Update versions of jump server components
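{{- if eq .Values.cni "flannel" }}
# Flannel CNI addon. Rendered only when .Values.cni is "flannel"; the upstream
# flannel manifest is embedded verbatim as the flannel.yaml entry of a ConfigMap
# (presumably picked up by a cluster-addon controller — confirm against the
# consumer of "<clusterName>-flannel-addon").
---
apiVersion: v1
data:
  flannel.yaml: |
    ---
    # NOTE(review): PodSecurityPolicy (policy/v1beta1) is deprecated since
    # Kubernetes 1.21 and removed in 1.25; on a 1.25+ cluster this document
    # fails to apply. Plan a move to Pod Security Admission or an external
    # policy engine before upgrading the workload cluster.
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: psp.flannel.unprivileged
      annotations:
        seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
        seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
        apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
        apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    spec:
      privileged: false
      volumes:
      - configMap
      - secret
      - emptyDir
      - hostPath
      # hostPath mounts are restricted to these prefixes. The list must cover
      # every hostPath the DaemonSet below uses, otherwise an enforcing PSP
      # admission controller rejects the flannel pods.
      allowedHostPaths:
      - pathPrefix: "/etc/cni/net.d"
      - pathPrefix: "/etc/kube-flannel"
      - pathPrefix: "/run/flannel"
      # Mounted by the install-cni-plugin init container (cni-plugin volume).
      - pathPrefix: "/opt/cni/bin"
      # Mounted by the kube-flannel container (xtables-lock volume).
      - pathPrefix: "/run/xtables.lock"
      readOnlyRootFilesystem: false
      # Users and groups
      runAsUser:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      # Privilege Escalation
      allowPrivilegeEscalation: false
      defaultAllowPrivilegeEscalation: false
      # Capabilities: only the two the kube-flannel container adds below.
      allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
      defaultAddCapabilities: []
      requiredDropCapabilities: []
      # Host namespaces: host networking is required by flanneld, PID/IPC are not.
      hostPID: false
      hostIPC: false
      hostNetwork: true
      hostPorts:
      - min: 0
        max: 65535
      # SELinux
      seLinux:
        # SELinux is unused in CaaSP
        rule: 'RunAsAny'
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: flannel
    rules:
    # 'use' on the PSP above; 'extensions' is the legacy PSP API group name
    # carried over from the upstream flannel manifest.
    - apiGroups: ['extensions']
      resources: ['podsecuritypolicies']
      verbs: ['use']
      resourceNames: ['psp.flannel.unprivileged']
    # Read-only cluster access plus patching node status (flannel records the
    # node's subnet/backend data there). No write access to anything else.
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
    - apiGroups:
      - ""
      resources:
      - nodes
      verbs:
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - nodes/status
      verbs:
      - patch
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: flannel
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: flannel
    subjects:
    - kind: ServiceAccount
      name: flannel
      namespace: kube-system
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: flannel
      namespace: kube-system
    ---
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: kube-flannel-cfg
      namespace: kube-system
      labels:
        tier: node
        app: flannel
    data:
      # CNI conflist installed to /etc/cni/net.d by the install-cni init container.
      cni-conf.json: |
        {
          "name": "cbr0",
          "cniVersion": "0.3.1",
          "plugins": [
            {
              "type": "flannel",
              "delegate": {
                "hairpinMode": true,
                "isDefaultGateway": true
              }
            },
            {
              "type": "portmap",
              "capabilities": {
                "portMappings": true
              }
            }
          ]
        }
      # Pod network read by flanneld. .Values.podCidr must match the CIDR the
      # control plane was configured with — verify in the chart values.
      net-conf.json: |
        {
          "Network": "{{ .Values.podCidr }}",
          "Backend": {
            "Type": "vxlan"
          }
        }
    ---
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: kube-flannel-ds
      namespace: kube-system
      labels:
        tier: node
        app: flannel
    spec:
      selector:
        matchLabels:
          app: flannel
      template:
        metadata:
          labels:
            tier: node
            app: flannel
        spec:
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                - matchExpressions:
                  - key: kubernetes.io/os
                    operator: In
                    values:
                    - linux
          hostNetwork: true
          priorityClassName: system-node-critical
          tolerations:
          - operator: Exists
            effect: NoSchedule
          serviceAccountName: flannel
          # Images are pinned by tag only. For a reproducible, tamper-evident
          # deployment pin by digest as well (image@sha256:<DIGEST-PLACEHOLDER>)
          # and bump tag and digest together.
          initContainers:
          - name: install-cni-plugin
            #image: flannelcni/flannel-cni-plugin:v1.0.1 for ppc64le (dockerhub limitations may apply)
            image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1
            command:
            - cp
            args:
            - -f
            - /flannel
            - /opt/cni/bin/flannel
            volumeMounts:
            - name: cni-plugin
              mountPath: /opt/cni/bin
          - name: install-cni
            #image: flannelcni/flannel:v0.16.1 for ppc64le (dockerhub limitations may apply)
            image: rancher/mirrored-flannelcni-flannel:v0.16.1
            command:
            - cp
            args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
            volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
          containers:
          - name: kube-flannel
            #image: flannelcni/flannel:v0.16.1 for ppc64le (dockerhub limitations may apply)
            image: rancher/mirrored-flannelcni-flannel:v0.16.1
            command:
            - /opt/bin/flanneld
            args:
            - --ip-masq
            - --kube-subnet-mgr
            resources:
              requests:
                cpu: "100m"
                memory: "50Mi"
              limits:
                cpu: "100m"
                memory: "50Mi"
            # Not privileged: only NET_ADMIN/NET_RAW are added, matching the PSP.
            securityContext:
              privileged: false
              capabilities:
                add: ["NET_ADMIN", "NET_RAW"]
            env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
            - name: xtables-lock
              mountPath: /run/xtables.lock
          # Every hostPath here must be listed in the PSP's allowedHostPaths.
          volumes:
          - name: run
            hostPath:
              path: /run/flannel
          - name: cni-plugin
            hostPath:
              path: /opt/cni/bin
          - name: cni
            hostPath:
              path: /etc/cni/net.d
          - name: flannel-cfg
            configMap:
              name: kube-flannel-cfg
          # Host-wide iptables lock so flanneld serializes with other iptables
          # writers on the node.
          - name: xtables-lock
            hostPath:
              path: /run/xtables.lock
              type: FileOrCreate
kind: ConfigMap
metadata:
  # Artifact of kubectl-generated output; the API server sets the real value.
  creationTimestamp: null
  # Quoted so the templated value is always parsed as a string.
  name: "{{ .Values.clusterName }}-flannel-addon"
{{- end }}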