Diffstat (limited to 'tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files')
4 files changed, 304 insertions, 433 deletions
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml
new file mode 100644
index 00000000..1fe77cd6
--- /dev/null
+++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml
@@ -0,0 +1,36 @@
+#
+# cloned from https://github.com/nokia/danm/blob/v4.3.0/integration/manifests/cni_plugins/cni_plugins_ds.yaml
+#
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: danm-cni
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ danm.k8s.io: danm-cni
+ template:
+ metadata:
+ labels:
+ danm.k8s.io: danm-cni
+ spec:
+ containers:
+ - name: danm-cni
+ image: danm-cni-plugins
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: host-cni
+ mountPath: /host/cni
+ - name: host-net-d
+ mountPath: /host/net.d
+ hostNetwork: true
+ terminationGracePeriodSeconds: 0
+ volumes:
+ - name: host-cni
+ hostPath:
+ path: /opt/cni/bin
+ - name: host-net-d
+ hostPath:
+ path: /etc/cni/net.d
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml
new file mode 100644
index 00000000..1b61a04a
--- /dev/null
+++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml
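Review bot: `image: danm-cni-plugins` carries no registry, tag or digest, so with `imagePullPolicy: IfNotPresent` each node runs whatever untagged image happens to be cached locally (or an implicit `:latest` pull), even though the header says the manifest tracks danm v4.3.0. This matters more than usual here because the container writes into `/opt/cni/bin` and `/etc/cni/net.d` through hostPath mounts, and whatever it drops there is executed by the kubelet with node privileges on every pod setup. Pin the image, e.g. `image: <registry>/danm-cni-plugins:v4.3.0` or an `@sha256:` digest, and consider giving the container a `securityContext` that drops unneeded capabilities and a `resources` block, neither of which the DaemonSet has.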
@@ -0,0 +1,94 @@
+#
+# cloned from https://github.com/nokia/danm/tree/v4.3.0/integration/manifests/netwatcher
+#
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: netwatcher
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:netwatcher
+rules:
+rules:
+- apiGroups:
+ - danm.k8s.io
+ resources:
+ - danmnets
+ - clusternetworks
+ - tenantnetworks
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+- apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:netwatcher
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:netwatcher
+subjects:
+- kind: ServiceAccount
+ namespace: kube-system
+ name: netwatcher
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: netwatcher
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ danm.k8s.io: netwatcher
+ template:
+ metadata:
+ labels:
+ danm.k8s.io: netwatcher
+ spec:
+ serviceAccountName: netwatcher
+ hostNetwork: true
+ dnsPolicy: ClusterFirst
+ hostIPC: true
+ hostPID: true
+ containers:
+ - name: netwatcher
+ image: netwatcher
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ - NET_ADMIN
+ - NET_RAW
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ terminationGracePeriodSeconds: 0
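Review bot: The ClusterRole `system:netwatcher` has the `rules:` key twice in a row; strict YAML loaders reject duplicate mapping keys and lenient ones keep only the second, so this manifest either fails to apply or silently relies on last-wins — delete the first `rules:` line. The pod template also combines `hostPID: true`, `hostIPC: true` and `SYS_PTRACE`/`SYS_ADMIN`, which together let a compromised netwatcher attach to any process on the host, i.e. it is node-root in all but name; if the upstream v4.3.0 manifest genuinely needs all of these, a comment naming the feature that requires `hostPID` plus `SYS_PTRACE` would help the next reviewer, and a `capabilities.drop: ["ALL"]` before the `add:` list would at least remove the default set. As in the cni-plugins DaemonSet, `image: netwatcher` has no registry, tag or digest and should be pinned. The `kubernetes.io/bootstrapping: rbac-defaults` label and `autoupdate` annotation are conventions for apiserver-managed roles; on a custom role they are harmless but misleading, so consider dropping them.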
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh
new file mode 100755
index 00000000..d1486f62
--- /dev/null
+++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh
@@ -0,0 +1,121 @@
+#!/bin/sh
+
+set -e
+
+usage() {
+ cat <<EOF
+Generate certificate suitable for use with an sidecar-injector webhook service.
+This script uses k8s' CertificateSigningRequest API to a generate a
+certificate signed by k8s CA suitable for use with sidecar-injector webhook
+services. This requires permissions to create and approve CSR. See
+https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
+detailed explantion and additional instructions.
+The server key/cert k8s CA cert are stored in a k8s secret.
+usage: ${0} [OPTIONS]
+The following flags are required.
+ --service Service name of webhook.
+ --namespace Namespace where webhook service and secret reside.
+ --secret Secret name for CA certificate and server certificate/key pair.
+EOF
+ exit 1
+}
+
+while [ $# -gt 0 ]; do
+ case ${1} in
+ --service)
+ service="$2"
+ shift
+ ;;
+ --secret)
+ secret="$2"
+ shift
+ ;;
+ --namespace)
+ namespace="$2"
+ shift
+ ;;
+ *)
+ usage
+ ;;
+ esac
+ shift
+done
+
+[ -z ${service} ] && service=danm-webhook-svc
+[ -z ${secret} ] && secret=danm-webhook-certs
+[ -z ${namespace} ] && namespace=kube-system
+
+if [ ! -x "$(command -v openssl)" ]; then
+ echo "openssl not found"
+ exit 1
+fi
+
+csrName=${service}.${namespace}
+tmpdir=$(mktemp -d)
+echo "creating certs in tmpdir ${tmpdir} "
+
+cat <<EOF >> ${tmpdir}/csr.conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${service}
+DNS.2 = ${service}.${namespace}
+DNS.3 = ${service}.${namespace}.svc
+EOF
+
+openssl genrsa -out ${tmpdir}/server-key.pem 2048
+openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
+
+# clean-up any previously created CSR for our service. Ignore errors if not present.
+kubectl delete csr ${csrName} 2>/dev/null || true
+
+# create server cert/key CSR and send to k8s API
+cat <<EOF | kubectl create -f -
+apiVersion: certificates.k8s.io/v1beta1
+kind: CertificateSigningRequest
+metadata:
+ name: ${csrName}
+spec:
+ groups:
+ - system:authenticated
+ request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+EOF
+
+# verify CSR has been created
+while true; do
+ kubectl get csr ${csrName}
+ if [ "$?" -eq 0 ]; then
+ break
+ fi
+done
+
+# approve and fetch the signed certificate
+kubectl certificate approve ${csrName}
+# verify certificate has been signed
+for x in $(seq 10); do
+ serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
+ if [ -n ${serverCert} ]; then
+ break
+ fi
+ sleep 1
+done
+echo ${serverCert} | openssl base64 -d -A -out ${tmpdir}/server-cert.pem
+
+
+# create the secret with CA cert and server cert/key
+kubectl create secret generic ${secret} \
+ --from-file=key.pem=${tmpdir}/server-key.pem \
+ --from-file=cert.pem=${tmpdir}/server-cert.pem \
+ --dry-run -o yaml |
+ kubectl -n ${namespace} apply -f -
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/kube-flannel-daemonset.yml b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/kube-flannel-daemonset.yml
index 00110ad6..1233ead4 100644
--- a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/kube-flannel-daemonset.yml
+++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/kube-flannel-daemonset.yml
@@ -1,5 +1,5 @@
 #
-# cloned from https://github.com/coreos/flannel/blob/v0.12.0/Documentation/kube-flannel.yml
+# cloned from https://github.com/flannel-io/flannel/blob/v0.14.0/Documentation/kube-flannel.yml
 #
 ---
 apiVersion: policy/v1beta1
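Review bot: In the signing wait loop `if [ -n ${serverCert} ]; then` the variable is unquoted, so while `.status.certificate` is still empty the test degenerates to `[ -n ]`, which is true, and the loop breaks on the first pass; `echo ${serverCert} | openssl base64 -d` then writes an empty `server-cert.pem` and the secret is created with a blank certificate. Quote it and refuse to continue when nothing was issued: `if [ -n "${serverCert}" ]; then break; fi` inside the loop and `[ -n "${serverCert}" ] || { echo "CSR ${csrName} was not signed" >&2; exit 1; }` after it. The earlier `while true; do kubectl get csr ...; if [ "$?" -eq 0 ]` block is dead code under `set -e`, because a failing `kubectl get` aborts the script before `$?` is examined; `until kubectl get csr ${csrName} >/dev/null 2>&1; do sleep 1; done` says what was meant. The private key is generated into `${tmpdir}` and never removed, so add `trap 'rm -rf "${tmpdir}"' EXIT` right after the `mktemp -d` line. Note also that the CSR is submitted as `certificates.k8s.io/v1beta1`, which was removed in Kubernetes 1.22, and the `v1` API requires a `signerName` whose built-in signers will not issue an arbitrary webhook serving certificate, so on a newer cluster this script needs a different issuance path (a self-managed CA or cert-manager).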
@@ -14,14 +14,14 @@ metadata: spec: privileged: false volumes: - - configMap - - secret - - emptyDir - - hostPath + - configMap + - secret + - emptyDir + - hostPath allowedHostPaths: - - pathPrefix: "/etc/cni/net.d" - - pathPrefix: "/etc/kube-flannel" - - pathPrefix: "/run/flannel" + - pathPrefix: "/etc/cni/net.d" + - pathPrefix: "/etc/kube-flannel" + - pathPrefix: "/run/flannel" readOnlyRootFilesystem: false # Users and groups runAsUser: @@ -34,7 +34,7 @@ spec: allowPrivilegeEscalation: false defaultAllowPrivilegeEscalation: false # Capabilities - allowedCapabilities: ['NET_ADMIN'] + allowedCapabilities: ['NET_ADMIN', 'NET_RAW'] defaultAddCapabilities: [] requiredDropCapabilities: [] # Host namespaces @@ -50,36 +50,36 @@ spec: rule: 'RunAsAny' --- kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: flannel rules: - - apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['psp.flannel.unprivileged'] - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: ['psp.flannel.unprivileged'] +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch --- kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: flannel roleRef: @@ -137,7 +137,7 @@ data: apiVersion: apps/v1 kind: DaemonSet metadata: - name: kube-flannel-ds-amd64 + name: kube-flannel-ds namespace: kube-system labels: tier: node 
@@ -156,23 +156,20 @@ spec: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/os - operator: In - values: - - linux - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux hostNetwork: true + priorityClassName: system-node-critical tolerations: - operator: Exists effect: NoSchedule serviceAccountName: flannel initContainers: - name: install-cni - image: quay.io/coreos/flannel:v0.12.0-amd64 + image: quay.io/coreos/flannel:v0.14.0 command: - cp args: @@ -186,7 +183,7 @@ spec: mountPath: /etc/kube-flannel/ containers: - name: kube-flannel - image: quay.io/coreos/flannel:v0.12.0-amd64 + image: quay.io/coreos/flannel:v0.14.0 command: - /opt/bin/flanneld args: @@ -202,7 +199,7 @@ spec: securityContext: privileged: false capabilities: - add: ["NET_ADMIN"] + add: ["NET_ADMIN", "NET_RAW"] env: - name: POD_NAME valueFrom: 
@@ -218,389 +215,12 @@ spec: - name: flannel-cfg mountPath: /etc/kube-flannel/ volumes: - - name: run - hostPath: - path: /run/flannel - - name: cni - hostPath: - path: /etc/cni/net.d - - name: flannel-cfg - configMap: - name: kube-flannel-cfg ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: kube-flannel-ds-arm64 - namespace: kube-system - labels: - tier: node - app: flannel -spec: - selector: - matchLabels: - app: flannel - template: - metadata: - labels: - tier: node - app: flannel - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/os - operator: In - values: - - linux - - key: beta.kubernetes.io/arch - operator: In - values: - - arm64 - hostNetwork: true - tolerations: - - operator: Exists - effect: NoSchedule - serviceAccountName: flannel - initContainers: - - name: install-cni - image: quay.io/coreos/flannel:v0.12.0-arm64 - command: - - cp - args: - - -f - - /etc/kube-flannel/cni-conf.json - - /etc/cni/net.d/10-flannel.conflist - volumeMounts: - - name: cni - mountPath: /etc/cni/net.d - - name: flannel-cfg - mountPath: /etc/kube-flannel/ - containers: - - name: kube-flannel - image: quay.io/coreos/flannel:v0.12.0-arm64 - command: - - /opt/bin/flanneld - args: - - --ip-masq - - --kube-subnet-mgr - resources: - requests: - cpu: "100m" - memory: "50Mi" - limits: - cpu: "100m" - memory: "50Mi" - securityContext: - privileged: false - capabilities: - add: ["NET_ADMIN"] - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: run - mountPath: /run/flannel - - name: flannel-cfg - mountPath: /etc/kube-flannel/ - volumes: - - name: run - hostPath: - path: /run/flannel - - name: cni - hostPath: - path: /etc/cni/net.d - - name: flannel-cfg - configMap: - name: kube-flannel-cfg ---- -apiVersion: apps/v1 -kind: DaemonSet 
-metadata: - name: kube-flannel-ds-arm - namespace: kube-system - labels: - tier: node - app: flannel -spec: - selector: - matchLabels: - app: flannel - template: - metadata: - labels: - tier: node - app: flannel - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/os - operator: In - values: - - linux - - key: beta.kubernetes.io/arch - operator: In - values: - - arm - hostNetwork: true - tolerations: - - operator: Exists - effect: NoSchedule - serviceAccountName: flannel - initContainers: - - name: install-cni - image: quay.io/coreos/flannel:v0.12.0-arm - command: - - cp - args: - - -f - - /etc/kube-flannel/cni-conf.json - - /etc/cni/net.d/10-flannel.conflist - volumeMounts: - - name: cni - mountPath: /etc/cni/net.d - - name: flannel-cfg - mountPath: /etc/kube-flannel/ - containers: - - name: kube-flannel - image: quay.io/coreos/flannel:v0.12.0-arm - command: - - /opt/bin/flanneld - args: - - --ip-masq - - --kube-subnet-mgr - resources: - requests: - cpu: "100m" - memory: "50Mi" - limits: - cpu: "100m" - memory: "50Mi" - securityContext: - privileged: false - capabilities: - add: ["NET_ADMIN"] - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: run - mountPath: /run/flannel - - name: flannel-cfg - mountPath: /etc/kube-flannel/ - volumes: - - name: run - hostPath: - path: /run/flannel - - name: cni - hostPath: - path: /etc/cni/net.d - - name: flannel-cfg - configMap: - name: kube-flannel-cfg ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: kube-flannel-ds-ppc64le - namespace: kube-system - labels: - tier: node - app: flannel -spec: - selector: - matchLabels: - app: flannel - template: - metadata: - labels: - tier: node - app: flannel - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - 
nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/os - operator: In - values: - - linux - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - hostNetwork: true - tolerations: - - operator: Exists - effect: NoSchedule - serviceAccountName: flannel - initContainers: - - name: install-cni - image: quay.io/coreos/flannel:v0.12.0-ppc64le - command: - - cp - args: - - -f - - /etc/kube-flannel/cni-conf.json - - /etc/cni/net.d/10-flannel.conflist - volumeMounts: - - name: cni - mountPath: /etc/cni/net.d - - name: flannel-cfg - mountPath: /etc/kube-flannel/ - containers: - - name: kube-flannel - image: quay.io/coreos/flannel:v0.12.0-ppc64le - command: - - /opt/bin/flanneld - args: - - --ip-masq - - --kube-subnet-mgr - resources: - requests: - cpu: "100m" - memory: "50Mi" - limits: - cpu: "100m" - memory: "50Mi" - securityContext: - privileged: false - capabilities: - add: ["NET_ADMIN"] - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: run - mountPath: /run/flannel - - name: flannel-cfg - mountPath: /etc/kube-flannel/ - volumes: - - name: run - hostPath: - path: /run/flannel - - name: cni - hostPath: - path: /etc/cni/net.d - - name: flannel-cfg - configMap: - name: kube-flannel-cfg ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: kube-flannel-ds-s390x - namespace: kube-system - labels: - tier: node - app: flannel -spec: - selector: - matchLabels: - app: flannel - template: - metadata: - labels: - tier: node - app: flannel - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/os - operator: In - values: - - linux - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - hostNetwork: true - tolerations: - - operator: Exists - effect: NoSchedule - serviceAccountName: flannel - 
initContainers: - - name: install-cni - image: quay.io/coreos/flannel:v0.12.0-s390x - command: - - cp - args: - - -f - - /etc/kube-flannel/cni-conf.json - - /etc/cni/net.d/10-flannel.conflist - volumeMounts: - - name: cni - mountPath: /etc/cni/net.d - - name: flannel-cfg - mountPath: /etc/kube-flannel/ - containers: - - name: kube-flannel - image: quay.io/coreos/flannel:v0.12.0-s390x - command: - - /opt/bin/flanneld - args: - - --ip-masq - - --kube-subnet-mgr - resources: - requests: - cpu: "100m" - memory: "50Mi" - limits: - cpu: "100m" - memory: "50Mi" - securityContext: - privileged: false - capabilities: - add: ["NET_ADMIN"] - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: run - mountPath: /run/flannel - - name: flannel-cfg - mountPath: /etc/kube-flannel/ - volumes: - - name: run - hostPath: - path: /run/flannel - - name: cni - hostPath: - path: /etc/cni/net.d - - name: flannel-cfg - configMap: - name: kube-flannel-cfg - + - name: run + hostPath: + path: /run/flannel + - name: cni + hostPath: + path: /etc/cni/net.d + - name: flannel-cfg + configMap: + name: kube-flannel-cfg
\ No newline at end of file |