aboutsummaryrefslogtreecommitdiffstats
path: root/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files
diff options
context:
space:
mode:
Diffstat (limited to 'tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files')
-rw-r--r--tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml36
-rw-r--r--tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml94
-rwxr-xr-xtools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh121
-rw-r--r--tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/kube-flannel-daemonset.yml486
4 files changed, 304 insertions, 433 deletions
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml
new file mode 100644
index 00000000..1fe77cd6
--- /dev/null
+++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml
@@ -0,0 +1,36 @@
+#
+# cloned from https://github.com/nokia/danm/blob/v4.3.0/integration/manifests/cni_plugins/cni_plugins_ds.yaml
+#
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: danm-cni
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ danm.k8s.io: danm-cni
+ template:
+ metadata:
+ labels:
+ danm.k8s.io: danm-cni
+ spec:
+ containers:
+ - name: danm-cni
+ image: danm-cni-plugins
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: host-cni
+ mountPath: /host/cni
+ - name: host-net-d
+ mountPath: /host/net.d
+ hostNetwork: true
+ terminationGracePeriodSeconds: 0
+ volumes:
+ - name: host-cni
+ hostPath:
+ path: /opt/cni/bin
+ - name: host-net-d
+ hostPath:
+ path: /etc/cni/net.d
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml
new file mode 100644
index 00000000..1b61a04a
--- /dev/null
+++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml
@@ -0,0 +1,94 @@
+#
+# cloned from https://github.com/nokia/danm/tree/v4.3.0/integration/manifests/netwatcher
+#
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: netwatcher
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:netwatcher
+rules:
+rules:
+- apiGroups:
+ - danm.k8s.io
+ resources:
+ - danmnets
+ - clusternetworks
+ - tenantnetworks
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+- apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:netwatcher
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:netwatcher
+subjects:
+- kind: ServiceAccount
+ namespace: kube-system
+ name: netwatcher
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: netwatcher
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ danm.k8s.io: netwatcher
+ template:
+ metadata:
+ labels:
+ danm.k8s.io: netwatcher
+ spec:
+ serviceAccountName: netwatcher
+ hostNetwork: true
+ dnsPolicy: ClusterFirst
+ hostIPC: true
+ hostPID: true
+ containers:
+ - name: netwatcher
+ image: netwatcher
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ - NET_ADMIN
+ - NET_RAW
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ terminationGracePeriodSeconds: 0
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh
new file mode 100755
index 00000000..d1486f62
--- /dev/null
+++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh
@@ -0,0 +1,121 @@
+#!/bin/sh
+
+set -e
+
+usage() {
+ cat <<EOF
+Generate certificate suitable for use with an sidecar-injector webhook service.
+This script uses k8s' CertificateSigningRequest API to a generate a
+certificate signed by k8s CA suitable for use with sidecar-injector webhook
+services. This requires permissions to create and approve CSR. See
+https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
+detailed explantion and additional instructions.
+The server key/cert k8s CA cert are stored in a k8s secret.
+usage: ${0} [OPTIONS]
+The following flags are required.
+ --service Service name of webhook.
+ --namespace Namespace where webhook service and secret reside.
+ --secret Secret name for CA certificate and server certificate/key pair.
+EOF
+ exit 1
+}
+
+while [ $# -gt 0 ]; do
+ case ${1} in
+ --service)
+ service="$2"
+ shift
+ ;;
+ --secret)
+ secret="$2"
+ shift
+ ;;
+ --namespace)
+ namespace="$2"
+ shift
+ ;;
+ *)
+ usage
+ ;;
+ esac
+ shift
+done
+
+[ -z ${service} ] && service=danm-webhook-svc
+[ -z ${secret} ] && secret=danm-webhook-certs
+[ -z ${namespace} ] && namespace=kube-system
+
+if [ ! -x "$(command -v openssl)" ]; then
+ echo "openssl not found"
+ exit 1
+fi
+
+csrName=${service}.${namespace}
+tmpdir=$(mktemp -d)
+echo "creating certs in tmpdir ${tmpdir} "
+
+cat <<EOF >> ${tmpdir}/csr.conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${service}
+DNS.2 = ${service}.${namespace}
+DNS.3 = ${service}.${namespace}.svc
+EOF
+
+openssl genrsa -out ${tmpdir}/server-key.pem 2048
+openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
+
+# clean-up any previously created CSR for our service. Ignore errors if not present.
