{{- if eq .Values.cni "flannel" }}
# Flannel CNI add-on for a workload cluster. Rendered only when .Values.cni
# is "flannel"; for any other value this template produces no output.
#
# What looks like the upstream kube-flannel manifest (flannel v0.15.0 and the
# flannelcni cni-plugin v1.2, per the image tags below) is wrapped as ONE
# ConfigMap value under the key flannel.yaml, i.e. it is carried as an opaque
# file rather than applied by this chart itself.
# NOTE(review): how the ConfigMap is consumed (e.g. a ClusterResourceSet or a
# bootstrap step) is not visible in this file -- confirm against the chart.
#
# Inputs:
#   .Values.cni          -- must equal "flannel" for this file to render
#   .Values.clusterName  -- prefix of the ConfigMap name
#   .Values.podCidr      -- substituted into flannel's net-conf.json "Network"
#
# Output: ConfigMap "<clusterName>-flannel-addon". The key order (apiVersion,
# data, kind, metadata) and "creationTimestamp: null" look like
# `kubectl ... --dry-run -o yaml` output; harmless, but not hand-ordered.
---
apiVersion: v1
data:
  # Everything under this key is a literal block scalar (|): it is not parsed
  # by Helm's YAML loader or by this chart, only by the cluster that
  # eventually applies it. The single templated value inside it is
  # {{ .Values.podCidr }} in net-conf.json. Any edit below changes the
  # manifest the target cluster receives, and a comment written inside the
  # block becomes part of the ConfigMap data.
  #
  # Privilege granted by the embedded manifest (what a reviewer of the
  # target cluster's security posture should know):
  #   - PodSecurityPolicy psp.flannel.unprivileged: privileged=false and
  #     allowPrivilegeEscalation=false, but hostNetwork=true, the full host
  #     port range 0-65535, NET_ADMIN/NET_RAW allowed, RunAsAny for user,
  #     supplemental groups and fsGroup, and hostPath mounts restricted to
  #     /etc/cni/net.d, /etc/kube-flannel and /run/flannel. The seccomp and
  #     apparmor settings use the old alpha/beta annotation forms.
  #   - ClusterRole flannel: `use` the PSP, get pods, list/watch nodes and
  #     patch nodes/status; bound to ServiceAccount kube-system/flannel.
  #   - DaemonSet kube-flannel-ds: hostNetwork, tolerates every NoSchedule
  #     taint (operator: Exists with no key), runs flanneld with
  #     NET_ADMIN/NET_RAW and requests == limits (100m CPU / 50Mi memory).
  #     Its init containers copy the flannel CNI binary into /opt/cni/bin and
  #     the CNI config into /etc/cni/net.d/10-flannel.conflist on each node.
  #
  # NOTE(review): the PSP is declared as policy/v1beta1 while the ClusterRole
  # grants `use` on podsecuritypolicies in the 'extensions' API group (the
  # historical upstream form). PodSecurityPolicy was removed in Kubernetes
  # 1.25; on clusters that still serve it, confirm which apiGroup the PSP
  # admission controller authorizes against for the target version before
  # relying on this grant.
  flannel.yaml: |
    ---
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: psp.flannel.unprivileged
      annotations:
        seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
        seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
        apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
        apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    spec:
      privileged: false
      volumes:
      - configMap
      - secret
      - emptyDir
      - hostPath
      allowedHostPaths:
      - pathPrefix: "/etc/cni/net.d"
      - pathPrefix: "/etc/kube-flannel"
      - pathPrefix: "/run/flannel"
      readOnlyRootFilesystem: false
      # Users and groups
      runAsUser:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      # Privilege Escalation
      allowPrivilegeEscalation: false
      defaultAllowPrivilegeEscalation: false
      # Capabilities
      allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
      defaultAddCapabilities: []
      requiredDropCapabilities: []
      # Host namespaces
      hostPID: false
      hostIPC: false
      hostNetwork: true
      hostPorts:
      - min: 0
        max: 65535
      # SELinux
      seLinux:
        # SELinux is unused in CaaSP
        rule: 'RunAsAny'
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: flannel
    rules:
    - apiGroups: ['extensions']
      resources: ['podsecuritypolicies']
      verbs: ['use']
      resourceNames: ['psp.flannel.unprivileged']
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
    - apiGroups:
      - ""
      resources:
      - nodes
      verbs:
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - nodes/status
      verbs:
      - patch
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: flannel
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: flannel
    subjects:
    - kind: ServiceAccount
      name: flannel
      namespace: kube-system
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: flannel
      namespace: kube-system
    ---
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: kube-flannel-cfg
      namespace: kube-system
      labels:
        tier: node
        app: flannel
    data:
      cni-conf.json: |
        {
          "name": "cbr0",
          "cniVersion": "0.3.1",
          "plugins": [
            {
              "type": "flannel",
              "delegate": {
                "hairpinMode": true,
                "isDefaultGateway": true
              }
            },
            {
              "type": "portmap",
              "capabilities": {
                "portMappings": true
              }
            }
          ]
        }
      net-conf.json: |
        {
          "Network": "{{ .Values.podCidr }}",
          "Backend": {
            "Type": "vxlan"
          }
        }
    ---
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: kube-flannel-ds
      namespace: kube-system
      labels:
        tier: node
        app: flannel
    spec:
      selector:
        matchLabels:
          app: flannel
      template:
        metadata:
          labels:
            tier: node
            app: flannel
        spec:
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                - matchExpressions:
                  - key: kubernetes.io/os
                    operator: In
                    values:
                    - linux
          hostNetwork: true
          priorityClassName: system-node-critical
          tolerations:
          - operator: Exists
            effect: NoSchedule
          serviceAccountName: flannel
          initContainers:
          - name: install-cni-plugin
            image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.2
            command:
            - cp
            args:
            - -f
            - /flannel
            - /opt/cni/bin/flannel
            volumeMounts:
            - name: cni-plugin
              mountPath: /opt/cni/bin
          - name: install-cni
            image: quay.io/coreos/flannel:v0.15.0
            command:
            - cp
            args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
            volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
          containers:
          - name: kube-flannel
            image: quay.io/coreos/flannel:v0.15.0
            command:
            - /opt/bin/flanneld
            args:
            - --ip-masq
            - --kube-subnet-mgr
            resources:
              requests:
                cpu: "100m"
                memory: "50Mi"
              limits:
                cpu: "100m"
                memory: "50Mi"
            securityContext:
              privileged: false
              capabilities:
                add: ["NET_ADMIN", "NET_RAW"]
            env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
          volumes:
          - name: run
            hostPath:
              path: /run/flannel
          - name: cni-plugin
            hostPath:
              path: /opt/cni/bin
          - name: cni
            hostPath:
              path: /etc/cni/net.d
          - name: flannel-cfg
            configMap:
              name: kube-flannel-cfg
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: {{ .Values.clusterName }}-flannel-addon
{{- end }}