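# yamllint disable rule:hyphens rule:commas rule:indentation
---
# ovn-namespace.yaml
#
# Setup for Kubernetes to support the ovn-kubernetes plugin
#
# Create the namespace for ovn-kubernetes.
#
# This provisioning is done as part of installation after the cluster is
# up and before the ovn daemonsets are created.
apiVersion: v1
kind: Namespace
metadata:
  name: ovn-kubernetes
---
# ovn-policy.yaml
#
# Setup for Kubernetes to support the ovn-kubernetes plugin
#
# Create the service account and policies.
# ovnkube interacts with kubernetes and the environment
# must be properly set up.
#
# This provisioning is done as part of installation after the cluster is
# up and before the ovn daemonsets are created.
#
# Security note: everything below is bound to this single service account.
# Any workload that runs as "ovn" (or that can read its token) inherits the
# cluster-wide write permissions and the unrestricted PodSecurityPolicy
# granted further down, so keep this namespace and account for the ovn
# daemonsets only.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ovn
  namespace: ovn-kubernetes
---
# PodSecurityPolicy for the ovn pods.
#
# For now throw in all the privileges to run a pod; we can fine grain it
# further later. As written this is a fully open policy: privileged
# containers, every capability, host PID/IPC/network namespaces, every host
# port, any volume type (hostPath included), any user/group/SELinux context
# and any seccomp profile. A pod admitted under it is effectively root on
# the node.
#
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was removed from
# Kubernetes in 1.25. On clusters at or past that release this document is
# rejected and the equivalent constraint has to come from Pod Security
# Admission or another admission controller -- confirm the target cluster
# version before relying on it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ovn-kubernetes
  annotations:
    # Any seccomp profile may be requested, including "unconfined".
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - '*'
  hostPID: true
  hostIPC: true
  hostNetwork: true
  hostPorts:
    - min: 0
      # 65535 is the highest valid port. The original said 65536, which is
      # outside the 0-65535 range and is rejected by the API server's PSP
      # validation, so the policy would never have been admitted.
      max: 65535
---
# Cluster-wide permissions for ovnkube. These are granted through a
# ClusterRole + ClusterRoleBinding, so every rule applies in every
# namespace, not just ovn-kubernetes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ovn-kubernetes
rules:
  # Read-only access to the core objects ovnkube watches. This includes
  # configmaps in every namespace; a cluster that keeps sensitive settings
  # in configmaps exposes them to this service account.
  - apiGroups:
      - ""
    resources:
      - pods
      - namespaces
      - nodes
      - endpoints
      - services
      - configmaps
    verbs: ["get", "list", "watch"]
  # Read-only access to NetworkPolicy and StatefulSet objects. "extensions"
  # is the legacy API group for both; "networking.k8s.io" and "apps" are the
  # current ones and keep the rule working once the legacy group is gone.
  - apiGroups:
      - extensions
      - networking.k8s.io
      - apps
    resources:
      - networkpolicies
      - statefulsets
    verbs: ["get", "list", "watch"]
  # Write access to events, endpoints and configmaps in every namespace.
  # Writing endpoints cluster-wide lets the holder redirect traffic for any
  # Service; writing configmaps cluster-wide can alter other workloads'
  # configuration. Presumably ovnkube needs this for its own objects --
  # TODO confirm against the ovnkube code and, if only its own namespace is
  # involved, move these verbs into a namespaced Role.
  - apiGroups:
      - ""
    resources:
      - events
      - endpoints
      - configmaps
    verbs: ["create", "patch", "update"]
  # Patch/update on nodes and pods cluster-wide. On nodes this reaches
  # labels, taints and annotations (and therefore scheduling); on pods the
  # mutable spec fields and annotations. Presumably needed for the
  # annotations ovnkube writes -- TODO confirm whether "patch" alone is
  # enough and drop "update" if so.
  - apiGroups:
      - ""
    resources:
      - nodes
      - pods
    verbs: ["patch", "update"]
  # Lets pods running as the bound service account be admitted under the
  # ovn-kubernetes PodSecurityPolicy above. "extensions" is the legacy
  # location of PSP; "policy" is the current one.
  - apiGroups:
      - extensions
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - ovn-kubernetes
    verbs: ["use"]
---
# Bind the ClusterRole above to the ovn service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ovn-kubernetes
roleRef:
  name: ovn-kubernetes
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: ovn
    namespace: ovn-kubernetes
---
# The network cidr and service cidr are set in the ovn-config configmap.
#
# All four values are deployment-specific. The ones below are the values
# this file was written with (k8s_apiserver in particular is a private
# address of one specific cluster) and must be replaced before applying.
# net_cidr and svc_cidr must not overlap each other or the node network.
kind: ConfigMap
apiVersion: v1
metadata:
  name: ovn-config
  namespace: ovn-kubernetes
data:
  # Pod network range.
  net_cidr: "192.168.0.0/16"
  # Service (ClusterIP) range; presumably has to match the range the
  # apiserver was started with -- confirm.
  svc_cidr: "172.16.1.0/24"
  # API server endpoint the ovn components talk to. Keep it https with a
  # CA the clients trust; a plain-http or untrusted endpoint here would let
  # a network attacker impersonate the control plane to the CNI.
  k8s_apiserver: "https://10.169.41.225:6443"
  # MTU handed to pod interfaces; must leave room for the overlay
  # encapsulation on top of the node MTU.
  mtu: "1400"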