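# Location of this script, and of the shared shell helpers two levels up
# under env/lib. Every expansion is quoted so a checkout path containing
# whitespace or glob characters does not get word-split.
SCRIPTDIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
LIBDIR="$(dirname "$(dirname "${SCRIPTDIR}")")/env/lib"
# NOTE(review): readlink -f is GNU coreutils behaviour; confirm on non-GNU hosts.
source "${LIBDIR}/logging.sh"
source "${LIBDIR}/common.sh"
# Upstream releases fetched over the network by build_source_calico and
# build_source_flannel. The version string is the only pin: the downloaded
# manifests are not checksum-verified by those functions.
CALICO_VERSION="v3.22.0"
FLANNEL_VERSION="v0.15.0"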
13 function build_source_flannel {
# Download the upstream kube-flannel manifest at the pinned FLANNEL_VERSION.
# NOTE(review): curl runs without -f, so an HTTP error body would be saved
# as flannel.yaml and wrapped into the ConfigMap below unnoticed; the file
# is not checksum-verified. ${SCRIPTDIR} is expanded unquoted here and in
# the rest of this function.
14 curl -sL https://raw.githubusercontent.com/coreos/flannel/${FLANNEL_VERSION}/Documentation/kube-flannel.yml -o ${SCRIPTDIR}/addons/flannel.yaml
# Wrap the manifest into a Helm template: a ConfigMap generated client-side
# by kubectl (--dry-run=client), emitted only when .Values.cni is "flannel".
# The unquoted heredoc delimiter lets $(kubectl ...) expand while the
# {{ ... }} expressions are left intact for chart rendering.
15 cat <<EOF >${SCRIPTDIR}/templates/flannel-addon.yaml
16 {{- if eq .Values.cni "flannel" }}
18 $(kubectl create configmap flannel-addon --from-file=${SCRIPTDIR}/addons/flannel.yaml -o yaml --dry-run=client)
# Prefix the ConfigMap name with the cluster name, then replace flannel's
# default pod CIDR with .Values.podCidr. Only the literal 10.244.0.0/16 is
# substituted (first match per line); any other CIDR in the upstream file
# would be left as is. The heredoc terminator and the closing brace of this
# function are not shown in this listing.
21 sed -i -e 's/ name: flannel-addon/ name: {{ .Values.clusterName }}-flannel-addon/' ${SCRIPTDIR}/templates/flannel-addon.yaml
22 sed -i -e 's/10.244.0.0\/16/{{ .Values.podCidr }}/' ${SCRIPTDIR}/templates/flannel-addon.yaml
25 function build_source_flux {
# Export the Flux component manifests (flux install --export prints them
# instead of applying) into addons/flux-system.yaml.
26 flux install --export >${SCRIPTDIR}/addons/flux-system.yaml
# Append an RBAC binding named psp:privileged:flux-system in the flux-system
# namespace for the system:serviceaccounts:flux-system group. The kind and
# the roleRef target are not visible in this listing; presumably this grants
# the Flux controllers the privileged PodSecurityPolicy -- confirm against
# the full file.
27 cat <<EOF >>${SCRIPTDIR}/addons/flux-system.yaml
29 apiVersion: rbac.authorization.k8s.io/v1
32 name: psp:privileged:flux-system
33 namespace: flux-system
35 apiGroup: rbac.authorization.k8s.io
40 name: system:serviceaccounts:flux-system
41 apiGroup: rbac.authorization.k8s.io
43 # The name "sync" must be sorted after "flux-system" to ensure
44 # CRDs are instantiated first
# sync.yaml is itself a Helm template; the quoted delimiter keeps the shell
# from expanding anything in it. It declares (kind lines not shown here):
# an optional Secret carrying the SOPS GPG key as sops.asc, gated on
# .Values.flux.decryptionSecret; a source.toolkit.fluxcd.io GitRepository
# for .Values.flux.url / .Values.flux.branch; and a kustomize.toolkit.fluxcd.io
# Kustomization <clusterName>-flux-sync reconciling .Values.flux.path with
# decryption via that Secret.
# NOTE(review): .Values.flux.decryptionSecret is private key material. Since
# sync.yaml is embedded into the flux-addon ConfigMap below, the rendered
# key ends up in ConfigMap data as well as in the Secret it declares, so
# read access is governed by ConfigMap RBAC wherever that addon ConfigMap is
# created. Confirm that is acceptable, or keep the key out of the ConfigMap.
45 cat <<'EOF' >${SCRIPTDIR}/addons/sync.yaml
46 {{- if .Values.flux.decryptionSecret }}
52 name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
53 namespace: flux-system
55 sops.asc: {{ .Values.flux.decryptionSecret | b64enc }}
58 apiVersion: source.toolkit.fluxcd.io/v1beta1
61 name: {{ .Values.flux.repositoryName }}
62 namespace: flux-system
64 gitImplementation: go-git
67 branch: {{ .Values.flux.branch }}
69 url: {{ .Values.flux.url }}
71 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
74 name: {{ .Values.clusterName }}-flux-sync
75 namespace: flux-system
78 path: {{ .Values.flux.path }}
82 name: {{ .Values.flux.repositoryName }}
83 {{- if .Values.flux.decryptionSecret }}
87 name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
# Helm template wrapping both files into a single ConfigMap (one key per
# file), rendered only when .Values.flux is set. The unquoted delimiter lets
# $(kubectl ...) expand here.
90 cat <<EOF >${SCRIPTDIR}/templates/flux-addon.yaml
91 {{- if .Values.flux }}
93 $(kubectl create configmap flux-addon --from-file=${SCRIPTDIR}/addons/flux-system.yaml,${SCRIPTDIR}/addons/sync.yaml -o yaml --dry-run=client)
# Prefix the ConfigMap name with the cluster name. The closing brace of this
# function is not shown in this listing.
96 sed -i -e 's/ name: flux-addon/ name: {{ .Values.clusterName }}-flux-addon/' ${SCRIPTDIR}/templates/flux-addon.yaml
99 function build_source_podsecurity {
100 # PodSecurityPolicy is being replaced in future versions of K8s.
101 # The recommended practice is described by K8s at
102 # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice
103 # - https://kubernetes.io/docs/concepts/security/pod-security-standards/
104 # and provides three levels: privileged, baseline, and restricted.
106 # The question to answer here is how to reconcile the K8s levels
107 # against the Akraino security requirements.
109 # For the time being, the below populates the cluster with the K8s
110 # recommended levels and provides an additional policy (icn) bound
111 # to the system:authenticated group to meet the Akraino
# Assemble podsecurity.yaml from: the three upstream example policies; an
# "icn" policy built from privileged-psp by renaming it and deleting its
# allowedCapabilities block (the sed range runs to the next indented line
# starting with "!" or "-" -- inside a sed bracket "!" is literal, not a
# negation -- which with the upstream file is presumably the single
# "- '*'" entry; confirm), followed by a requiredDropCapabilities list; and
# the RBAC that grants the policies (see below).
# NOTE(review): the examples are fetched from the unpinned `main` branch of
# kubernetes/website, so their content can change between runs, and curl has
# no -f, so an HTTP error page would be spliced into the manifest. The
# PodSecurityPolicy API was removed in Kubernetes 1.25; this addon only
# applies to clusters that still serve it.
# RBAC in this manifest: four objects labelled
# addonmanager.kubernetes.io/mode: Reconcile that reference
# podsecuritypolicies (presumably one ClusterRole granting "use" per policy;
# names and verbs are not visible here); namespaced bindings
# psp:privileged:nodes and psp:privileged:kube-system in kube-system, the
# latter for system:serviceaccounts:kube-system; and a ClusterRoleBinding
# whose subject is system:authenticated -- per the comment above this binds
# the icn policy to every authenticated identity cluster-wide (the roleRef
# name is not visible in this listing).
113 cat <<EOF >${SCRIPTDIR}/addons/podsecurity.yaml
115 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml)
117 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/baseline-psp.yaml)
119 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/restricted-psp.yaml)
121 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml |
122 sed -e 's/ name: privileged/ name: icn/' |
123 sed -e '/^ allowedCapabilities:/,/^ [!-]/d')
129 requiredDropCapabilities:
132 apiVersion: rbac.authorization.k8s.io/v1
137 addonmanager.kubernetes.io/mode: Reconcile
144 - podsecuritypolicies
148 apiVersion: rbac.authorization.k8s.io/v1
153 addonmanager.kubernetes.io/mode: Reconcile
160 - podsecuritypolicies
164 apiVersion: rbac.authorization.k8s.io/v1
169 addonmanager.kubernetes.io/mode: Reconcile
176 - podsecuritypolicies
180 apiVersion: rbac.authorization.k8s.io/v1
185 addonmanager.kubernetes.io/mode: Reconcile
192 - podsecuritypolicies
196 apiVersion: rbac.authorization.k8s.io/v1
199 name: psp:privileged:nodes
200 namespace: kube-system
202 addonmanager.kubernetes.io/mode: Reconcile
204 apiGroup: rbac.authorization.k8s.io
210 apiGroup: rbac.authorization.k8s.io
212 apiVersion: rbac.authorization.k8s.io/v1
215 name: psp:privileged:kube-system
216 namespace: kube-system
218 apiGroup: rbac.authorization.k8s.io
223 name: system:serviceaccounts:kube-system
224 apiGroup: rbac.authorization.k8s.io
226 apiVersion: rbac.authorization.k8s.io/v1
227 kind: ClusterRoleBinding
233 apiGroup: rbac.authorization.k8s.io
236 name: system:authenticated
237 apiGroup: rbac.authorization.k8s.io
# Helm template: a client-side generated ConfigMap holding podsecurity.yaml.
239 cat <<EOF >${SCRIPTDIR}/templates/podsecurity-addon.yaml
241 $(kubectl create configmap podsecurity-addon --from-file=${SCRIPTDIR}/addons/podsecurity.yaml -o yaml --dry-run=client)
# Prefix the ConfigMap name with the cluster name. The closing brace of this
# function is not shown in this listing.
243 sed -i -e 's/ name: podsecurity-addon/ name: {{ .Values.clusterName }}-podsecurity-addon/' ${SCRIPTDIR}/templates/podsecurity-addon.yaml
246 function build_source_calico {
# Build addons/calico.yaml from the upstream archive manifest. ${CALICO_VERSION%.*}
# drops the patch component (v3.22.0 -> v3.22) to select the archive directory.
# NOTE(review): curl runs without -f and the file is not checksum-verified,
# so an HTTP error body would flow into the kustomize build below.
247 mkdir -p ${SCRIPTDIR}/addons/calico
248 curl -sL https://docs.projectcalico.org/archive/${CALICO_VERSION%.*}/manifests/calico.yaml -o ${SCRIPTDIR}/addons/calico/calico.yaml
249 # Remove trailing whitespace so that kubectl create configmap
250 # doesn't insert explicit newlines
# (GNU sed syntax: -r and \s.)
251 sed -i -r 's/\s+$//g' ${SCRIPTDIR}/addons/calico/calico.yaml
# Patch setting IP_AUTODETECTION_METHOD=can-reach=www.google.com in the
# kube-system target (target kind and name are not visible in this listing).
# NOTE(review): can-reach picks the node interface by the route towards an
# external host; on nodes without such a route (air-gapped deployments) the
# autodetected address may not be the intended one -- confirm.
252 cat <<EOF >${SCRIPTDIR}/addons/calico/ip-autodetection-method-patch.yaml
257 namespace: kube-system
264 - name: IP_AUTODETECTION_METHOD
265 value: can-reach=www.google.com
# Kustomization applying the patch; kustomize build produces the final
# single-file manifest consumed by the ConfigMap below.
267 cat <<EOF >${SCRIPTDIR}/addons/calico/kustomization.yaml
271 - path: ip-autodetection-method-patch.yaml
273 kustomize build ${SCRIPTDIR}/addons/calico >${SCRIPTDIR}/addons/calico.yaml
# Helm template: client-side generated ConfigMap, rendered only when
# .Values.cni is "calico".
274 cat <<EOF >${SCRIPTDIR}/templates/calico-addon.yaml
275 {{- if eq .Values.cni "calico" }}
277 $(kubectl create configmap calico-addon --from-file=${SCRIPTDIR}/addons/calico.yaml -o yaml --dry-run=client)
# Prefix the ConfigMap name with the cluster name. The closing brace of this
# function is not shown in this listing.
280 sed -i -e 's/ name: calico-addon/ name: {{ .Values.clusterName }}-calico-addon/' ${SCRIPTDIR}/templates/calico-addon.yaml
283 # This may be used to update the in-place addon YAML files from the
# Entry point for the "build-source" command: creates addons/ and runs the
# build_source_* generators (only the podsecurity call survives in this
# listing). Each generator writes addons/<name>.yaml and
# templates/<name>-addon.yaml and needs network access plus the curl,
# kubectl, flux and kustomize tools on PATH.
285 function build_source {
286 mkdir -p ${SCRIPTDIR}/addons
290 build_source_podsecurity
294 "build-source") build_source ;;
295 "foo") build_source_calico ;;
297 Usage: $(basename $0) COMMAND
300 build-source - Rebuild the in-tree addon YAML files