Upgrade ovn-kubernetes CNI to latest release
[iec.git] / src / foundation / scripts / cni / ovn-kubernetes / templates / ovn-setup.yaml.j2
index c1d81d1..fd02efd 100644 (file)
@@ -11,8 +11,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  annotations:
-    openshift.io/node-selector: "beta.kubernetes.io/os=linux"
   name: ovn-kubernetes
 
 ---
@@ -33,64 +31,90 @@ metadata:
   name: ovn
   namespace: ovn-kubernetes
 
+---
+# for now throw in all the privileges to run a pod. we can fine grain it further later.
+
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: ovn-kubernetes
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - '*'
+  fsGroup:
+    rule: RunAsAny
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - '*'
+  hostPID: true
+  hostIPC: true
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65536
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    rbac.authorization.k8s.io/system-only: "true"
-  name: system:ovn-reader
+  name: ovn-kubernetes
 rules:
 - apiGroups:
   - ""
-  - extensions
   resources:
   - pods
   - namespaces
-  - networkpolicies
   - nodes
-  verbs:
-  - get
-  - list
-  - watch
+  - endpoints
+  - services
+  - configmaps
+  verbs: ["get", "list", "watch"]
 - apiGroups:
+  - extensions
   - networking.k8s.io
+  - apps
   resources:
   - networkpolicies
-  verbs:
-  - get
-  - list
-  - watch
+  - statefulsets
+  verbs: ["get", "list", "watch"]
 - apiGroups:
   - ""
   resources:
   - events
-  verbs:
-  - create
-  - patch
-  - update
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ovn-reader
-roleRef:
-  name: system:ovn-reader
-  kind: ClusterRole
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
-  name: ovn
-  namespace: ovn-kubernetes
+  - endpoints
+  - configmaps
+  verbs: ["create", "patch", "update"]
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  - pods
+  verbs: ["patch", "update"]
+- apiGroups:
+  - extensions
+  - policy
+  resources:
+  - podsecuritypolicies
+  resourceNames:
+  - ovn-kubernetes
+  verbs: ["use"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cluster-admin-0
+  name: ovn-kubernetes
 roleRef:
-  name: cluster-admin
+  name: ovn-kubernetes
   kind: ClusterRole
   apiGroup: rbac.authorization.k8s.io
 subjects:
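Review bot: The hostPorts range in the new PodSecurityPolicy is off by one — `max: 65536` lies outside the valid port space (0–65535), so `max: 65535` is the intended upper bound. More broadly the policy is wide open (privileged, all capabilities, all volume types, hostPID/hostIPC/hostNetwork, any seccomp profile), which the comment at the top of the document already admits; it would help to record there which of these ovnkube actually needs, since hostNetwork is expected for a CNI agent but hostPID and hostIPC are not obviously required and could likely be dropped if the pod specs (outside this file) do not depend on them. Replacing the former cluster-admin binding with the scoped ClusterRole is a clear improvement; note, though, that `create`/`patch`/`update` on configmaps and endpoints is granted cluster-wide here, so if the controller only writes objects in the ovn-kubernetes namespace a namespaced Role/RoleBinding would narrow it further. The ClusterRoleBinding's subjects list continues into the next hunk.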
@@ -98,27 +122,6 @@ subjects:
   name: ovn
   namespace: ovn-kubernetes
 
----
-# service to expose the ovnkube-db pod
-apiVersion: v1
-kind: Service
-metadata:
-  name: ovnkube-db
-  namespace: ovn-kubernetes
-spec:
-  ports:
-  - name: north
-    port: 6641
-    protocol: TCP
-    targetPort: 6641
-  - name: south
-    port: 6642
-    protocol: TCP
-    targetPort: 6642
-  sessionAffinity: None
-  clusterIP: None
-  type: ClusterIP
-
 ---
 # The network cidr and service cidr are set in the ovn-config configmap
 kind: ConfigMap
@@ -127,6 +130,7 @@ metadata:
   name: ovn-config
   namespace: ovn-kubernetes
 data:
-  net_cidr:      "{{ net_cidr | default('10.128.0.0/14/23') }}"
-  svc_cidr:      "{{ svc_cidr | default('172.30.0.0/16') }}"
-  k8s_apiserver: "{{ k8s_apiserver.stdout }}"
+  net_cidr:      "{{ net_cidr }}"
+  svc_cidr:      "{{ svc_cidr }}"
+  k8s_apiserver: "{{ k8s_apiserver }}"
+  mtu:           "{{ mtu_value }}"
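Review bot: The fallback values for `net_cidr`, `svc_cidr` and `k8s_apiserver` are removed, so the ConfigMap now renders only when every variable is supplied by the caller; if this template is rendered by Ansible (the `.j2` suffix and the former `k8s_apiserver.stdout` suggest so), an undefined variable either aborts the play or, with undefined-variable errors disabled, silently produces an empty string that the CNI would then consume as its CIDR. If requiring the caller to set them is the intent, make that explicit, e.g. `net_cidr:      "{{ net_cidr | mandatory }}"` and likewise for the other three keys, so the failure is a clear templating error rather than an empty value. Keeping each value double-quoted is right, since an unquoted `mtu_value` would render as an integer and ConfigMap `data` requires strings. The ConfigMap document begins before this hunk.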