Andy Bavier2259a6b2018-07-12 15:27:48 -07001---
2# Copyright 2017-present Open Networking Foundation
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
---
# ClusterRole for the CNI-Genie plugin. Granted to the genie-plugin and
# genie-policy service accounts by the genie-plugin ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: genie-plugin
rules:
  # Pods: read and update/patch, cluster-wide (no namespace restriction).
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - update
      - patch
  # Genie's own network resources. The original file spelled these as two
  # rules with identical verbs; a single rule grants exactly the same set.
  - apiGroups:
      - alpha.network.k8s.io
    resources:
      - logicalnetworks
      - physicalnetworks
    verbs:
      - get
      - update
      - patch
  # ConfigMaps: read-only. (Presumably for genie-config; the DaemonSet's
  # configMapKeyRef env var does not itself need this — confirm.)
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
  # ValidatingWebhookConfigurations: full lifecycle. Presumably so the
  # admission controller, which runs as this service account, can register
  # its webhook. create/delete here lets the holder intercept admission for
  # the whole cluster, so keep this role's subject list tight.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
      - create
      - delete
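---
# Read-only ClusterRole for the genie-policy service account.
#
# NOTE(review): the genie-policy-controller DaemonSet passes
# -kubeconfig=/etc/kubernetes/admin.conf to the controller, so at runtime it
# may not use this service account's permissions at all — confirm before
# treating this role as the controller's effective privilege boundary.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: genie-policy
rules:
  # NetworkPolicy has never been a core ("") API resource; it is served from
  # networking.k8s.io (older clusters also served it from extensions). The
  # original rule listed apiGroups [""] and therefore granted nothing.
  - apiGroups:
      - networking.k8s.io
      - extensions
    resources:
      - networkpolicies
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get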
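---
# Grants the genie-plugin ClusterRole to the plugin service accounts.
#
# The original binding also listed the Group system:authenticated, which
# contains every authenticated user and every service-account token in the
# cluster. That handed cluster-wide pod update/patch and create/delete of
# ValidatingWebhookConfigurations to any workload. That subject is removed
# here; a component that needs these verbs should be bound as an explicit
# ServiceAccount instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: genie-plugin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: genie-plugin
subjects:
  - kind: ServiceAccount
    name: genie-plugin
    namespace: kube-system
  # NOTE(review): genie-policy receives the plugin role here (cluster-wide pod
  # patch, webhook-configuration management) in addition to its own read-only
  # genie-policy role; confirm the policy controller needs these verbs.
  - kind: ServiceAccount
    name: genie-policy
    namespace: kube-system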
---
# Grants the read-only genie-policy ClusterRole to the genie-policy
# service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: genie-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: genie-policy
subjects:
  - kind: ServiceAccount
    name: genie-policy
    namespace: kube-system
---
# Service account used by the genie-plugin DaemonSet and the
# genie-network-admission-controller DaemonSet.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: genie-plugin
  namespace: kube-system
---
# Service account used by the genie-policy-controller DaemonSet.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: genie-policy
  namespace: kube-system
---
# Configuration for a self-hosted CNI-Genie installation. The install-cni
# container of the genie-plugin DaemonSet receives cni_genie_network_config
# through its CNI_NETWORK_CONFIG environment variable.
apiVersion: v1
kind: ConfigMap
metadata:
  name: genie-config
  namespace: kube-system
data:
  # CNI network configuration to install on each node. The __UPPERCASE__
  # tokens are placeholders; presumably /launch.sh in the install container
  # substitutes them before writing the file — confirm. Once rendered, the
  # file under /etc/cni/net.d on the host carries the service-account token
  # in plaintext, and romana_root is a plain-http endpoint.
  cni_genie_network_config: |-
    {
      "name": "k8s-pod-network",
      "type": "genie",
      "log_level": "info",
      "datastore_type": "kubernetes",
      "default_plugin": "calico",
      "hostname": "__KUBERNETES_NODE_NAME__",
      "policy": {
        "type": "k8s",
        "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
        "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
        "kubeconfig": "/etc/cni/net.d/genie-kubeconfig"
      },
      "romana_root": "http://__ROMANA_SERVICE_HOST__:__ROMANA_SERVICE_PORT__",
      "segment_label_name": "romanaSegment"
    }
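---
# Installs the CNI-Genie plugin (00-genie.conf and the genie binary) on
# every node.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: genie-plugin
  namespace: kube-system
  labels:
    k8s-app: genie
spec:
  selector:
    matchLabels:
      k8s-app: genie
  template:
    metadata:
      labels:
        k8s-app: genie
      annotations:
        # Kept for clusters that still honour the annotation; priorityClassName
        # below is the current mechanism.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # The original file carried these tolerations in the
      # scheduler.alpha.kubernetes.io/tolerations annotation, which no API
      # server that accepts apps/v1 still honours — the pods were therefore
      # kept off tainted masters. As spec.tolerations they take effect.
      tolerations:
        - key: dedicated
          value: master
          effect: NoSchedule
        # Same taint the genie-network-admission-controller DaemonSet in this
        # file tolerates, so the plugin also lands on kubeadm masters.
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: CriticalAddonsOnly
          operator: Exists
      priorityClassName: system-node-critical
      hostNetwork: true
      # NOTE(review): the container only writes into the two hostPath mounts
      # below; sharing the host PID namespace does not look necessary for
      # that — confirm and drop if so.
      hostPID: true
      serviceAccountName: genie-plugin
      containers:
        # Runs /launch.sh, which installs 00-genie.conf and the genie binary
        # into the host directories mounted below.
        - name: install-cni
          # NOTE(review): floating tag plus Always pull means each node may run
          # different code after a restart; pin a version or digest.
          image: quay.io/huawei-cni-genie/genie-plugin:latest
          imagePullPolicy: Always
          command: ["/launch.sh"]
          env:
            # CNI config template from the genie-config ConfigMap.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: genie-config
                  key: cni_genie_network_config
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      volumes:
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d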
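---
# Genie network admission controller. Scheduled only on master nodes
# (nodeSelector plus toleration below); exposed by the Service that follows.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: genie-network-admission-controller
  namespace: kube-system
spec:
  # apps/v1 requires spec.selector; the original object had none, so the API
  # server rejects it. The selector must match the pod template's labels.
  selector:
    matchLabels:
      role: genie-network-admission-controller
  template:
    metadata:
      labels:
        role: genie-network-admission-controller
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: CriticalAddonsOnly
          operator: Exists
      # NOTE(review): newer kubeadm clusters label and taint control-plane
      # nodes with node-role.kubernetes.io/control-plane — confirm against
      # the target cluster.
      nodeSelector:
        node-role.kubernetes.io/master: ""
      hostNetwork: true
      # Runs as genie-plugin, the account whose ClusterRole may manage
      # ValidatingWebhookConfigurations.
      serviceAccountName: genie-plugin
      containers:
        - name: genie-network-admission-controller
          # NOTE(review): unpinned tag with Always pull; pin a version or digest.
          image: quay.io/huawei-cni-genie/genie-admission-controller:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 8000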
---
# Service in front of the Genie network admission controller: port 443
# forwards to the controller's containerPort 8000. The Service does no TLS
# termination, so the controller itself is expected to serve HTTPS on 8000
# (admission webhooks are called over HTTPS) — confirm.
apiVersion: v1
kind: Service
metadata:
  name: genie-network-admission-controller
  namespace: kube-system
  labels:
    role: genie-network-admission-controller
spec:
  selector:
    role: genie-network-admission-controller
  ports:
    - port: 443
      targetPort: 8000
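---
# DaemonSet for the Genie network policy controller.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: genie-policy-controller
  namespace: kube-system
  labels:
    k8s-app: genie-policy
spec:
  selector:
    matchLabels:
      k8s-app: genie-policy
  template:
    metadata:
      labels:
        k8s-app: genie-policy
      annotations:
        # Kept for clusters that still honour the annotation; priorityClassName
        # below is the current mechanism.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # The original file carried these tolerations in the
      # scheduler.alpha.kubernetes.io/tolerations annotation, which no API
      # server that accepts apps/v1 still honours. As spec.tolerations they
      # take effect.
      tolerations:
        - key: dedicated
          value: master
          effect: NoSchedule
        # Same taint the genie-network-admission-controller DaemonSet in this
        # file tolerates, so the controller also lands on kubeadm masters.
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: CriticalAddonsOnly
          operator: Exists
      priorityClassName: system-node-critical
      hostNetwork: true
      hostPID: true
      serviceAccountName: genie-policy
      containers:
        - name: policy-engine
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          # NOTE(review): unpinned tag with Always pull; pin a version or digest.
          image: quay.io/huawei-cni-genie/genie-policy-controller:latest
          imagePullPolicy: Always
          command:
            - /genie-policy
          # NOTE(review): the controller authenticates with the host's
          # /etc/kubernetes/admin.conf (typically cluster-admin on kubeadm
          # clusters) rather than with the genie-policy service account it
          # runs as, so the genie-policy ClusterRole does not bound what it
          # can do. Together with privileged: true and hostPID, a compromise
          # of this pod is a compromise of the cluster. Prefer in-cluster
          # service-account credentials and drop the hostPath mount.
          args:
            - -kubeconfig=/etc/kubernetes/admin.conf
            - -logtostderr=true
          securityContext:
            privileged: true
          volumeMounts:
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
      volumes:
        - name: etc-kubernetes
          hostPath:
            path: /etc/kubernetes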