+# yamllint disable rule:hyphens rule:commas rule:indentation
+---
+# ovn-namespace.yaml
+#
+# Setup for Kubernetes to support the ovn-kubernetes plugin
+#
+# Create the namespace for ovn-kubernetes.
+#
+# This provisioning is done as part of installation after the cluster is
+# up and before the ovn daemonsets are created.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ovn-kubernetes
+
+---
+# ovn-policy.yaml
+#
+# Setup for Kubernetes to support the ovn-kubernetes plugin
+#
+# Create the service account and policies.
+# ovnkube interacts with kubernetes and the environment
+# must be properly set up.
+#
+# This provisioning is done as part of installation after the cluster is
+# up and before the ovn daemonsets are created.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovn
+ namespace: ovn-kubernetes
+
+---
+# for now throw in all the privileges to run a pod. we can fine grain it further later.
+
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: ovn-kubernetes
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - '*'
+ fsGroup:
+ rule: RunAsAny
+ privileged: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - '*'
+ hostPID: true
+ hostIPC: true
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65536
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ovn-kubernetes
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - namespaces
+ - nodes
+ - endpoints
+ - services
+ - configmaps
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ - apps
+ resources:
+ - networkpolicies
+ - statefulsets
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - ""
+ resources:
+ - events
+ - endpoints
+ - configmaps
+ verbs: ["create", "patch", "update"]
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - pods
+ verbs: ["patch", "update"]
+- apiGroups:
+ - extensions
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - ovn-kubernetes
+ verbs: ["use"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovn-kubernetes
+roleRef:
+ name: ovn-kubernetes
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: ovn
+ namespace: ovn-kubernetes
+
+---
+# The network cidr and service cidr are set in the ovn-config configmap
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: ovn-config
+ namespace: ovn-kubernetes
+data:
+ net_cidr: "192.168.0.0/16"
+ svc_cidr: "172.16.1.0/24"
+ k8s_apiserver: "https://10.169.41.225:6443"
+ mtu: "1400"