io/scrape: "true"
|
430
507
|
labels:
|
431
508
|
app: metallb
|
432
|
-
component:
|
509
|
+
component: speaker
|
433
510
|
spec:
|
434
511
|
containers:
|
435
512
|
- args:
|
436
513
|
- --port=7472
|
437
|
-
- --config=config
|
438
514
|
- --log-level=info
|
439
515
|
env:
|
440
|
-
- name:
|
441
|
-
|
442
|
-
|
443
|
-
|
444
|
-
|
445
|
-
|
446
|
-
|
447
|
-
|
448
|
-
|
516
|
+
- name: METALLB_NODE_NAME
|
517
|
+
valueFrom:
|
518
|
+
fieldRef:
|
519
|
+
fieldPath: spec.nodeName
|
520
|
+
- name: METALLB_HOST
|
521
|
+
valueFrom:
|
522
|
+
fieldRef:
|
523
|
+
fieldPath: status.hostIP
|
524
|
+
- name: METALLB_ML_BIND_ADDR
|
525
|
+
valueFrom:
|
526
|
+
fieldRef:
|
527
|
+
fieldPath: status.podIP
|
528
|
+
- name: METALLB_ML_LABELS
|
529
|
+
value: app=metallb,component=speaker
|
530
|
+
- name: METALLB_ML_SECRET_KEY_PATH
|
531
|
+
value: /etc/ml_secret_key
|
532
|
+
image: quay.io/metallb/speaker:v0.13.9
|
449
533
|
livenessProbe:
|
534
|
+
failureThreshold: 3
|
450
535
|
httpGet:
|
451
536
|
path: /metrics
|
452
537
|
port: monitoring
|
453
538
|
initialDelaySeconds: 10
|
454
539
|
periodSeconds: 10
|
455
|
-
timeoutSeconds: 1
|
456
540
|
successThreshold: 1
|
457
|
-
|
541
|
+
timeoutSeconds: 1
|
542
|
+
name: speaker
|
543
|
+
ports:
|
544
|
+
- containerPort: 7472
|
545
|
+
name: monitoring
|
546
|
+
- containerPort: 7946
|
547
|
+
name: memberlist-tcp
|
548
|
+
- containerPort: 7946
|
549
|
+
name: memberlist-udp
|
550
|
+
protocol: UDP
|
458
551
|
readinessProbe:
|
552
|
+
failureThreshold: 3
|
459
553
|
httpGet:
|
460
554
|
path: /metrics
|
461
555
|
port: monitoring
|
462
556
|
initialDelaySeconds: 10
|
463
557
|
periodSeconds: 10
|
464
|
-
timeoutSeconds: 1
|
465
558
|
successThreshold: 1
|
466
|
-
|
559
|
+
timeoutSeconds: 1
|
467
560
|
securityContext:
|
468
561
|
allowPrivilegeEscalation: false
|
469
562
|
capabilities:
|
563
|
+
add:
|
564
|
+
- NET_RAW
|
470
565
|
drop:
|
471
|
-
-
|
566
|
+
- ALL
|
472
567
|
readOnlyRootFilesystem: true
|
568
|
+
volumeMounts:
|
569
|
+
- mountPath: /etc/ml_secret_key
|
570
|
+
name: memberlist
|
571
|
+
readOnly: true
|
572
|
+
hostNetwork: true
|
473
573
|
nodeSelector:
|
474
574
|
kubernetes.io/os: linux
|
475
|
-
|
476
|
-
|
477
|
-
|
478
|
-
|
479
|
-
|
480
|
-
|
575
|
+
serviceAccountName: speaker
|
576
|
+
terminationGracePeriodSeconds: 2
|
577
|
+
tolerations:
|
578
|
+
- effect: NoSchedule
|
579
|
+
key: node-role.kubernetes.io/master
|
580
|
+
operator: Exists
|
581
|
+
- effect: NoSchedule
|
582
|
+
key: node-role.kubernetes.io/control-plane
|
583
|
+
operator: Exists
|
584
|
+
volumes:
|
585
|
+
- name: memberlist
|
586
|
+
secret:
|
587
|
+
defaultMode: 420
|
588
|
+
secretName: memberlist
|
589
|
+
---
|
590
|
+
apiVersion: admissionregistration.k8s.io/v1
|
591
|
+
kind: ValidatingWebhookConfiguration
|
592
|
+
metadata:
|
593
|
+
creationTimestamp: null
|
594
|
+
name: metallb-webhook-configuration
|
595
|
+
webhooks:
|
596
|
+
- admissionReviewVersions:
|
597
|
+
- v1
|
598
|
+
clientConfig:
|
599
|
+
service:
|
600
|
+
name: webhook-service
|
601
|
+
namespace: metallb-system
|
602
|
+
path: /validate-metallb-io-v1beta2-bgppeer
|
603
|
+
failurePolicy: Fail
|
604
|
+
name: bgppeersvalidationwebhook.metallb.io
|
605
|
+
rules:
|
606
|
+
- apiGroups:
|
607
|
+
- metallb.io
|
608
|
+
apiVersions:
|
609
|
+
- v1beta2
|
610
|
+
operations:
|
611
|
+
- CREATE
|
612
|
+
- UPDATE
|
613
|
+
resources:
|
614
|
+
- bgppeers
|
615
|
+
sideEffects: None
|
616
|
+
- admissionReviewVersions:
|
617
|
+
- v1
|
618
|
+
clientConfig:
|
619
|
+
service:
|
620
|
+
name: webhook-service
|
621
|
+
namespace: metallb-system
|
622
|
+
path: /validate-metallb-io-v1beta1-addresspool
|
623
|
+
failurePolicy: Fail
|
624
|
+
name: addresspoolvalidationwebhook.metallb.io
|
625
|
+
rules:
|
626
|
+
- apiGroups:
|
627
|
+
- metallb.io
|
628
|
+
apiVersions:
|
629
|
+
- v1beta1
|
630
|
+
operations:
|
631
|
+
- CREATE
|
632
|
+
- UPDATE
|
633
|
+
resources:
|
634
|
+
- addresspools
|
635
|
+
sideEffects: None
|
636
|
+
- admissionReviewVersions:
|
637
|
+
- v1
|
638
|
+
clientConfig:
|
639
|
+
service:
|
640
|
+
name: webhook-service
|
641
|
+
namespace: metallb-system
|
642
|
+
path: /validate-metallb-io-v1beta1-bfdprofile
|
643
|
+
failurePolicy: Fail
|
644
|
+
name: bfdprofilevalidationwebhook.metallb.io
|
645
|
+
rules:
|
646
|
+
- apiGroups:
|
647
|
+
- metallb.io
|
648
|
+
apiVersions:
|
649
|
+
- v1beta1
|
650
|
+
operations:
|
651
|
+
- CREATE
|
652
|
+
- DELETE
|
653
|
+
resources:
|
654
|
+
- bfdprofiles
|
655
|
+
sideEffects: None
|
656
|
+
- admissionReviewVersions:
|
657
|
+
- v1
|
658
|
+
clientConfig:
|
659
|
+
service:
|
660
|
+
name: webhook-service
|
661
|
+
namespace: metallb-system
|
662
|
+
path: /validate-metallb-io-v1beta1-bgpadvertisement
|
663
|
+
failurePolicy: Fail
|
664
|
+
name: bgpadvertisementvalidationwebhook.metallb.io
|
665
|
+
rules:
|
666
|
+
- apiGroups:
|
667
|
+
- metallb.io
|
668
|
+
apiVersions:
|
669
|
+
- v1beta1
|
670
|
+
operations:
|
671
|
+
- CREATE
|
672
|
+
- UPDATE
|
673
|
+
resources:
|
674
|
+
- bgpadvertisements
|
675
|
+
sideEffects: None
|
676
|
+
- admissionReviewVersions:
|
677
|
+
- v1
|
678
|
+
clientConfig:
|
679
|
+
service:
|
680
|
+
name: webhook-service
|
681
|
+
namespace: metallb-system
|
682
|
+
path: /validate-metallb-io-v1beta1-community
|
683
|
+
failurePolicy: Fail
|
684
|
+
name: communityvalidationwebhook.metallb.io
|
685
|
+
rules:
|
686
|
+
- apiGroups:
|
687
|
+
- metallb.io
|
688
|
+
apiVersions:
|
689
|
+
- v1beta1
|
690
|
+
operations:
|
691
|
+
- CREATE
|
692
|
+
- UPDATE
|
693
|
+
resources:
|
694
|
+
- communities
|
695
|
+
sideEffects: None
|
696
|
+
- admissionReviewVersions:
|
697
|
+
- v1
|
698
|
+
clientConfig:
|
699
|
+
service:
|
700
|
+
name: webhook-service
|
701
|
+
namespace: metallb-system
|
702
|
+
path: /validate-metallb-io-v1beta1-ipaddresspool
|
703
|
+
failurePolicy: Fail
|
704
|
+
name: ipaddresspoolvalidationwebhook.metallb.io
|
705
|
+
rules:
|
706
|
+
- apiGroups:
|
707
|
+
- metallb.io
|
708
|
+
apiVersions:
|
709
|
+
- v1beta1
|
710
|
+
operations:
|
711
|
+
- CREATE
|
712
|
+
- UPDATE
|
713
|
+
resources:
|
714
|
+
- ipaddresspools
|
715
|
+
sideEffects: None
|
716
|
+
- admissionReviewVersions:
|
717
|
+
- v1
|
718
|
+
clientConfig:
|
719
|
+
service:
|
720
|
+
name: webhook-service
|
721
|
+
namespace: metallb-system
|
722
|
+
path: /validate-metallb-io-v1beta1-l2advertisement
|
723
|
+
failurePolicy: Fail
|
724
|
+
name: l2advertisementvalidationwebhook.metallb.io
|
725
|
+
rules:
|
726
|
+
- apiGroups:
|
727
|
+
- metallb.io
|
728
|
+
apiVersions:
|
729
|
+
- v1beta1
|
730
|
+
operations:
|
731
|
+
- CREATE
|
732
|
+
- UPDATE
|
733
|
+
resources:
|
734
|
+
- l2advertisements
|
735
|
+
sideEffects: None
|
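Review bot: The new `controller` Role (new lines 24–36) grants create, delete, get, list, patch, update and watch on every Secret in `metallb-system` with no `resourceNames`, whereas the removed Role (old lines 212–226) allowed only `create` plus `list` on `memberlist`; the memberlist-scoped rule kept at new lines 37–44 is now redundant. The `pod-lister` Role, bound to the `speaker` service account, likewise gains get/list/watch on all Secrets in the namespace (new lines 123–130). The only Secrets this section itself references are `memberlist` and `webhook-server-cert`, so it is worth confirming what else the controller needs to touch. If the manifest is regenerated from upstream and the rules cannot be narrowed, I would at least record the consequence above the rule, e.g. `# controller can read and modify every Secret in metallb-system; keep unrelated secrets out of this namespace`, and drop the redundant memberlist rule.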