+kubectl delete csr ${csrName} 2>/dev/null || true
+
+# create server cert/key CSR and send to k8s API
+cat <<EOF | kubectl create -f -
+apiVersion: certificates.k8s.io/v1beta1
+kind: CertificateSigningRequest
+metadata:
+ name: ${csrName}
+spec:
+ groups:
+ - system:authenticated
+ request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+EOF
+
+# verify CSR has been created
+while true; do
+ kubectl get csr ${csrName}
+ if [ "$?" -eq 0 ]; then
+ break
+ fi
+done
+
+# approve and fetch the signed certificate
+kubectl certificate approve ${csrName}
+# verify certificate has been signed
+for x in $(seq 10); do
+ serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
+ if [ -n ${serverCert} ]; then
+ break
+ fi
+ sleep 1
+done
+echo ${serverCert} | openssl base64 -d -A -out ${tmpdir}/server-cert.pem
+
+
+# create the secret with CA cert and server cert/key
+kubectl create secret generic ${secret} \
+ --from-file=key.pem=${tmpdir}/server-key.pem \
+ --from-file=cert.pem=${tmpdir}/server-cert.pem \
+ --dry-run -o yaml |
+ kubectl -n ${namespace} apply -f -
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/kube-flannel-daemonset.yml b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/kube-flannel-daemonset.yml
index 00110ad6..1233ead4 100644
--- a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/kube-flannel-daemonset.yml
+++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/kube-flannel-daemonset.yml
@@ -1,5 +1,5 @@
#
-# cloned from https://github.com/coreos/flannel/blob/v0.12.0/Documentation/kube-flannel.yml
+# cloned from https://github.com/flannel-io/flannel/blob/v0.14.0/Documentation/kube-flannel.yml
#
---
apiVersion: policy/v1beta1
@@ -14,14 +14,14 @@ metadata:
spec:
privileged: false
volumes:
- - configMap
- - secret
- - emptyDir
- - hostPath
+ - configMap
+ - secret
+ - emptyDir
+ - hostPath
allowedHostPaths:
- - pathPrefix: "/etc/cni/net.d"
- - pathPrefix: "/etc/kube-flannel"
- - pathPrefix: "/run/flannel"
+ - pathPrefix: "/etc/cni/net.d"
+ - pathPrefix: "/etc/kube-flannel"
+ - pathPrefix: "/run/flannel"
readOnlyRootFilesystem: false
# Users and groups
runAsUser:
@@ -34,7 +34,7 @@ spec:
allowPrivilegeEscalation: false
defaultAllowPrivilegeEscalation: false
# Capabilities
- allowedCapabilities: ['NET_ADMIN']
+ allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
defaultAddCapabilities: []
requiredDropCapabilities: []
# Host namespaces
@@ -50,36 +50,36 @@ spec:
rule: 'RunAsAny'
---
kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: flannel
rules:
- - apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['psp.flannel.unprivileged']
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: ['psp.flannel.unprivileged']
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
---
kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: flannel
roleRef:
@@ -137,7 +137,7 @@ data:
apiVersion: apps/v1
kind: DaemonSet
metadata:
- name: kube-flannel-ds-amd64
+ name: kube-flannel-ds
namespace: kube-system
labels:
tier: node
@@ -156,23 +156,20 @@ spec:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- - matchExpressions:
- - key: beta.kubernetes.io/os
- operator: In
- values:
- - linux
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- - amd64
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
hostNetwork: true
+ priorityClassName: system-node-critical
tolerations:
- operator: Exists
effect: NoSchedule
serviceAccountName: flannel
initContainers:
- name: install-cni
