Blame - ponnet/templates/genie-cni-1.8.yaml - helm-charts

blob: 51df41c3165ae5a6812890596403ce59f95d5c8e [file] [log] [blame]

Andy Bavier	2259a6b	2018-07-12 15:27:48 -0700	[diff] [blame]	1	---
				2	# Copyright 2017-present Open Networking Foundation
				3	#
				4	# Licensed under the Apache License, Version 2.0 (the "License");
				5	# you may not use this file except in compliance with the License.
				6	# You may obtain a copy of the License at
				7	#
				8	# http://www.apache.org/licenses/LICENSE-2.0
				9	#
				10	# Unless required by applicable law or agreed to in writing, software
				11	# distributed under the License is distributed on an "AS IS" BASIS,
				12	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	# See the License for the specific language governing permissions and
				14	# limitations under the License.
				15	---
				16	kind: ClusterRole
Matteo Scandolo	5628d4b	2021-01-11 11:46:12 -0800	[diff] [blame^]	17	apiVersion: rbac.authorization.k8s.io/v1
Andy Bavier	2259a6b	2018-07-12 15:27:48 -0700	[diff] [blame]	18	metadata:
				19	name: genie-plugin
				20	rules:
				21	- apiGroups:
				22	- ""
				23	resources:
				24	- pods
				25	verbs:
				26	- get
				27	- update
				28	- patch
				29	- apiGroups:
				30	- "alpha.network.k8s.io"
				31	resources:
				32	- logicalnetworks
				33	verbs:
				34	- get
				35	- update
				36	- patch
				37	- apiGroups:
				38	- "alpha.network.k8s.io"
				39	resources:
				40	- physicalnetworks
				41	verbs:
				42	- get
				43	- update
				44	- patch
				45	- apiGroups:
				46	- ""
				47	resources:
				48	- configmaps
				49	verbs:
				50	- get
				51	- apiGroups:
				52	- "admissionregistration.k8s.io"
				53	resources:
				54	- validatingwebhookconfigurations
				55	verbs:
				56	- get
				57	- update
				58	- create
				59	- delete
				60
				61	---
				62	kind: ClusterRole
Matteo Scandolo	5628d4b	2021-01-11 11:46:12 -0800	[diff] [blame^]	63	apiVersion: rbac.authorization.k8s.io/v1
Andy Bavier	2259a6b	2018-07-12 15:27:48 -0700	[diff] [blame]	64	metadata:
				65	name: genie-policy
				66	rules:
				67	- apiGroups:
				68	- ""
				69	resources:
				70	- networkpolicies
				71	verbs:
				72	- get
				73	- apiGroups:
				74	- ""
				75	resources:
				76	- namespaces
				77	verbs:
				78	- get
				79
				80	---
				81	kind: ClusterRoleBinding
Matteo Scandolo	5628d4b	2021-01-11 11:46:12 -0800	[diff] [blame^]	82	apiVersion: rbac.authorization.k8s.io/v1
Andy Bavier	2259a6b	2018-07-12 15:27:48 -0700	[diff] [blame]	83	metadata:
				84	name: genie-plugin
				85	roleRef:
				86	apiGroup: rbac.authorization.k8s.io
				87	kind: ClusterRole
				88	name: genie-plugin
				89	subjects:
				90	- kind: ServiceAccount
				91	name: genie-plugin
				92	namespace: kube-system
				93	- kind: ServiceAccount
				94	name: genie-policy
				95	namespace: kube-system
				96	- kind: Group
				97	name: system:authenticated
				98	apiGroup: rbac.authorization.k8s.io
				99
				100	---
				101	kind: ClusterRoleBinding
Matteo Scandolo	5628d4b	2021-01-11 11:46:12 -0800	[diff] [blame^]	102	apiVersion: rbac.authorization.k8s.io/v1
Andy Bavier	2259a6b	2018-07-12 15:27:48 -0700	[diff] [blame]	103	metadata:
				104	name: genie-policy
				105	roleRef:
				106	apiGroup: rbac.authorization.k8s.io
				107	kind: ClusterRole
				108	name: genie-policy
				109	subjects:
				110	- kind: ServiceAccount
				111	name: genie-policy
				112	namespace: kube-system
				113
				114	---
				115	apiVersion: v1
				116	kind: ServiceAccount
				117	metadata:
				118	name: genie-plugin
				119	namespace: kube-system
				120
				121	---
				122	apiVersion: v1
				123	kind: ServiceAccount
				124	metadata:
				125	name: genie-policy
				126	namespace: kube-system
				127
				128	---
				129	# This ConfigMap can be used to configure a self-hosted CNI-Genie installation.
				130	kind: ConfigMap
				131	apiVersion: v1
				132	metadata:
				133	name: genie-config
				134	namespace: kube-system
				135	data:
				136	# The CNI network configuration to install on each node.
				137	cni_genie_network_config: \|-
				138	{
				139	"name": "k8s-pod-network",
				140	"type": "genie",
				141	"log_level": "info",
				142	"datastore_type": "kubernetes",
				143	"default_plugin": "calico",
				144	"hostname": "__KUBERNETES_NODE_NAME__",
				145	"policy": {
				146	"type": "k8s",
				147	"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
				148	},
				149	"kubernetes": {
				150	"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
				151	"kubeconfig": "/etc/cni/net.d/genie-kubeconfig"
				152	},
				153	"romana_root": "http://__ROMANA_SERVICE_HOST__:__ROMANA_SERVICE_PORT__",
				154	"segment_label_name": "romanaSegment"
				155	}
				156
				157	---
				158	# Install CNI-Genie plugin on each slave node.
