| --- |
| # Copyright 2017-present Open Networking Foundation |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| --- |
| kind: ClusterRole |
| apiVersion: rbac.authorization.k8s.io/v1 |
| metadata: |
| name: genie-plugin |
| rules: |
| - apiGroups: |
| - "" |
| resources: |
| - pods |
| verbs: |
| - get |
| - update |
| - patch |
| - apiGroups: |
| - "alpha.network.k8s.io" |
| resources: |
| - logicalnetworks |
| verbs: |
| - get |
| - update |
| - patch |
| - apiGroups: |
| - "alpha.network.k8s.io" |
| resources: |
| - physicalnetworks |
| verbs: |
| - get |
| - update |
| - patch |
| - apiGroups: |
| - "" |
| resources: |
| - configmaps |
| verbs: |
| - get |
| - apiGroups: |
| - "admissionregistration.k8s.io" |
| resources: |
| - validatingwebhookconfigurations |
| verbs: |
| - get |
| - update |
| - create |
| - delete |
| |
| --- |
| kind: ClusterRole |
| apiVersion: rbac.authorization.k8s.io/v1 |
| metadata: |
| name: genie-policy |
| rules: |
| - apiGroups: |
| - "" |
| resources: |
| - networkpolicies |
| verbs: |
| - get |
| - apiGroups: |
| - "" |
| resources: |
| - namespaces |
| verbs: |
| - get |
| |
| --- |
| kind: ClusterRoleBinding |
| apiVersion: rbac.authorization.k8s.io/v1 |
| metadata: |
| name: genie-plugin |
| roleRef: |
| apiGroup: rbac.authorization.k8s.io |
| kind: ClusterRole |
| name: genie-plugin |
| subjects: |
| - kind: ServiceAccount |
| name: genie-plugin |
| namespace: kube-system |
| - kind: ServiceAccount |
| name: genie-policy |
| namespace: kube-system |
| - kind: Group |
| name: system:authenticated |
| apiGroup: rbac.authorization.k8s.io |
| |
| --- |
| kind: ClusterRoleBinding |
| apiVersion: rbac.authorization.k8s.io/v1 |
| metadata: |
| name: genie-policy |
| roleRef: |
| apiGroup: rbac.authorization.k8s.io |
| kind: ClusterRole |
| name: genie-policy |
| subjects: |
| - kind: ServiceAccount |
| name: genie-policy |
| namespace: kube-system |
| |
| --- |
| apiVersion: v1 |
| kind: ServiceAccount |
| metadata: |
| name: genie-plugin |
| namespace: kube-system |
| |
| --- |
| apiVersion: v1 |
| kind: ServiceAccount |
| metadata: |
| name: genie-policy |
| namespace: kube-system |
| |
| --- |
| # This ConfigMap can be used to configure a self-hosted CNI-Genie installation. |
| kind: ConfigMap |
| apiVersion: v1 |
| metadata: |
| name: genie-config |
| namespace: kube-system |
| data: |
| # The CNI network configuration to install on each node. |
| cni_genie_network_config: |- |
| { |
| "name": "k8s-pod-network", |
| "type": "genie", |
| "log_level": "info", |
| "datastore_type": "kubernetes", |
| "default_plugin": "calico", |
| "hostname": "__KUBERNETES_NODE_NAME__", |
| "policy": { |
| "type": "k8s", |
| "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__" |
| }, |
| "kubernetes": { |
| "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__", |
| "kubeconfig": "/etc/cni/net.d/genie-kubeconfig" |
| }, |
| "romana_root": "http://__ROMANA_SERVICE_HOST__:__ROMANA_SERVICE_PORT__", |
| "segment_label_name": "romanaSegment" |
| } |
| |
| --- |
| # Install CNI-Genie plugin on each slave node. |
| kind: DaemonSet |
| apiVersion: apps/v1 |
| metadata: |
| name: genie-plugin |
| namespace: kube-system |
| labels: |
| k8s-app: genie |
| spec: |
| selector: |
| matchLabels: |
| k8s-app: genie |
| template: |
| metadata: |
| labels: |
| k8s-app: genie |
| annotations: |
| scheduler.alpha.kubernetes.io/critical-pod: '' |
| scheduler.alpha.kubernetes.io/tolerations: | |
| [ |
| { |
| "key": "dedicated", |
| "value": "master", |
