porkadot 0.23.0 → 0.25.0
- checksums.yaml +4 -4
- data/hack/metallb/crds/kustomization.yaml +5 -0
- data/hack/metallb/exclude-l2-config.yaml +8 -0
- data/hack/metallb/kustomization.yaml +10 -0
- data/hack/update-kubelet-cert-approver.sh +6 -0
- data/hack/update-metallb.sh +7 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb +1 -1
- data/lib/porkadot/assets/etcd/etcd-server.yaml.erb +17 -9
- data/lib/porkadot/assets/etcd/etcd.env.erb +4 -0
- data/lib/porkadot/assets/etcd/install.sh.erb +1 -0
- data/lib/porkadot/assets/etcd.rb +1 -0
- data/lib/porkadot/assets/kubelet/config.yaml.erb +1 -39
- data/lib/porkadot/assets/kubelet/initiatorname.iscsi.erb +1 -0
- data/lib/porkadot/assets/kubelet/kubelet.service.erb +2 -6
- data/lib/porkadot/assets/kubelet/metadata.json.erb +5 -0
- data/lib/porkadot/assets/{kubelet → kubelet-default}/install-deps.sh.erb +3 -1
- data/lib/porkadot/assets/{kubelet → kubelet-default}/install-pkgs.sh.erb +1 -3
- data/lib/porkadot/assets/kubelet-default/install.sh.erb +22 -7
- data/lib/porkadot/assets/kubelet-default/setup-containerd.sh.erb +22 -0
- data/lib/porkadot/assets/kubelet-default/setup-node.sh.erb +16 -0
- data/lib/porkadot/assets/kubelet.rb +14 -12
- data/lib/porkadot/assets/kubernetes/install.sh.erb +3 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/coredns.yaml.erb +1 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/dns-horizontal-autoscaler.yaml.erb +1 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/flannel/flannel.yaml.erb +12 -51
- data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/kustomization.yaml.erb +3 -0
- data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb +210 -0
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb +3 -1
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/crds.yaml +1272 -0
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.config.yaml.erb +1 -12
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml.erb +507 -252
- data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb +4 -1
- data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb +3 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb +3 -1
- data/lib/porkadot/assets/kubernetes.rb +22 -1
- data/lib/porkadot/config.rb +1 -1
- data/lib/porkadot/configs/addons.rb +4 -0
- data/lib/porkadot/configs/etcd.rb +9 -0
- data/lib/porkadot/configs/kubelet.rb +25 -7
- data/lib/porkadot/default.yaml +17 -15
- data/lib/porkadot/install/bootstrap.rb +1 -1
- data/lib/porkadot/install/kubelet.rb +24 -40
- data/lib/porkadot/version.rb +1 -1
- data/lib/porkadot.rb +1 -0
- metadata +17 -7
- data/lib/porkadot/assets/kubelet/install.sh.erb +0 -35
- data/lib/porkadot/assets/kubelet/setup-containerd.sh.erb +0 -17
- data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml +0 -480
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 91ee01d34fb9504cf2c2da60cc375102d212a88adfa83d5335ba07efaf1dc126
|
4
|
+
data.tar.gz: 88cc5cf3c93e0bf12d41a558a1d92e2fb62a86ea7824282e55d2eb66c9fc029b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ad4c075b775c38030b2f96a32d09a2a28a3eb10eba0c4bb96109ee997a3c26d4c3e11ef3e37dbffc41f3c63d158668242a14493002ec2bcc9b7485886eb2b62b
|
7
|
+
data.tar.gz: ae0f9beb775bea1601fc7189a5aff026592c88567bf5dc9be32a82068849d48da451c06fd0c56c7250c371a4ff4110d92187c00a6257a9df199751e1e6c1328d
|
@@ -0,0 +1,8 @@
|
|
1
|
+
apiVersion: v1
|
2
|
+
kind: ConfigMap
|
3
|
+
metadata:
|
4
|
+
name: metallb-excludel2
|
5
|
+
namespace: metallb-system
|
6
|
+
data:
|
7
|
+
excludel2.yaml: |
|
8
|
+
announcedInterfacesToExclude: ["docker.*", "cbr.*", "dummy.*", "virbr.*", "lxcbr.*", "veth.*", "lo", "^cali.*", "^tunl.*", "flannel.*", "kube-ipvs.*", "cni.*", "^nodelocaldns.*"]
|
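Review bot: The `announcedInterfacesToExclude` list on new line 8 mixes anchored and unanchored entries (`^cali.*`, `^tunl.*`, `^nodelocaldns.*` next to `docker.*`, `veth.*`, `cni.*` and a bare `lo`); if MetalLB evaluates these as unanchored regular expressions — which I believe v0.13 does, worth confirming against the speaker source — `lo` also excludes any interface whose name merely contains `lo`, and `cni.*` any name containing `cni`. This appears to mirror the upstream default list, so it is not a regression, but anchoring the entries that are meant to be prefixes (`^docker.*`, `^lo$`) makes the intent explicit and avoids a surprising exclusion on hosts with unusual NIC names.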
@@ -0,0 +1,10 @@
|
|
1
|
+
apiVersion: kustomize.config.k8s.io/v1beta1
|
2
|
+
kind: Kustomization
|
3
|
+
|
4
|
+
namespace: metallb-system
|
5
|
+
|
6
|
+
resources:
|
7
|
+
- https://github.com/metallb/metallb/config/rbac/?ref=v0.13.9
|
8
|
+
- https://github.com/metallb/metallb/config/controllers/?ref=v0.13.9
|
9
|
+
- https://github.com/metallb/metallb/config/webhook/?ref=v0.13.9
|
10
|
+
- exclude-l2-config.yaml
|
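Review bot: The three remote bases on new lines 7–9 are pinned to the tag `v0.13.9`, and a git tag can be moved or re-pushed, so what `update-metallb.sh` later vendors into `crds.yaml` and `metallb.yaml.erb` is not reproducible from the ref alone. Pinning to the commit the tag resolves to (`?ref=<commit-sha>`, with the tag kept in a comment beside it) gives an immutable reference; diffing the committed kustomize output against the upstream release manifests is the other half of that check.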
@@ -0,0 +1,6 @@
|
|
1
|
+
#!/bin/bash
|
2
|
+
|
3
|
+
ROOT=$(dirname "${BASH_SOURCE}")/..
|
4
|
+
ROOT=$(cd ${ROOT} && pwd)
|
5
|
+
|
6
|
+
curl -L https://github.com/alex1989hu/kubelet-serving-cert-approver/raw/main/deploy/standalone-install.yaml > ${ROOT}/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb
|
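Review bot: Line 6 fetches `standalone-install.yaml` from the floating `main` branch with `curl -L` and no `-f`, so an HTTP error body or a truncated transfer is written straight over `src.yaml.erb`, and because neither this script nor `update-metallb.sh` in the next hunk sets `set -euo pipefail`, the failure is silent. Prefer a pinned ref and a failing curl: `curl -fsSL "https://github.com/alex1989hu/kubelet-serving-cert-approver/raw/<pinned-tag-or-sha>/deploy/standalone-install.yaml" > "${ROOT}/lib/.../src.yaml.erb"`, and quote `"${ROOT}"` in both scripts. The download is saved with an `.erb` suffix, so any `<%` sequence in the upstream manifest would be evaluated as Ruby at render time; a quick check for that after each refresh is cheap.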
@@ -0,0 +1,7 @@
|
|
1
|
+
#!/bin/bash
|
2
|
+
|
3
|
+
ROOT=$(dirname "${BASH_SOURCE}")/..
|
4
|
+
ROOT=$(cd ${ROOT} && pwd)
|
5
|
+
|
6
|
+
kubectl kustomize ${ROOT}/hack/metallb/crds > ${ROOT}/lib/porkadot/assets/kubernetes/manifests/addons/metallb/crds.yaml
|
7
|
+
kubectl kustomize ${ROOT}/hack/metallb > ${ROOT}/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml.erb
|
@@ -13,23 +13,27 @@ spec:
|
|
13
13
|
image: <%= etcd.image_repository %>:<%= etcd.image_tag %>
|
14
14
|
command:
|
15
15
|
- /usr/local/bin/etcd
|
16
|
-
- --name=<%= config.member_name %>
|
17
16
|
- --advertise-client-urls=<%= config.advertise_client_urls.join(',') %>
|
17
|
+
- --cert-file=/etc/etcd/pki/etcd.crt
|
18
|
+
- --client-cert-auth=true
|
19
|
+
- --data-dir=/var/lib/etcd
|
20
|
+
- --election-timeout=10000
|
21
|
+
- --experimental-initial-corrupt-check=true
|
22
|
+
- --experimental-watch-progress-notify-interval=5s
|
23
|
+
- --heartbeat-interval=1000
|
18
24
|
- --initial-advertise-peer-urls=<%= config.advertise_peer_urls.join(',') %>
|
19
25
|
- --initial-cluster=<%= config.initial_cluster.map{|k,v| "#{k}=#{v}"}.join(',') %>
|
26
|
+
- --key-file=/etc/etcd/pki/etcd.key
|
20
27
|
- --listen-client-urls=<%= config.listen_client_urls.join(',') %>
|
21
28
|
- --listen-peer-urls=<%= config.listen_peer_urls.join(',') %>
|
22
|
-
- --
|
23
|
-
- --
|
24
|
-
- --key-file=/etc/etcd/pki/etcd.key
|
25
|
-
- --trusted-ca-file=/etc/etcd/pki/ca.crt
|
26
|
-
- --peer-client-cert-auth=true
|
29
|
+
- --listen-metrics-urls=<%= config.listen_metrics_urls.join(',') %>
|
30
|
+
- --name=<%= config.member_name %>
|
27
31
|
- --peer-cert-file=/etc/etcd/pki/etcd.crt
|
32
|
+
- --peer-client-cert-auth=true
|
28
33
|
- --peer-key-file=/etc/etcd/pki/etcd.key
|
29
34
|
- --peer-trusted-ca-file=/etc/etcd/pki/ca.crt
|
30
|
-
- --
|
31
|
-
- --
|
32
|
-
- --election-timeout=10000
|
35
|
+
- --snapshot-count=10000
|
36
|
+
- --trusted-ca-file=/etc/etcd/pki/ca.crt
|
33
37
|
env:
|
34
38
|
<%= u.to_yaml(etcd.extra_env, 4) -%>
|
35
39
|
volumeMounts:
|
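Review bot: `--listen-metrics-urls` on new line 29 opens an additional listener for `/metrics` and `/health`; with a plain `http://` URL that listener carries neither TLS nor the client-certificate check that `--client-cert-auth=true` (line 18) applies to the client URLs, so whatever address it binds is reachable unauthenticated. The value comes from `config.listen_metrics_urls`, defined in `configs/etcd.rb` outside this chunk — confirm its default stays on loopback or the node-internal address rather than `0.0.0.0`, and say so in the template: `# metrics listener has no client auth when http:// — keep it off external interfaces`.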
@@ -44,6 +48,10 @@ spec:
|
|
44
48
|
- mountPath: /etc/etcd/pki
|
45
49
|
name: etcd-certs-host
|
46
50
|
readOnly: true
|
51
|
+
priorityClassName: system-node-critical
|
52
|
+
securityContext:
|
53
|
+
seccompProfile:
|
54
|
+
type: RuntimeDefault
|
47
55
|
volumes:
|
48
56
|
- hostPath:
|
49
57
|
path: /var/lib/etcd
|
data/lib/porkadot/assets/etcd.rb
CHANGED
@@ -1,39 +1 @@
|
|
1
|
-
|
2
|
-
authentication:
|
3
|
-
anonymous:
|
4
|
-
enabled: false
|
5
|
-
webhook:
|
6
|
-
cacheTTL: 0s
|
7
|
-
enabled: true
|
8
|
-
x509:
|
9
|
-
clientCAFile: /etc/kubernetes/pki/ca.crt
|
10
|
-
authorization:
|
11
|
-
mode: Webhook
|
12
|
-
webhook:
|
13
|
-
cacheAuthorizedTTL: 0s
|
14
|
-
cacheUnauthorizedTTL: 0s
|
15
|
-
cgroupDriver: systemd
|
16
|
-
clusterDNS:
|
17
|
-
- <%= global_config.k8s.networking.dns_ip %>
|
18
|
-
clusterDomain: <%= global_config.k8s.networking.dns_domain %>
|
19
|
-
cpuManagerReconcilePeriod: 0s
|
20
|
-
evictionPressureTransitionPeriod: 0s
|
21
|
-
fileCheckFrequency: 0s
|
22
|
-
healthzBindAddress: 127.0.0.1
|
23
|
-
healthzPort: 10248
|
24
|
-
httpCheckFrequency: 0s
|
25
|
-
imageMinimumGCAge: 0s
|
26
|
-
kind: KubeletConfiguration
|
27
|
-
nodeStatusReportFrequency: 0s
|
28
|
-
nodeStatusUpdateFrequency: 0s
|
29
|
-
rotateCertificates: true
|
30
|
-
runtimeRequestTimeout: 0s
|
31
|
-
staticPodPath: /etc/kubernetes/manifests
|
32
|
-
streamingConnectionIdleTimeout: 0s
|
33
|
-
syncFrequency: 0s
|
34
|
-
volumeStatsAggPeriod: 0s
|
35
|
-
serverTLSBootstrap: true
|
36
|
-
featureGates:
|
37
|
-
CSIMigration: false
|
38
|
-
|
39
|
-
# vim:filetype=yaml
|
1
|
+
<%= config.kubelet_config.to_hash.to_yaml %>
|
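Review bot: The replacement line renders `config.kubelet_config.to_hash.to_yaml` in place of a template that pinned `authentication.anonymous.enabled: false`, `authorization.mode: Webhook`, `x509.clientCAFile`, `rotateCertificates: true` and `serverTLSBootstrap: true`; those guarantees now depend on `configs/kubelet.rb` and `default.yaml`, which are outside this chunk. If `kubelet_config` is merged from user-supplied YAML, a site override can silently reintroduce anonymous access or `AlwaysAllow`, so the two auth settings should be asserted or forced on the Ruby side, and the template could record that: `# auth defaults come from default.yaml — anonymous.enabled=false and mode=Webhook must stay`. Also confirm the hash uses string keys, since Ruby symbol keys serialize as `:authentication:` and the kubelet rejects them; the leading `---` that `to_yaml` emits is harmless.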
@@ -0,0 +1 @@
|
|
1
|
+
InitiatorName=iqn.2020-04.cloud.unstable:<%= config.hostname %>
|
@@ -5,18 +5,14 @@ Documentation=http://kubernetes.io/docs/
|
|
5
5
|
[Service]
|
6
6
|
EnvironmentFile=-/etc/default/kubelet
|
7
7
|
ExecStart=/opt/bin/kubelet \
|
8
|
-
--container-runtime=remote \
|
9
8
|
--container-runtime-endpoint=/run/containerd/containerd.sock \
|
10
9
|
--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf \
|
11
10
|
--kubeconfig=/etc/kubernetes/kubelet.conf \
|
12
11
|
--config=/var/lib/kubelet/config.yaml \
|
13
|
-
--network-plugin=cni \
|
14
|
-
--pod-infra-container-image=k8s.gcr.io/pause:3.4.1 \
|
15
12
|
--hostname-override=<%= config.hostname %> \
|
16
|
-
--node-labels=<%= config.labels_string %>
|
17
|
-
--register-with-taints=<%= config.taints_string %> \
|
18
|
-
--resolv-conf=/run/systemd/resolve/resolv.conf
|
13
|
+
--node-labels=<%= config.labels_string %>
|
19
14
|
Restart=always
|
15
|
+
|
20
16
|
StartLimitInterval=0
|
21
17
|
RestartSec=10
|
22
18
|
|
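Review bot: `--register-with-taints=<%= config.taints_string %>` and `--resolv-conf=/run/systemd/resolve/resolv.conf` are dropped from ExecStart together with the obsolete runtime flags, but unlike `--container-runtime` and `--network-plugin` these two are still live kubelet settings; unless `registerWithTaints` and `resolvConf` now arrive through the generated `config.yaml` (`configs/kubelet.rb`, not in this chunk), nodes that were tainted at registration would accept ordinary workloads on first join, and pod DNS would fall back to the host's stub resolver. A pointer in the unit would make that traceable: `# taints and resolvConf are set in /var/lib/kubelet/config.yaml`.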
@@ -1,5 +1,7 @@
|
|
1
1
|
#!/bin/bash
|
2
2
|
|
3
|
+
set -euo pipefail
|
4
|
+
|
3
5
|
architecture="arm64"
|
4
6
|
case $(uname -m) in
|
5
7
|
x86_64) architecture="amd64" ;;
|
@@ -28,7 +30,7 @@ rm -f /opt/bin/kubelet
|
|
28
30
|
ln -s /opt/bin/kubelet-${RELEASE} /opt/bin/kubelet
|
29
31
|
|
30
32
|
ETCD_VER="<%= global_config.etcd.image_tag.gsub(/\-\w+$/, '') %>"
|
31
|
-
ETCD_URL=https://
|
33
|
+
ETCD_URL=https://github.com/etcd-io/etcd/releases/download/v${ETCD_VER}/etcd-v${ETCD_VER}-linux-${architecture}.tar.gz
|
32
34
|
ETCD_TMP=$(mktemp -d)
|
33
35
|
|
34
36
|
curl -L ${ETCD_URL} -o ${ETCD_TMP}/etcd.tar.gz
|
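Review bot: The rebuilt `ETCD_URL` on new line 33 selects the etcd release tarball by version, and the `curl -L` on line 36 fetches it with no integrity check; the release publishes `SHA256SUMS`, so the archive can be verified before the rest of the script (outside this hunk) unpacks and installs it. With the new `set -euo pipefail`, also pass `-f` so a 404 body is not saved as `etcd.tar.gz`: `curl -fsSL "${ETCD_URL}" -o "${ETCD_TMP}/etcd.tar.gz"`, followed by a `sha256sum -c` against the fetched checksum file.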
@@ -41,9 +41,7 @@ net.ipv4.ip_forward = 1
|
|
41
41
|
net.bridge.bridge-nf-call-iptables = 1
|
42
42
|
EOF
|
43
43
|
|
44
|
-
|
45
|
-
InitiatorName=iqn.2020-04.cloud.unstable:<%= config.hostname %>
|
46
|
-
EOF
|
44
|
+
cp ${ROOT}/initiatorname.iscsi /etc/iscsi/
|
47
45
|
|
48
46
|
systemctl restart iscsid.service
|
49
47
|
|
@@ -4,11 +4,26 @@ set -eu
|
|
4
4
|
export LC_ALL=C
|
5
5
|
ROOT=$(dirname "${BASH_SOURCE}")
|
6
6
|
|
7
|
+
export KUBERNETES_PATH="/etc/kubernetes"
|
8
|
+
export KUBERNETES_PKI_PATH="${KUBERNETES_PATH}/pki"
|
9
|
+
export KUBERNETES_MANIFESTS_PATH="${KUBERNETES_PATH}/manifests"
|
10
|
+
export KUBELET_PATH="/var/lib/kubelet"
|
11
|
+
|
12
|
+
mkdir -p ${KUBERNETES_PATH}
|
13
|
+
mkdir -p ${KUBERNETES_PKI_PATH}
|
14
|
+
mkdir -p ${KUBERNETES_MANIFESTS_PATH}
|
15
|
+
mkdir -p ${KUBELET_PATH}
|
16
|
+
|
17
|
+
cp ${ROOT}/bootstrap-kubelet.conf ${KUBERNETES_PATH}/
|
18
|
+
cp ${ROOT}/bootstrap.* ${KUBERNETES_PKI_PATH}/
|
19
|
+
cp ${ROOT}/ca.crt ${KUBERNETES_PKI_PATH}/
|
20
|
+
cp ${ROOT}/config.yaml ${KUBELET_PATH}/
|
21
|
+
cp ${ROOT}/kubelet.service /etc/systemd/system/
|
22
|
+
|
7
23
|
# Install addons
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
done
|
24
|
+
bash ${ROOT}/setup-node.sh
|
25
|
+
|
26
|
+
rm -f ${KUBERNETES_PATH}/kubelet.conf
|
27
|
+
systemctl daemon-reload
|
28
|
+
systemctl enable kubelet
|
29
|
+
systemctl restart kubelet
|
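Review bot: `cp ${ROOT}/bootstrap.* ${KUBERNETES_PKI_PATH}/` on new line 18 copies the bootstrap private key with whatever mode the rendered asset happens to have, and `mkdir -p ${KUBERNETES_PKI_PATH}` on line 13 creates the directory under the default umask; nothing in the script tightens either. Use `install -d -m 0700 "${KUBERNETES_PKI_PATH}"` and `install -m 0600 "${ROOT}"/bootstrap.* "${KUBERNETES_PKI_PATH}"/` for the key material, and quote the expansions throughout — the script runs under `set -eu` per the hunk header but word-splitting is still in play. `rm -f ${KUBERNETES_PATH}/kubelet.conf` on line 26 forces a fresh TLS bootstrap on every run; a one-line comment saying that is intended would help the next reader.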
@@ -0,0 +1,22 @@
|
|
1
|
+
#!/bin/bash
|
2
|
+
set -eu
|
3
|
+
export LC_ALL=C
|
4
|
+
ROOT=$(dirname "${BASH_SOURCE}")
|
5
|
+
|
6
|
+
mkdir -p /etc/containerd
|
7
|
+
|
8
|
+
if [[ -f ${ROOT}/containerd/config.toml ]]; then
|
9
|
+
cp -rp ${ROOT}/containerd/config.toml /etc/containerd/config.toml
|
10
|
+
else
|
11
|
+
containerd config default | tee /etc/containerd/config.toml
|
12
|
+
|
13
|
+
grep SystemdCgroup /etc/containerd/config.toml && :
|
14
|
+
|
15
|
+
if [[ $? == 0 ]]; then
|
16
|
+
sed -i -e "s/SystemdCgroup.*$/SystemdCgroup = true/" /etc/containerd/config.toml
|
17
|
+
else
|
18
|
+
sed -i -e "/containerd.runtimes.runc.options/a SystemdCgroup = true" /etc/containerd/config.toml
|
19
|
+
fi
|
20
|
+
fi
|
21
|
+
|
22
|
+
systemctl restart containerd
|
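Review bot: Lines 13–15 detect the `SystemdCgroup` key with `grep ... && :` and then test `$?`; that works only because `&&` short-circuits on grep failure, which reads like a mistake. `if grep -q SystemdCgroup /etc/containerd/config.toml; then` says the same thing directly. Separately, `containerd config default | tee /etc/containerd/config.toml` on line 11 runs under `set -eu` without `pipefail`, so a failing `containerd` leaves an empty config that the following `sed` edits and `systemctl restart containerd` then loads; `set -euo pipefail` at the top, or writing to a temp file and moving it into place, would surface that.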
@@ -0,0 +1,16 @@
|
|
1
|
+
#!/bin/bash
|
2
|
+
|
3
|
+
set -eu
|
4
|
+
export LC_ALL=C
|
5
|
+
ROOT=$(dirname "${BASH_SOURCE}")
|
6
|
+
|
7
|
+
export PORKADOT_METADATA=${ROOT}/metadata.json
|
8
|
+
|
9
|
+
# Install addons
|
10
|
+
for addon in $(ls ${ROOT}/addons/); do
|
11
|
+
install_sh="${ROOT}/addons/${addon}/install.sh"
|
12
|
+
if [[ -f ${install_sh} ]]; then
|
13
|
+
echo "Install: ${install_sh}"
|
14
|
+
bash ${install_sh}
|
15
|
+
fi
|
16
|
+
done
|
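Review bot: `for addon in $(ls ${ROOT}/addons/)` on line 10 word-splits `ls` output, and under `set -eu` a missing `addons/` directory is not an error because the failing `ls` sits inside a command substitution. A glob is safer and shorter: `for addon_dir in "${ROOT}"/addons/*/; do` with `install_sh="${addon_dir}install.sh"`; when nothing matches the loop runs once on the literal pattern, which the existing `-f` check already handles.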
@@ -57,7 +57,19 @@ module Porkadot; module Assets
|
|
57
57
|
FileUtils.mkdir_p(config.addon_secrets_path)
|
58
58
|
end
|
59
59
|
|
60
|
+
render_ca_crt
|
61
|
+
render_erb 'setup-node.sh'
|
62
|
+
render_erb 'setup-containerd.sh'
|
60
63
|
render_erb 'install.sh'
|
64
|
+
render_erb 'install-deps.sh'
|
65
|
+
render_erb 'install-pkgs.sh'
|
66
|
+
end
|
67
|
+
|
68
|
+
def render_ca_crt
|
69
|
+
logger.info "----> ca.crt"
|
70
|
+
open(config.ca_crt_path, 'w') do |out|
|
71
|
+
out.write self.certs.ca_cert(false).to_pem
|
72
|
+
end
|
61
73
|
end
|
62
74
|
end
|
63
75
|
|
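Review bot: `open(config.ca_crt_path, 'w')` on new line 70 is `Kernel#open`, which treats a leading `|` in its argument as a command to spawn; the path comes from config rather than user input, but `File.write(config.ca_crt_path, self.certs.ca_cert(false).to_pem)` is the idiomatic form, cannot spawn anything, and removes the block. Since this method writes only the public CA certificate, a short comment such as `# writes the cluster CA certificate (public); no private key material here` would save a reader checking what `ca_cert(false)` returns.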
@@ -92,11 +104,8 @@ module Porkadot; module Assets
|
|
92
104
|
render_bootstrap_certs
|
93
105
|
render_erb 'config.yaml'
|
94
106
|
render_erb 'kubelet.service'
|
95
|
-
|
96
|
-
render_erb '
|
97
|
-
render_erb 'install-deps.sh'
|
98
|
-
render_erb 'install-pkgs.sh'
|
99
|
-
render_erb 'setup-containerd.sh'
|
107
|
+
render_erb 'initiatorname.iscsi'
|
108
|
+
render_erb 'metadata.json'
|
100
109
|
end
|
101
110
|
|
102
111
|
def render_bootstrap_certs
|
@@ -105,13 +114,6 @@ module Porkadot; module Assets
|
|
105
114
|
self.bootstrap_cert(true)
|
106
115
|
end
|
107
116
|
|
108
|
-
def render_ca_crt
|
109
|
-
logger.info "----> ca.crt"
|
110
|
-
open(config.ca_crt_path, 'w') do |out|
|
111
|
-
out.write self.certs.ca_cert(false).to_pem
|
112
|
-
end
|
113
|
-
end
|
114
|
-
|
115
117
|
def bootstrap_key
|
116
118
|
@bootstrap_key ||= certs.private_key(config.bootstrap_key_path)
|
117
119
|
return @bootstrap_key
|
@@ -5,10 +5,12 @@ export LC_ALL=C
|
|
5
5
|
ROOT=$(dirname "${BASH_SOURCE}")
|
6
6
|
KUBECTL_OPTS=${KUBECTL_OPTS:-""}
|
7
7
|
|
8
|
-
KUBECTL_OPTS="${KUBECTL_OPTS} --
|
8
|
+
KUBECTL_OPTS="${KUBECTL_OPTS} --prune"
|
9
9
|
KUBECTL_OPTS="${KUBECTL_OPTS} -l kubernetes.unstable.cloud/installed-by=porkadot"
|
10
10
|
<%- prune_allowlist.each do |a| -%>
|
11
11
|
KUBECTL_OPTS="${KUBECTL_OPTS} --prune-whitelist=<%= a %>"
|
12
12
|
<%- end -%>
|
13
13
|
|
14
|
+
/opt/bin/kubectl apply --force-conflicts --server-side -R -f ${ROOT}/manifests/crds
|
15
|
+
/opt/bin/kubectl wait --for condition=established --timeout=60s crd --all
|
14
16
|
/opt/bin/kubectl apply ${KUBECTL_OPTS} -k ${ROOT}
|
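Review bot: `kubectl wait --for condition=established --timeout=60s crd --all` on new line 15 waits on every CRD in the cluster, not just the ones applied on line 14, so an unrelated CRD that never becomes established stalls the install for a minute and then fails it. Scoping the wait to the applied files ties it to this step: `/opt/bin/kubectl wait --for condition=established --timeout=60s -R -f ${ROOT}/manifests/crds`. The CRDs are also applied server-side while everything else goes through the pruning client-side apply on line 16; a comment explaining why they sit outside `--prune` would help.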
@@ -1,62 +1,13 @@
|
|
1
1
|
<% cni = config.flannel -%>
|
2
2
|
<% k8s = global_config.k8s -%>
|
3
3
|
---
|
4
|
-
apiVersion: policy/v1beta1
|
5
|
-
kind: PodSecurityPolicy
|
6
|
-
metadata:
|
7
|
-
name: psp.flannel.unprivileged
|
8
|
-
annotations:
|
9
|
-
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
|
10
|
-
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
|
11
|
-
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
|
12
|
-
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
|
13
|
-
spec:
|
14
|
-
privileged: false
|
15
|
-
volumes:
|
16
|
-
- configMap
|
17
|
-
- secret
|
18
|
-
- emptyDir
|
19
|
-
- hostPath
|
20
|
-
allowedHostPaths:
|
21
|
-
- pathPrefix: "/etc/cni/net.d"
|
22
|
-
- pathPrefix: "/etc/kube-flannel"
|
23
|
-
- pathPrefix: "/run/flannel"
|
24
|
-
readOnlyRootFilesystem: false
|
25
|
-
# Users and groups
|
26
|
-
runAsUser:
|
27
|
-
rule: RunAsAny
|
28
|
-
supplementalGroups:
|
29
|
-
rule: RunAsAny
|
30
|
-
fsGroup:
|
31
|
-
rule: RunAsAny
|
32
|
-
# Privilege Escalation
|
33
|
-
allowPrivilegeEscalation: false
|
34
|
-
defaultAllowPrivilegeEscalation: false
|
35
|
-
# Capabilities
|
36
|
-
allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
|
37
|
-
defaultAddCapabilities: []
|
38
|
-
requiredDropCapabilities: []
|
39
|
-
# Host namespaces
|
40
|
-
hostPID: false
|
41
|
-
hostIPC: false
|
42
|
-
hostNetwork: true
|
43
|
-
hostPorts:
|
44
|
-
- min: 0
|
45
|
-
max: 65535
|
46
|
-
# SELinux
|
47
|
-
seLinux:
|
48
|
-
# SELinux is unused in CaaSP
|
49
|
-
rule: 'RunAsAny'
|
50
|
-
---
|
51
4
|
kind: ClusterRole
|
52
5
|
apiVersion: rbac.authorization.k8s.io/v1
|
53
6
|
metadata:
|
7
|
+
labels:
|
8
|
+
k8s-app: flannel
|
54
9
|
name: flannel
|
55
10
|
rules:
|
56
|
-
- apiGroups: ['extensions']
|
57
|
-
resources: ['podsecuritypolicies']
|
58
|
-
verbs: ['use']
|
59
|
-
resourceNames: ['psp.flannel.unprivileged']
|
60
11
|
- apiGroups:
|
61
12
|
- ""
|
62
13
|
resources:
|
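Review bot: Deleting the `psp.flannel.unprivileged` PodSecurityPolicy and the `use` rule on it removes the only place in this file that constrained the flannel pods (`allowPrivilegeEscalation: false`, `hostPID: false`, `hostIPC: false`, capabilities limited to `NET_ADMIN`/`NET_RAW`, the `allowedHostPaths` list); PSP is gone from current Kubernetes, but nothing added in this commit replaces those limits. The DaemonSet container's securityContext lies outside these hunks — check that it declares `capabilities.add: [NET_ADMIN, NET_RAW]` and `allowPrivilegeEscalation` explicitly rather than falling back to `privileged: true`, and that the namespace carries a Pod Security Admission label matching what the DaemonSet actually needs.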
@@ -68,6 +19,7 @@ rules:
|
|
68
19
|
resources:
|
69
20
|
- nodes
|
70
21
|
verbs:
|
22
|
+
- get
|
71
23
|
- list
|
72
24
|
- watch
|
73
25
|
- apiGroups:
|
@@ -80,6 +32,8 @@ rules:
|
|
80
32
|
kind: ClusterRoleBinding
|
81
33
|
apiVersion: rbac.authorization.k8s.io/v1
|
82
34
|
metadata:
|
35
|
+
labels:
|
36
|
+
k8s-app: flannel
|
83
37
|
name: flannel
|
84
38
|
roleRef:
|
85
39
|
apiGroup: rbac.authorization.k8s.io
|
@@ -93,6 +47,8 @@ subjects:
|
|
93
47
|
apiVersion: v1
|
94
48
|
kind: ServiceAccount
|
95
49
|
metadata:
|
50
|
+
labels:
|
51
|
+
k8s-app: flannel
|
96
52
|
name: flannel
|
97
53
|
namespace: kube-system
|
98
54
|
---
|
@@ -103,6 +59,7 @@ metadata:
|
|
103
59
|
namespace: kube-system
|
104
60
|
labels:
|
105
61
|
tier: node
|
62
|
+
k8s-app: flannel
|
106
63
|
app: flannel
|
107
64
|
data:
|
108
65
|
cni-conf.json: |
|
@@ -134,6 +91,7 @@ data:
|
|
134
91
|
"EnableIPv6": true,
|
135
92
|
"IPv6Network": "<%= k8s.networking.pod_v6subnet %>",
|
136
93
|
<%- end -%>
|
94
|
+
"EnableNFTables": false,
|
137
95
|
"Backend": {
|
138
96
|
"Type": "<%= cni.backend %>"
|
139
97
|
}
|
@@ -147,6 +105,7 @@ metadata:
|
|
147
105
|
labels:
|
148
106
|
tier: node
|
149
107
|
app: flannel
|
108
|
+
k8s-app: flannel
|
150
109
|
spec:
|
151
110
|
selector:
|
152
111
|
matchLabels:
|
@@ -221,6 +180,8 @@ spec:
|
|
221
180
|
valueFrom:
|
222
181
|
fieldRef:
|
223
182
|
fieldPath: metadata.namespace
|
183
|
+
- name: EVENT_QUEUE_DEPTH
|
184
|
+
value: "5000"
|
224
185
|
volumeMounts:
|
225
186
|
- name: run
|
226
187
|
mountPath: /run/flannel
|