+---
+# ovn-namespace.yaml
+#
+# Setup for Kubernetes to support the ovn-kubernetes plugin
+#
+# Create the namespace for ovn-kubernetes.
+#
+# This provisioning is done as part of installation after the cluster is
+# up and before the ovn daemonsets are created.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ openshift.io/node-selector: "beta.kubernetes.io/os=linux"
+ name: ovn-kubernetes
+
+---
+# ovn-policy.yaml
+#
+# Setup for Kubernetes to support the ovn-kubernetes plugin
+#
+# Create the service account and policies.
+# ovnkube interacts with kubernetes and the environment
+# must be properly set up.
+#
+# This provisioning is done as part of installation after the cluster is
+# up and before the ovn daemonsets are created.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovn
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.k8s.io/system-only: "true"
+ name: system:ovn-reader
+rules:
+- apiGroups:
+ - ""
+ - extensions
+ resources:
+ - pods
+ - namespaces
+ - networkpolicies
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovn-reader
+roleRef:
+ name: system:ovn-reader
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: ovn
+ namespace: ovn-kubernetes
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-admin-0
+roleRef:
+ name: cluster-admin
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: ovn
+ namespace: ovn-kubernetes
+
+---
+# service to expose the ovnkube-db pod
+apiVersion: v1
+kind: Service
+metadata:
+ name: ovnkube-db
+ namespace: ovn-kubernetes
+spec:
+ ports:
+ - name: north
+ port: 6641
+ protocol: TCP
+ targetPort: 6641
+ - name: south
+ port: 6642
+ protocol: TCP
+ targetPort: 6642
+ sessionAffinity: None
+ clusterIP: None
+ type: ClusterIP
+
+---
+# The network cidr and service cidr are set in the ovn-config configmap
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: ovn-config
+ namespace: ovn-kubernetes
+data:
+ net_cidr: "{{ net_cidr | default('10.128.0.0/14/23') }}"
+ svc_cidr: "{{ svc_cidr | default('172.30.0.0/16') }}"
+ k8s_apiserver: "{{ k8s_apiserver.stdout }}"
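Review bot: The `cluster-admin-0` ClusterRoleBinding grants the built-in `cluster-admin` ClusterRole to the `ovn` ServiceAccount in `ovn-kubernetes`, which makes the read-only `system:ovn-reader` role defined just above it meaningless: any pod running as that account, and anyone who can read its token, holds full control of the cluster. Nothing in this file shows which write operations ovnkube needs, so I would drop this binding and add the specific verbs to a dedicated ClusterRole instead, presumably something like `patch`/`update` on `nodes` and `pods`, to be confirmed against what the daemonsets actually call. If the binding has to stay for now, mark it above `kind: ClusterRoleBinding` with `# TODO: replace cluster-admin with a scoped ClusterRole; this gives the ovn ServiceAccount full cluster control`, and rename it from the generic `cluster-admin-0` to something that names its subject, e.g. `ovn-cluster-admin`, so it is easy to find in an RBAC audit.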