--- apiVersion: extensions/v1beta1 kind: DaemonSet metadata: name: virtlet namespace: kube-system spec: template: metadata: name: virtlet labels: runtime: virtlet spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet # hostPID is true to (1) enable VMs to survive virtlet container restart # (to be checked) and (2) to enable the use of nsenter in init container hostPID: true # bootstrap procedure needs to create a configmap in kube-system namespace serviceAccountName: virtlet # only run Virtlet pods on the nodes with extraRuntime=virtlet label affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: extraRuntime operator: In values: - virtlet initContainers: # The init container first copies virtlet's flexvolume driver # to the default kubelet plugin dir to have it in the proper place by the # time kubelet is restarted by CRI proxy bootstrap procedure. # After that it checks if there's already saved kubelet config # and considers that CRI proxy bootstrap is already done if it exists. # If it doesn't, it drops criproxy binary into /opt/criproxy/bin # if it's not already there and then starts criproxy installation. # The possibility to put criproxy binary in advance into # /opt/criproxy/bin may be helpful for the purpose of # debugging criproxy # At the end it ensures that /var/lib/libvirt/images exists on node. - name: prepare-node image: openretriever/virtlet imagePullPolicy: IfNotPresent command: - /prepare-node.sh volumeMounts: - name: k8s-flexvolume-plugins-dir mountPath: /kubelet-volume-plugins - name: criproxybin mountPath: /opt/criproxy/bin - name: run mountPath: /run - name: dockersock mountPath: /var/run/docker.sock - name: criproxyconf mountPath: /etc/criproxy - name: log mountPath: /hostlog # for ensuring that /var/lib/libvirt/images exists on node - name: var-lib mountPath: /host-var-lib securityContext: privileged: true containers: - name: libvirt image: openretriever/virtlet # In case we inject local virtlet image we want to use it not officially available one imagePullPolicy: IfNotPresent command: - /libvirt.sh volumeMounts: - mountPath: /sys/fs/cgroup name: cgroup - mountPath: /lib/modules name: modules readOnly: true - mountPath: /boot name: boot readOnly: true - mountPath: /run name: run - mountPath: /var/lib/virtlet name: virtlet - mountPath: /var/lib/libvirt name: libvirt - mountPath: /var/run/libvirt name: libvirt-sockets # the log dir is needed here because otherwise libvirt will produce errors # like this: # Unable to pre-create chardev file '/var/log/vms/afd75bbb-8e97-11e7-9561-02420ac00002/cirros-vm_0.log': No such file or directory - name: vms-log mountPath: /var/log/vms - name: dev mountPath: /dev securityContext: privileged: true env: - name: VIRTLET_DISABLE_KVM valueFrom: configMapKeyRef: name: virtlet-config key: disable_kvm optional: true - name: virtlet image: openretriever/virtlet # In case we inject local virtlet image we want to use it not officially available one imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /run name: run # /boot and /lib/modules are required by supermin - mountPath: /lib/modules name: modules readOnly: true - mountPath: /boot name: boot readOnly: true - mountPath: /var/lib/virtlet name: virtlet - mountPath: /var/lib/libvirt name: libvirt - mountPath: /etc/cni name: cniconf - mountPath: /opt/cni/bin name: cnibin - mountPath: /var/run/libvirt name: libvirt-sockets - mountPath: /var/lib/cni name: cnidata - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec name: k8s-flexvolume-plugins-dir # below `:shared` is unofficial way to pass this option docker # which then will allow virtlet to see what kubelet mounts in # underlaying directories, after virtlet container is created - mountPath: /var/lib/kubelet/pods:shared name: k8s-pods-dir - name: vms-log mountPath: /var/log/vms - mountPath: /etc/virtlet/images name: image-name-translations - name: pods-log mountPath: /kubernetes-log securityContext: privileged: true env: - name: VIRTLET_DISABLE_KVM valueFrom: configMapKeyRef: name: virtlet-config key: disable_kvm optional: true - name: VIRTLET_DOWNLOAD_PROTOCOL valueFrom: configMapKeyRef: name: virtlet-config key: download_protocol optional: true - name: VIRTLET_LOGLEVEL valueFrom: configMapKeyRef: name: virtlet-config key: loglevel optional: true - name: VIRTLET_CALICO_SUBNET valueFrom: configMapKeyRef: name: virtlet-config key: calico-subnet optional: true - name: IMAGE_REGEXP_TRANSLATION valueFrom: configMapKeyRef: name: virtlet-config key: image_regexp_translation optional: true - name: IMAGE_TRANSLATIONS_DIR value: /etc/virtlet/images - name: KUBERNETES_POD_LOGS value: "/kubernetes-log" # TODO: should we rename it? - name: VIRTLET_VM_LOG_LOCATION value: "1" - name: vms image: openretriever/virtlet imagePullPolicy: IfNotPresent command: - /vms.sh volumeMounts: - mountPath: /var/lib/virtlet name: virtlet - mountPath: /var/lib/libvirt name: libvirt - name: vms-log mountPath: /var/log/vms - name: dev mountPath: /dev volumes: # /dev is needed for host raw device access - hostPath: path: /dev name: dev - hostPath: path: /sys/fs/cgroup name: cgroup - hostPath: path: /lib/modules name: modules - hostPath: path: /boot name: boot - hostPath: path: /run name: run # TODO: don't hardcode docker socket location here # This will require CRI proxy installation to run # in host mount namespace. - hostPath: path: /var/run/docker.sock name: dockersock - hostPath: path: /var/lib/virtlet name: virtlet - hostPath: path: /var/lib/libvirt name: libvirt - hostPath: path: /etc/cni name: cniconf - hostPath: path: /opt/cni/bin name: cnibin - hostPath: path: /var/lib/cni name: cnidata - hostPath: path: /opt/criproxy/bin name: criproxybin - hostPath: path: /etc/criproxy name: criproxyconf - hostPath: path: /var/log name: log - hostPath: path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec name: k8s-flexvolume-plugins-dir - hostPath: path: /var/lib/kubelet/pods name: k8s-pods-dir - hostPath: path: /var/lib name: var-lib - hostPath: path: /var/log/virtlet/vms name: vms-log - hostPath: path: /var/run/libvirt name: libvirt-sockets - hostPath: path: /var/log/pods name: pods-log - configMap: name: virtlet-image-translations name: image-name-translations --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: virtlet roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: virtlet subjects: - kind: ServiceAccount name: virtlet namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: virtlet namespace: kube-system rules: - apiGroups: - "" resources: - configmaps verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: configmap-reader rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: kubelet-node-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: configmap-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:nodes --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: virtlet-crd rules: - apiGroups: - "apiextensions.k8s.io" resources: - customresourcedefinitions verbs: - create - apiGroups: - "virtlet.k8s" resources: - virtletimagemappings verbs: - list - get --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: virtlet-crd roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: virtlet-crd subjects: - kind: ServiceAccount name: virtlet namespace: kube-system --- apiVersion: v1 kind: ServiceAccount metadata: name: virtlet namespace: kube-system