- image: quay.io/coreos/flannel:v0.12.0-amd64
+ image: quay.io/coreos/flannel:v0.14.0
command:
- cp
args:
@@ -186,7 +183,7 @@ spec:
mountPath: /etc/kube-flannel/
containers:
- name: kube-flannel
- image: quay.io/coreos/flannel:v0.12.0-amd64
+ image: quay.io/coreos/flannel:v0.14.0
command:
- /opt/bin/flanneld
args:
@@ -202,7 +199,7 @@ spec:
securityContext:
privileged: false
capabilities:
- add: ["NET_ADMIN"]
+ add: ["NET_ADMIN", "NET_RAW"]
env:
- name: POD_NAME
valueFrom:
@@ -218,389 +215,12 @@ spec:
- name: flannel-cfg
mountPath: /etc/kube-flannel/
volumes:
- - name: run
- hostPath:
- path: /run/flannel
- - name: cni
- hostPath:
- path: /etc/cni/net.d
- - name: flannel-cfg
- configMap:
- name: kube-flannel-cfg
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: kube-flannel-ds-arm64
- namespace: kube-system
- labels:
- tier: node
- app: flannel
-spec:
- selector:
- matchLabels:
- app: flannel
- template:
- metadata:
- labels:
- tier: node
- app: flannel
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: beta.kubernetes.io/os
- operator: In
- values:
- - linux
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- - arm64
- hostNetwork: true
- tolerations:
- - operator: Exists
- effect: NoSchedule
- serviceAccountName: flannel
- initContainers:
- - name: install-cni
- image: quay.io/coreos/flannel:v0.12.0-arm64
- command:
- - cp
- args:
- - -f
- - /etc/kube-flannel/cni-conf.json
- - /etc/cni/net.d/10-flannel.conflist
- volumeMounts:
- - name: cni
- mountPath: /etc/cni/net.d
- - name: flannel-cfg
- mountPath: /etc/kube-flannel/
- containers:
- - name: kube-flannel
- image: quay.io/coreos/flannel:v0.12.0-arm64
- command:
- - /opt/bin/flanneld
- args:
- - --ip-masq
- - --kube-subnet-mgr
- resources:
- requests:
- cpu: "100m"
- memory: "50Mi"
- limits:
- cpu: "100m"
- memory: "50Mi"
- securityContext:
- privileged: false
- capabilities:
- add: ["NET_ADMIN"]
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- volumeMounts:
- - name: run
- mountPath: /run/flannel
- - name: flannel-cfg
- mountPath: /etc/kube-flannel/
- volumes:
- - name: run
- hostPath:
- path: /run/flannel
- - name: cni
- hostPath:
- path: /etc/cni/net.d
- - name: flannel-cfg
- configMap:
- name: kube-flannel-cfg
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: kube-flannel-ds-arm
- namespace: kube-system
- labels:
- tier: node
- app: flannel
-spec:
- selector:
- matchLabels:
- app: flannel
- template:
- metadata:
- labels:
- tier: node
- app: flannel
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: beta.kubernetes.io/os
- operator: In
- values:
- - linux
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- - arm
- hostNetwork: true
- tolerations:
- - operator: Exists
- effect: NoSchedule
- serviceAccountName: flannel
- initContainers:
- - name: install-cni
- image: quay.io/coreos/flannel:v0.12.0-arm
- command:
- - cp
- args:
- - -f
- - /etc/kube-flannel/cni-conf.json
- - /etc/cni/net.d/10-flannel.conflist
- volumeMounts:
- - name: cni
- mountPath: /etc/cni/net.d
- - name: flannel-cfg
- mountPath: /etc/kube-flannel/
- containers:
- - name: kube-flannel
- image: quay.io/coreos/flannel:v0.12.0-arm
- command:
- - /opt/bin/flanneld
- args:
- - --ip-masq
- - --kube-subnet-mgr
- resources:
- requests:
- cpu: "100m"
- memory: "50Mi"
- limits:
- cpu: "100m"
- memory: "50Mi"
- securityContext:
- privileged: false
- capabilities:
- add: ["NET_ADMIN"]
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- volumeMounts:
