blob: 51df41c3165ae5a6812890596403ce59f95d5c8e [file] [log] [blame]
---
# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: genie-plugin
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- update
- patch
- apiGroups:
- "alpha.network.k8s.io"
resources:
- logicalnetworks
verbs:
- get
- update
- patch
- apiGroups:
- "alpha.network.k8s.io"
resources:
- physicalnetworks
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- apiGroups:
- "admissionregistration.k8s.io"
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
- create
- delete
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: genie-policy
rules:
- apiGroups:
- ""
resources:
- networkpolicies
verbs:
- get
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: genie-plugin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: genie-plugin
subjects:
- kind: ServiceAccount
name: genie-plugin
namespace: kube-system
- kind: ServiceAccount
name: genie-policy
namespace: kube-system
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: genie-policy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: genie-policy
subjects:
- kind: ServiceAccount
name: genie-policy
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: genie-plugin
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: genie-policy
namespace: kube-system
---
# This ConfigMap can be used to configure a self-hosted CNI-Genie installation.
kind: ConfigMap
apiVersion: v1
metadata:
name: genie-config
namespace: kube-system
data:
# The CNI network configuration to install on each node.
cni_genie_network_config: |-
{
"name": "k8s-pod-network",
"type": "genie",
"log_level": "info",
"datastore_type": "kubernetes",
"default_plugin": "calico",
"hostname": "__KUBERNETES_NODE_NAME__",
"policy": {
"type": "k8s",
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
},
"kubernetes": {
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
"kubeconfig": "/etc/cni/net.d/genie-kubeconfig"
},
"romana_root": "http://__ROMANA_SERVICE_HOST__:__ROMANA_SERVICE_PORT__",
"segment_label_name": "romanaSegment"
}
---
# Install CNI-Genie plugin on each slave node.
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: genie-plugin
namespace: kube-system
labels:
k8s-app: genie
spec:
selector:
matchLabels:
k8s-app: genie
template:
metadata:
labels:
k8s-app: genie
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
scheduler.alpha.kubernetes.io/tolerations: |
[
{
"key": "dedicated",
"value": "master",
"effect": "NoSchedule"
},
{
"key": "CriticalAddonsOnly",
"operator": "Exists"
}
]
spec:
hostNetwork: true
hostPID: true
serviceAccountName: genie-plugin
containers:
# Create a container with install.sh that
# Installs required 00-genie.conf and genie binary
# on slave node.
- name: install-cni
image: quay.io/huawei-cni-genie/genie-plugin:latest
imagePullPolicy: Always
command: ["/launch.sh"]
env:
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
name: genie-config
key: cni_genie_network_config
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
volumes:
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
---
# Genie network admission controller daemonset configuration
# Genie network admission controller pods will run only in master nodes
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: genie-network-admission-controller
namespace: kube-system
spec:
template:
metadata:
labels:
role: genie-network-admission-controller
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
- key: CriticalAddonsOnly
operator: Exists
nodeSelector:
node-role.kubernetes.io/master: ""
hostNetwork: true
serviceAccountName: genie-plugin
containers:
- name: genie-network-admission-controller
image: quay.io/huawei-cni-genie/genie-admission-controller:latest
imagePullPolicy: Always
ports:
- containerPort: 8000
---
# Genie network admission controller service
apiVersion: v1
kind: Service
metadata:
labels:
role: genie-network-admission-controller
name: genie-network-admission-controller
namespace: kube-system
spec:
ports:
- port: 443
targetPort: 8000
selector:
role: genie-network-admission-controller
---
# Daemonset configuration for geine network policy
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: genie-policy-controller
namespace: kube-system
labels:
k8s-app: genie-policy
spec:
selector:
matchLabels:
k8s-app: genie-policy
template:
metadata:
labels:
k8s-app: genie-policy
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
scheduler.alpha.kubernetes.io/tolerations: |
[
{
"key": "dedicated",
"value": "master",
"effect": "NoSchedule"
},
{
"key": "CriticalAddonsOnly",
"operator": "Exists"
}
]
spec:
hostNetwork: true
hostPID: true
serviceAccountName: genie-policy
containers:
- name: policy-engine
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: quay.io/huawei-cni-genie/genie-policy-controller:latest
imagePullPolicy: Always
command:
- /genie-policy
args:
- -kubeconfig=/etc/kubernetes/admin.conf
- -logtostderr=true
securityContext:
privileged: true
volumeMounts:
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
volumes:
- name: etc-kubernetes
hostPath:
path: /etc/kubernetes