				159	kind: DaemonSet
Matteo Scandolo	5628d4b	2021-01-11 11:46:12 -0800	[diff] [blame^]	160	apiVersion: apps/v1
Andy Bavier	2259a6b	2018-07-12 15:27:48 -0700	[diff] [blame]	161	metadata:
				162	name: genie-plugin
				163	namespace: kube-system
				164	labels:
				165	k8s-app: genie
				166	spec:
				167	selector:
				168	matchLabels:
				169	k8s-app: genie
				170	template:
				171	metadata:
				172	labels:
				173	k8s-app: genie
				174	annotations:
				175	scheduler.alpha.kubernetes.io/critical-pod: ''
				176	scheduler.alpha.kubernetes.io/tolerations: \|
				177	[
				178	{
				179	"key": "dedicated",
				180	"value": "master",
				181	"effect": "NoSchedule"
				182	},
				183	{
				184	"key": "CriticalAddonsOnly",
				185	"operator": "Exists"
				186	}
				187	]
				188	spec:
				189	hostNetwork: true
				190	hostPID: true
				191	serviceAccountName: genie-plugin
				192	containers:
				193	# Create a container with install.sh that
				194	# Installs required 00-genie.conf and genie binary
				195	# on slave node.
				196	- name: install-cni
				197	image: quay.io/huawei-cni-genie/genie-plugin:latest
				198	imagePullPolicy: Always
				199	command: ["/launch.sh"]
				200	env:
				201	- name: CNI_NETWORK_CONFIG
				202	valueFrom:
				203	configMapKeyRef:
				204	name: genie-config
				205	key: cni_genie_network_config
				206	- name: KUBERNETES_NODE_NAME
				207	valueFrom:
				208	fieldRef:
				209	fieldPath: spec.nodeName
				210	volumeMounts:
				211	- mountPath: /host/opt/cni/bin
				212	name: cni-bin-dir
				213	- mountPath: /host/etc/cni/net.d
				214	name: cni-net-dir
				215	volumes:
				216	- name: cni-bin-dir
				217	hostPath:
				218	path: /opt/cni/bin
				219	- name: cni-net-dir
				220	hostPath:
				221	path: /etc/cni/net.d
				222
				223	---
				224	# Genie network admission controller daemonset configuration
				225	# Genie network admission controller pods will run only in master nodes
Matteo Scandolo	5628d4b	2021-01-11 11:46:12 -0800	[diff] [blame^]	226	apiVersion: apps/v1
Andy Bavier	2259a6b	2018-07-12 15:27:48 -0700	[diff] [blame]	227	kind: DaemonSet
				228	metadata:
				229	name: genie-network-admission-controller
				230	namespace: kube-system
				231	spec:
				232	template:
				233	metadata:
				234	labels:
				235	role: genie-network-admission-controller
				236	annotations:
				237	scheduler.alpha.kubernetes.io/critical-pod: ''
				238	spec:
				239	tolerations:
				240	- key: node-role.kubernetes.io/master
				241	effect: NoSchedule
				242	- key: CriticalAddonsOnly
				243	operator: Exists
				244	nodeSelector:
				245	node-role.kubernetes.io/master: ""
				246	hostNetwork: true
				247	serviceAccountName: genie-plugin
				248	containers:
				249	- name: genie-network-admission-controller
				250	image: quay.io/huawei-cni-genie/genie-admission-controller:latest
				251	imagePullPolicy: Always
				252	ports:
				253	- containerPort: 8000
				254	---
				255	# Genie network admission controller service
				256	apiVersion: v1
				257	kind: Service
				258	metadata:
				259	labels:
				260	role: genie-network-admission-controller
				261	name: genie-network-admission-controller
				262	namespace: kube-system
				263	spec:
				264	ports:
				265	- port: 443
				266	targetPort: 8000
				267	selector:
				268	role: genie-network-admission-controller
				269
				270	---
				271	# Daemonset configuration for geine network policy
				272	kind: DaemonSet
Matteo Scandolo	5628d4b	2021-01-11 11:46:12 -0800	[diff] [blame^]	273	apiVersion: apps/v1
Andy Bavier	2259a6b	2018-07-12 15:27:48 -0700	[diff] [blame]	274	metadata:
				275	name: genie-policy-controller
				276	namespace: kube-system
				277	labels:
				278	k8s-app: genie-policy
				279	spec:
				280	selector:
				281	matchLabels:
				282	k8s-app: genie-policy
				283	template:
				284	metadata:
				285	labels:
				286	k8s-app: genie-policy
				287	annotations:
				288	scheduler.alpha.kubernetes.io/critical-pod: ''
				289	scheduler.alpha.kubernetes.io/tolerations: \|
				290	[
				291	{
				292	"key": "dedicated",
				293	"value": "master",
				294	"effect": "NoSchedule"
				295	},
				296	{
				297	"key": "CriticalAddonsOnly",
				298	"operator": "Exists"
				299	}
				300	]
				301	spec:
				302	hostNetwork: true
				303	hostPID: true
				304	serviceAccountName: genie-policy
				305	containers:
				306	- name: policy-engine
				307	env:
				308	- name: NODE_NAME
				309	valueFrom:
				310	fieldRef:
				311	fieldPath: spec.nodeName
				312	image: quay.io/huawei-cni-genie/genie-policy-controller:latest
				313	imagePullPolicy: Always
				314	command:
				315	- /genie-policy
				316	args:
				317	- -kubeconfig=/etc/kubernetes/admin.conf
				318	- -logtostderr=true
				319	securityContext:
				320	privileged: true
				321	volumeMounts:
				322	- name: etc-kubernetes
				323	mountPath: /etc/kubernetes
				324	readOnly: true
				325	volumes:
				326	- name: etc-kubernetes
				327	hostPath:
				328	path: /etc/kubernetes