| "effect": "NoSchedule" |
| }, |
| { |
| "key": "CriticalAddonsOnly", |
| "operator": "Exists" |
| } |
| ] |
| spec: |
| hostNetwork: true |
| hostPID: true |
| serviceAccountName: genie-plugin |
| containers: |
| # Create a container with install.sh that |
| # Installs required 00-genie.conf and genie binary |
| # on slave node. |
| - name: install-cni |
| image: quay.io/huawei-cni-genie/genie-plugin:latest |
| imagePullPolicy: Always |
| command: ["/launch.sh"] |
| env: |
| - name: CNI_NETWORK_CONFIG |
| valueFrom: |
| configMapKeyRef: |
| name: genie-config |
| key: cni_genie_network_config |
| - name: KUBERNETES_NODE_NAME |
| valueFrom: |
| fieldRef: |
| fieldPath: spec.nodeName |
| volumeMounts: |
| - mountPath: /host/opt/cni/bin |
| name: cni-bin-dir |
| - mountPath: /host/etc/cni/net.d |
| name: cni-net-dir |
| volumes: |
| - name: cni-bin-dir |
| hostPath: |
| path: /opt/cni/bin |
| - name: cni-net-dir |
| hostPath: |
| path: /etc/cni/net.d |
| |
| --- |
| # Genie network admission controller daemonset configuration |
| # Genie network admission controller pods will run only in master nodes |
| apiVersion: apps/v1 |
| kind: DaemonSet |
| metadata: |
| name: genie-network-admission-controller |
| namespace: kube-system |
| spec: |
| template: |
| metadata: |
| labels: |
| role: genie-network-admission-controller |
| annotations: |
| scheduler.alpha.kubernetes.io/critical-pod: '' |
| spec: |
| tolerations: |
| - key: node-role.kubernetes.io/master |
| effect: NoSchedule |
| - key: CriticalAddonsOnly |
| operator: Exists |
| nodeSelector: |
| node-role.kubernetes.io/master: "" |
| hostNetwork: true |
| serviceAccountName: genie-plugin |
| containers: |
| - name: genie-network-admission-controller |
| image: quay.io/huawei-cni-genie/genie-admission-controller:latest |
| imagePullPolicy: Always |
| ports: |
| - containerPort: 8000 |
| --- |
| # Genie network admission controller service |
| apiVersion: v1 |
| kind: Service |
| metadata: |
| labels: |
| role: genie-network-admission-controller |
| name: genie-network-admission-controller |
| namespace: kube-system |
| spec: |
| ports: |
| - port: 443 |
| targetPort: 8000 |
| selector: |
| role: genie-network-admission-controller |
| |
| --- |
| # Daemonset configuration for geine network policy |
| kind: DaemonSet |
| apiVersion: apps/v1 |
| metadata: |
| name: genie-policy-controller |
| namespace: kube-system |
| labels: |
| k8s-app: genie-policy |
| spec: |
| selector: |
| matchLabels: |
| k8s-app: genie-policy |
| template: |
| metadata: |
| labels: |
| k8s-app: genie-policy |
| annotations: |
| scheduler.alpha.kubernetes.io/critical-pod: '' |
| scheduler.alpha.kubernetes.io/tolerations: | |
| [ |
| { |
| "key": "dedicated", |
| "value": "master", |
| "effect": "NoSchedule" |
| }, |
| { |
| "key": "CriticalAddonsOnly", |
| "operator": "Exists" |
| } |
| ] |
| spec: |
| hostNetwork: true |
| hostPID: true |
| serviceAccountName: genie-policy |
| containers: |
| - name: policy-engine |
| env: |
| - name: NODE_NAME |
| valueFrom: |
| fieldRef: |
| fieldPath: spec.nodeName |
| image: quay.io/huawei-cni-genie/genie-policy-controller:latest |
| imagePullPolicy: Always |
| command: |
| - /genie-policy |
| args: |
| - -kubeconfig=/etc/kubernetes/admin.conf |
| - -logtostderr=true |
| securityContext: |
| privileged: true |
| volumeMounts: |
| - name: etc-kubernetes |
| mountPath: /etc/kubernetes |
| readOnly: true |
| volumes: |
| - name: etc-kubernetes |
| hostPath: |
| path: /etc/kubernetes |