Add flannel CNI for IEC project
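---
# PodSecurityPolicy that the flannel ServiceAccount is granted `use` on.
# It is deliberately narrow: not privileged, no privilege escalation, only
# NET_ADMIN as an allowed capability, and hostPath access limited to a fixed
# set of prefixes. Served under the policy group (policy/v1beta1, Kubernetes
# 1.10+); the older extensions/v1beta1 serving of PSP was removed in 1.16.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    # Pin seccomp and AppArmor to the runtime defaults and forbid other
    # profiles; these annotations are the pre-GA way of expressing that.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  # Volume types the pod may use. 'secret' is presumably needed for the
  # ServiceAccount token mount; 'hostPath' is constrained by allowedHostPaths.
  volumes:
    - configMap
    - secret
    - emptyDir
    - hostPath
  # hostPath prefixes the pod may mount. The flannel DaemonSets hostPath-mount
  # only /run/flannel and /etc/cni/net.d (/etc/kube-flannel comes from a
  # ConfigMap), so the second prefix could be dropped; it is kept as upstream
  # ships it. Neither writable path can be readOnly: flanneld writes its
  # subnet env file and the init container writes the CNI conflist.
  allowedHostPaths:
    - pathPrefix: "/etc/cni/net.d"
    - pathPrefix: "/etc/kube-flannel"
    - pathPrefix: "/run/flannel"
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation: forbidden, and defaulted to false for pods that do
  # not set securityContext.allowPrivilegeEscalation themselves.
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities: NET_ADMIN is the only one a pod may add (flanneld needs it
  # for the overlay device, routes and the --ip-masq rules); nothing is added
  # by default and nothing is force-dropped.
  allowedCapabilities: ['NET_ADMIN']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces: the host network namespace is required for a node
  # network agent; host PID and IPC stay off.
  hostPID: false
  hostIPC: false
  hostNetwork: true
  # hostPorts only constrains declared containers[].ports[].hostPort entries.
  # The flannel pods declare none, so this range could be narrowed; with
  # hostNetwork: true the process binds host ports regardless.
  hostPorts:
    - min: 0
      max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'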
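---
# Cluster-wide permissions for the flannel ServiceAccount, kept to what
# flanneld's --kube-subnet-mgr mode needs. Uses the GA RBAC API
# (rbac.authorization.k8s.io/v1, Kubernetes 1.8+); v1beta1 was removed in
# 1.22.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
  # Lets the pod be admitted under the psp.flannel.unprivileged PSP. PSPs are
  # served under both the 'extensions' and 'policy' API groups; listing both
  # keeps the `use` grant valid whichever group the PSP admission plugin
  # authorizes against.
  - apiGroups: ['extensions', 'policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['psp.flannel.unprivileged']
  # Read-only access to pods (presumably so flanneld can look up its own pod
  # via POD_NAME/POD_NAMESPACE).
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  # Read-only access to nodes: flanneld watches node objects to learn the
  # subnet lease of every other node.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - watch
  # The only write permission, and it applies to every node's status
  # subresource; presumably used to publish this node's subnet lease as node
  # annotations. No write access to the node object itself is granted.
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch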
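---
# Binds the flannel ClusterRole to exactly one subject: the flannel
# ServiceAccount in kube-system. Uses the GA RBAC API
# (rbac.authorization.k8s.io/v1, Kubernetes 1.8+); v1beta1 was removed in
# 1.22.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
  - kind: ServiceAccount
    name: flannel
    namespace: kube-system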
---
# Identity the flannel DaemonSet pods run as; the flannel ClusterRoleBinding
# grants it the flannel ClusterRole and nothing else.
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: kube-system
  name: flannel
---
# Configuration consumed by the flannel DaemonSets. cni-conf.json is copied
# by the install-cni init container to /etc/cni/net.d/10-flannel.conflist on
# every node; net-conf.json is mounted at /etc/kube-flannel/ for flanneld.
kind: ConfigMap
apiVersion: v1
metadata:
  namespace: kube-system
  name: kube-flannel-cfg
  labels:
    app: flannel
    tier: node
data:
  # CNI conflist: the flannel plugin (its delegate presumably defaults to the
  # bridge plugin, with hairpin and default-gateway enabled) chained with
  # portmap so hostPort mappings work.
  cni-conf.json: |
    {
      "name": "cbr0",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  # Pod network CIDR and overlay backend. "Network" must match the cluster's
  # pod CIDR (kube-controller-manager --cluster-cidr / kubeadm
  # --pod-network-cidr) or per-node subnets will not line up.
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
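---
# flannel node agent for amd64 nodes. Runs in the host network namespace
# with only NET_ADMIN added, as the flannel ServiceAccount: the install-cni
# init container drops the CNI conflist onto the host, then flanneld runs.
# Uses apps/v1 (Kubernetes 1.9+); extensions/v1beta1 DaemonSets were removed
# in 1.16.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-amd64
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  # apps/v1 requires an explicit selector. Both template labels are listed
  # so it equals the selector extensions/v1beta1 defaulted from the template,
  # keeping an already-deployed DaemonSet updatable in place (the selector is
  # immutable). Note: apps/v1 defaults updateStrategy to RollingUpdate where
  # extensions/v1beta1 defaulted to OnDelete.
  selector:
    matchLabels:
      tier: node
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      # flanneld needs the node's real interfaces and routing table.
      hostNetwork: true
      # beta.kubernetes.io/arch is the pre-1.14 label name; newer clusters
      # also set kubernetes.io/arch — confirm which one the target nodes carry.
      nodeSelector:
        beta.kubernetes.io/arch: amd64
      # Tolerate every NoSchedule taint so the agent lands on all nodes,
      # including control-plane nodes.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Writes the CNI conflist from the ConfigMap into the host's
        # /etc/cni/net.d — the only host write besides /run/flannel.
        # Image is pinned by tag only; pinning by digest would make the
        # deployed binary immutable.
        - name: install-cni
          image: quay.io/coreos/flannel:v0.11.0-amd64
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.11.0-amd64
          command:
            - /opt/bin/flanneld
          # --ip-masq: masquerade pod traffic leaving the pod network;
          # --kube-subnet-mgr: take subnet leases from the Kubernetes API
          # (node objects) instead of etcd.
          args:
            - --ip-masq
            - --kube-subnet-mgr
          # requests == limits gives Guaranteed QoS, so the network agent is
          # not among the first pods evicted under node pressure.
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          # Not privileged; NET_ADMIN is the only added capability.
          # allowPrivilegeEscalation is set explicitly so the restriction
          # holds even on clusters where PSP admission is not enabled.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              add: ["NET_ADMIN"]
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      # Only two hostPath volumes; the config comes from the ConfigMap.
      volumes:
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg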
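---
# flannel node agent for arm64 nodes. Runs in the host network namespace
# with only NET_ADMIN added, as the flannel ServiceAccount: the install-cni
# init container drops the CNI conflist onto the host, then flanneld runs.
# Uses apps/v1 (Kubernetes 1.9+); extensions/v1beta1 DaemonSets were removed
# in 1.16.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-arm64
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  # apps/v1 requires an explicit selector. Both template labels are listed
  # so it equals the selector extensions/v1beta1 defaulted from the template,
  # keeping an already-deployed DaemonSet updatable in place (the selector is
  # immutable). Note: apps/v1 defaults updateStrategy to RollingUpdate where
  # extensions/v1beta1 defaulted to OnDelete.
  selector:
    matchLabels:
      tier: node
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      # flanneld needs the node's real interfaces and routing table.
      hostNetwork: true
      # beta.kubernetes.io/arch is the pre-1.14 label name; newer clusters
      # also set kubernetes.io/arch — confirm which one the target nodes carry.
      nodeSelector:
        beta.kubernetes.io/arch: arm64
      # Tolerate every NoSchedule taint so the agent lands on all nodes,
      # including control-plane nodes.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Writes the CNI conflist from the ConfigMap into the host's
        # /etc/cni/net.d — the only host write besides /run/flannel.
        # Image is pinned by tag only; pinning by digest would make the
        # deployed binary immutable.
        - name: install-cni
          image: quay.io/coreos/flannel:v0.11.0-arm64
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.11.0-arm64
          command:
            - /opt/bin/flanneld
          # --ip-masq: masquerade pod traffic leaving the pod network;
          # --kube-subnet-mgr: take subnet leases from the Kubernetes API
          # (node objects) instead of etcd.
          args:
            - --ip-masq
            - --kube-subnet-mgr
          # requests == limits gives Guaranteed QoS, so the network agent is
          # not among the first pods evicted under node pressure.
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          # Not privileged; NET_ADMIN is the only added capability.
          # allowPrivilegeEscalation is set explicitly so the restriction
          # holds even on clusters where PSP admission is not enabled.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              add: ["NET_ADMIN"]
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      # Only two hostPath volumes; the config comes from the ConfigMap.
      volumes:
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg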
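---
# flannel node agent for arm (32-bit) nodes. Runs in the host network
# namespace with only NET_ADMIN added, as the flannel ServiceAccount: the
# install-cni init container drops the CNI conflist onto the host, then
# flanneld runs. Uses apps/v1 (Kubernetes 1.9+); extensions/v1beta1
# DaemonSets were removed in 1.16.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-arm
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  # apps/v1 requires an explicit selector. Both template labels are listed
  # so it equals the selector extensions/v1beta1 defaulted from the template,
  # keeping an already-deployed DaemonSet updatable in place (the selector is
  # immutable). Note: apps/v1 defaults updateStrategy to RollingUpdate where
  # extensions/v1beta1 defaulted to OnDelete.
  selector:
    matchLabels:
      tier: node
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      # flanneld needs the node's real interfaces and routing table.
      hostNetwork: true
      # beta.kubernetes.io/arch is the pre-1.14 label name; newer clusters
      # also set kubernetes.io/arch — confirm which one the target nodes carry.
      nodeSelector:
        beta.kubernetes.io/arch: arm
      # Tolerate every NoSchedule taint so the agent lands on all nodes,
      # including control-plane nodes.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Writes the CNI conflist from the ConfigMap into the host's
        # /etc/cni/net.d — the only host write besides /run/flannel.
        # Image is pinned by tag only; pinning by digest would make the
        # deployed binary immutable.
        - name: install-cni
          image: quay.io/coreos/flannel:v0.11.0-arm
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.11.0-arm
          command:
            - /opt/bin/flanneld
          # --ip-masq: masquerade pod traffic leaving the pod network;
          # --kube-subnet-mgr: take subnet leases from the Kubernetes API
          # (node objects) instead of etcd.
          args:
            - --ip-masq
            - --kube-subnet-mgr
          # requests == limits gives Guaranteed QoS, so the network agent is
          # not among the first pods evicted under node pressure.
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          # Not privileged; NET_ADMIN is the only added capability.
          # allowPrivilegeEscalation is set explicitly so the restriction
          # holds even on clusters where PSP admission is not enabled.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              add: ["NET_ADMIN"]
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      # Only two hostPath volumes; the config comes from the ConfigMap.
      volumes:
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg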
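---
# flannel node agent for ppc64le nodes. Runs in the host network namespace
# with only NET_ADMIN added, as the flannel ServiceAccount: the install-cni
# init container drops the CNI conflist onto the host, then flanneld runs.
# Uses apps/v1 (Kubernetes 1.9+); extensions/v1beta1 DaemonSets were removed
# in 1.16.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-ppc64le
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  # apps/v1 requires an explicit selector. Both template labels are listed
  # so it equals the selector extensions/v1beta1 defaulted from the template,
  # keeping an already-deployed DaemonSet updatable in place (the selector is
  # immutable). Note: apps/v1 defaults updateStrategy to RollingUpdate where
  # extensions/v1beta1 defaulted to OnDelete.
  selector:
    matchLabels:
      tier: node
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      # flanneld needs the node's real interfaces and routing table.
      hostNetwork: true
      # beta.kubernetes.io/arch is the pre-1.14 label name; newer clusters
      # also set kubernetes.io/arch — confirm which one the target nodes carry.
      nodeSelector:
        beta.kubernetes.io/arch: ppc64le
      # Tolerate every NoSchedule taint so the agent lands on all nodes,
      # including control-plane nodes.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Writes the CNI conflist from the ConfigMap into the host's
        # /etc/cni/net.d — the only host write besides /run/flannel.
        # Image is pinned by tag only; pinning by digest would make the
        # deployed binary immutable.
        - name: install-cni
          image: quay.io/coreos/flannel:v0.11.0-ppc64le
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.11.0-ppc64le
          command:
            - /opt/bin/flanneld
          # --ip-masq: masquerade pod traffic leaving the pod network;
          # --kube-subnet-mgr: take subnet leases from the Kubernetes API
          # (node objects) instead of etcd.
          args:
            - --ip-masq
            - --kube-subnet-mgr
          # requests == limits gives Guaranteed QoS, so the network agent is
          # not among the first pods evicted under node pressure.
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          # Not privileged; NET_ADMIN is the only added capability.
          # allowPrivilegeEscalation is set explicitly so the restriction
          # holds even on clusters where PSP admission is not enabled.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              add: ["NET_ADMIN"]
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      # Only two hostPath volumes; the config comes from the ConfigMap.
      volumes:
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg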
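---
# flannel node agent for s390x nodes. Runs in the host network namespace
# with only NET_ADMIN added, as the flannel ServiceAccount: the install-cni
# init container drops the CNI conflist onto the host, then flanneld runs.
# Uses apps/v1 (Kubernetes 1.9+); extensions/v1beta1 DaemonSets were removed
# in 1.16.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-s390x
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  # apps/v1 requires an explicit selector. Both template labels are listed
  # so it equals the selector extensions/v1beta1 defaulted from the template,
  # keeping an already-deployed DaemonSet updatable in place (the selector is
  # immutable). Note: apps/v1 defaults updateStrategy to RollingUpdate where
  # extensions/v1beta1 defaulted to OnDelete.
  selector:
    matchLabels:
      tier: node
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      # flanneld needs the node's real interfaces and routing table.
      hostNetwork: true
      # beta.kubernetes.io/arch is the pre-1.14 label name; newer clusters
      # also set kubernetes.io/arch — confirm which one the target nodes carry.
      nodeSelector:
        beta.kubernetes.io/arch: s390x
      # Tolerate every NoSchedule taint so the agent lands on all nodes,
      # including control-plane nodes.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Writes the CNI conflist from the ConfigMap into the host's
        # /etc/cni/net.d — the only host write besides /run/flannel.
        # Image is pinned by tag only; pinning by digest would make the
        # deployed binary immutable.
        - name: install-cni
          image: quay.io/coreos/flannel:v0.11.0-s390x
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.11.0-s390x
          command:
            - /opt/bin/flanneld
          # --ip-masq: masquerade pod traffic leaving the pod network;
          # --kube-subnet-mgr: take subnet leases from the Kubernetes API
          # (node objects) instead of etcd.
          args:
            - --ip-masq
            - --kube-subnet-mgr
          # requests == limits gives Guaranteed QoS, so the network agent is
          # not among the first pods evicted under node pressure.
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          # Not privileged; NET_ADMIN is the only added capability.
          # allowPrivilegeEscalation is set explicitly so the restriction
          # holds even on clusters where PSP admission is not enabled.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              add: ["NET_ADMIN"]
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      # Only two hostPath volumes; the config comes from the ConfigMap.
      volumes:
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg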