- - name: run
- mountPath: /run/flannel
- - name: flannel-cfg
- mountPath: /etc/kube-flannel/
- volumes:
- - name: run
- hostPath:
- path: /run/flannel
- - name: cni
- hostPath:
- path: /etc/cni/net.d
- - name: flannel-cfg
- configMap:
- name: kube-flannel-cfg
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: kube-flannel-ds-ppc64le
- namespace: kube-system
- labels:
- tier: node
- app: flannel
-spec:
- selector:
- matchLabels:
- app: flannel
- template:
- metadata:
- labels:
- tier: node
- app: flannel
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: beta.kubernetes.io/os
- operator: In
- values:
- - linux
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- - ppc64le
- hostNetwork: true
- tolerations:
- - operator: Exists
- effect: NoSchedule
- serviceAccountName: flannel
- initContainers:
- - name: install-cni
- image: quay.io/coreos/flannel:v0.12.0-ppc64le
- command:
- - cp
- args:
- - -f
- - /etc/kube-flannel/cni-conf.json
- - /etc/cni/net.d/10-flannel.conflist
- volumeMounts:
- - name: cni
- mountPath: /etc/cni/net.d
- - name: flannel-cfg
- mountPath: /etc/kube-flannel/
- containers:
- - name: kube-flannel
- image: quay.io/coreos/flannel:v0.12.0-ppc64le
- command:
- - /opt/bin/flanneld
- args:
- - --ip-masq
- - --kube-subnet-mgr
- resources:
- requests:
- cpu: "100m"
- memory: "50Mi"
- limits:
- cpu: "100m"
- memory: "50Mi"
- securityContext:
- privileged: false
- capabilities:
- add: ["NET_ADMIN"]
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- volumeMounts:
- - name: run
- mountPath: /run/flannel
- - name: flannel-cfg
- mountPath: /etc/kube-flannel/
- volumes:
- - name: run
- hostPath:
- path: /run/flannel
- - name: cni
- hostPath:
- path: /etc/cni/net.d
- - name: flannel-cfg
- configMap:
- name: kube-flannel-cfg
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: kube-flannel-ds-s390x
- namespace: kube-system
- labels:
- tier: node
- app: flannel
-spec:
- selector:
- matchLabels:
- app: flannel
- template:
- metadata:
- labels:
- tier: node
- app: flannel
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: beta.kubernetes.io/os
- operator: In
- values:
- - linux
- - key: beta.kubernetes.io/arch
- operator: In
- values:
- - s390x
- hostNetwork: true
- tolerations:
- - operator: Exists
- effect: NoSchedule
- serviceAccountName: flannel
- initContainers:
- - name: install-cni
- image: quay.io/coreos/flannel:v0.12.0-s390x
- command:
- - cp
- args:
- - -f
- - /etc/kube-flannel/cni-conf.json
- - /etc/cni/net.d/10-flannel.conflist
- volumeMounts:
- - name: cni
- mountPath: /etc/cni/net.d
- - name: flannel-cfg
- mountPath: /etc/kube-flannel/
- containers:
- - name: kube-flannel
- image: quay.io/coreos/flannel:v0.12.0-s390x
- command:
- - /opt/bin/flanneld
- args:
- - --ip-masq
- - --kube-subnet-mgr
- resources:
- requests:
- cpu: "100m"
- memory: "50Mi"
- limits:
- cpu: "100m"
- memory: "50Mi"
- securityContext:
- privileged: false
- capabilities:
- add: ["NET_ADMIN"]
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- volumeMounts:
- - name: run
- mountPath: /run/flannel
- - name: flannel-cfg
- mountPath: /etc/kube-flannel/
- volumes:
- - name: run
- hostPath:
- path: /run/flannel
- - name: cni
- hostPath:
- path: /etc/cni/net.d
- - name: flannel-cfg
- configMap:
- name: kube-flannel-cfg
-
+ - name: run
+ hostPath:
+ path: /run/flannel
+ - name: cni
+ hostPath:
+ path: /etc/cni/net.d
+ - name: flannel-cfg
+ configMap:
+ name: kube-flannel-cfg \ No newline at end of file