Capture creation of cluster into Helm chart
[icn.git] / deploy / clusters / templates / flannel-addon.yaml
1 {{- range $clusterName, $cluster := .Values.clusters }}
2 {{- if eq $cluster.cni "flannel" }}
3 ---
4 apiVersion: v1
5 data:
6   flannel.yaml: |
7     ---
8     apiVersion: policy/v1beta1
9     kind: PodSecurityPolicy
10     metadata:
11       name: psp.flannel.unprivileged
12       annotations:
13         seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
14         seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
15         apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
16         apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
17     spec:
18       privileged: false
19       volumes:
20       - configMap
21       - secret
22       - emptyDir
23       - hostPath
24       allowedHostPaths:
25       - pathPrefix: "/etc/cni/net.d"
26       - pathPrefix: "/etc/kube-flannel"
27       - pathPrefix: "/run/flannel"
28       readOnlyRootFilesystem: false
29       # Users and groups
30       runAsUser:
31         rule: RunAsAny
32       supplementalGroups:
33         rule: RunAsAny
34       fsGroup:
35         rule: RunAsAny
36       # Privilege Escalation
37       allowPrivilegeEscalation: false
38       defaultAllowPrivilegeEscalation: false
39       # Capabilities
40       allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
41       defaultAddCapabilities: []
42       requiredDropCapabilities: []
43       # Host namespaces
44       hostPID: false
45       hostIPC: false
46       hostNetwork: true
47       hostPorts:
48       - min: 0
49         max: 65535
50       # SELinux
51       seLinux:
52         # SELinux is unused in CaaSP
53         rule: 'RunAsAny'
54     ---
55     kind: ClusterRole
56     apiVersion: rbac.authorization.k8s.io/v1
57     metadata:
58       name: flannel
59     rules:
60     - apiGroups: ['extensions']
61       resources: ['podsecuritypolicies']
62       verbs: ['use']
63       resourceNames: ['psp.flannel.unprivileged']
64     - apiGroups:
65       - ""
66       resources:
67       - pods
68       verbs:
69       - get
70     - apiGroups:
71       - ""
72       resources:
73       - nodes
74       verbs:
75       - list
76       - watch
77     - apiGroups:
78       - ""
79       resources:
80       - nodes/status
81       verbs:
82       - patch
83     ---
84     kind: ClusterRoleBinding
85     apiVersion: rbac.authorization.k8s.io/v1
86     metadata:
87       name: flannel
88     roleRef:
89       apiGroup: rbac.authorization.k8s.io
90       kind: ClusterRole
91       name: flannel
92     subjects:
93     - kind: ServiceAccount
94       name: flannel
95       namespace: kube-system
96     ---
97     apiVersion: v1
98     kind: ServiceAccount
99     metadata:
100       name: flannel
101       namespace: kube-system
102     ---
103     kind: ConfigMap
104     apiVersion: v1
105     metadata:
106       name: kube-flannel-cfg
107       namespace: kube-system
108       labels:
109         tier: node
110         app: flannel
111     data:
112       cni-conf.json: |
113         {
114           "name": "cbr0",
115           "cniVersion": "0.3.1",
116           "plugins": [
117             {
118               "type": "flannel",
119               "delegate": {
120                 "hairpinMode": true,
121                 "isDefaultGateway": true
122               }
123             },
124             {
125               "type": "portmap",
126               "capabilities": {
127                 "portMappings": true
128               }
129             }
130           ]
131         }
132       net-conf.json: |
133         {
134           "Network": "{{ $cluster.podCidr }}",
135           "Backend": {
136             "Type": "vxlan"
137           }
138         }
139     ---
140     apiVersion: apps/v1
141     kind: DaemonSet
142     metadata:
143       name: kube-flannel-ds
144       namespace: kube-system
145       labels:
146         tier: node
147         app: flannel
148     spec:
149       selector:
150         matchLabels:
151           app: flannel
152       template:
153         metadata:
154           labels:
155             tier: node
156             app: flannel
157         spec:
158           affinity:
159             nodeAffinity:
160               requiredDuringSchedulingIgnoredDuringExecution:
161                 nodeSelectorTerms:
162                 - matchExpressions:
163                   - key: kubernetes.io/os
164                     operator: In
165                     values:
166                     - linux
167           hostNetwork: true
168           priorityClassName: system-node-critical
169           tolerations:
170           - operator: Exists
171             effect: NoSchedule
172           serviceAccountName: flannel
173           initContainers:
174           - name: install-cni-plugin
175             image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.2
176             command:
177             - cp
178             args:
179             - -f
180             - /flannel
181             - /opt/cni/bin/flannel
182             volumeMounts:
183             - name: cni-plugin
184               mountPath: /opt/cni/bin
185           - name: install-cni
186             image: quay.io/coreos/flannel:v0.15.0
187             command:
188             - cp
189             args:
190             - -f
191             - /etc/kube-flannel/cni-conf.json
192             - /etc/cni/net.d/10-flannel.conflist
193             volumeMounts:
194             - name: cni
195               mountPath: /etc/cni/net.d
196             - name: flannel-cfg
197               mountPath: /etc/kube-flannel/
198           containers:
199           - name: kube-flannel
200             image: quay.io/coreos/flannel:v0.15.0
201             command:
202             - /opt/bin/flanneld
203             args:
204             - --ip-masq
205             - --kube-subnet-mgr
206             resources:
207               requests:
208                 cpu: "100m"
209                 memory: "50Mi"
210               limits:
211                 cpu: "100m"
212                 memory: "50Mi"
213             securityContext:
214               privileged: false
215               capabilities:
216                 add: ["NET_ADMIN", "NET_RAW"]
217             env:
218             - name: POD_NAME
219               valueFrom:
220                 fieldRef:
221                   fieldPath: metadata.name
222             - name: POD_NAMESPACE
223               valueFrom:
224                 fieldRef:
225                   fieldPath: metadata.namespace
226             volumeMounts:
227             - name: run
228               mountPath: /run/flannel
229             - name: flannel-cfg
230               mountPath: /etc/kube-flannel/
231           volumes:
232           - name: run
233             hostPath:
234               path: /run/flannel
235           - name: cni-plugin
236             hostPath:
237               path: /opt/cni/bin
238           - name: cni
239             hostPath:
240               path: /etc/cni/net.d
241           - name: flannel-cfg
242             configMap:
243               name: kube-flannel-cfg
244 kind: ConfigMap
245 metadata:
246   creationTimestamp: null
247   name: {{ $clusterName }}-flannel-addon
248 {{- end }}
249 {{- end }}
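Review bot: The PodSecurityPolicy's `allowedHostPaths` (the three `pathPrefix` entries under `spec`) does not include `/opt/cni/bin`, yet the DaemonSet's `install-cni-plugin` init container mounts a hostPath volume at exactly that path, so on a cluster where the PodSecurityPolicy admission plugin is enabled the flannel pods would be rejected by the very policy shipped alongside them. Add `- pathPrefix: "/opt/cni/bin"` to that list (the init container copies into it, so it cannot be marked `readOnly: true`). Separately, the ClusterRole grants `use` on `podsecuritypolicies` in the `extensions` API group while the policy itself is declared under `policy/v1beta1`; unless the target clusters still serve PSPs in `extensions`, the grant should name `apiGroups: ['policy']` — worth confirming against the Kubernetes versions this chart targets. Note also that `policy/v1beta1` PodSecurityPolicy is removed in Kubernetes 1.25, so this addon cannot be applied unchanged on clusters at or beyond that release. Finally, `{{ $cluster.podCidr }}` renders as an empty string when the value is absent, producing a `net-conf.json` with an empty `Network`; `{{ required "podCidr is required" $cluster.podCidr }}` would fail at template-render time instead.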