X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=src%2Ffoundation%2Fscripts%2Fcni%2Fovn-kubernetes%2Ftemplates%2Fovn-setup.yaml.j2;fp=src%2Ffoundation%2Fscripts%2Fcni%2Fovn-kubernetes%2Ftemplates%2Fovn-setup.yaml.j2;h=fd02efd12d2982284d9dbec75f053310b17f59e2;hb=fa1c3405246cfa807b6c2e917d90ab8a44222bdb;hp=c1d81d1a4f3caf003af0bdc120eb687bc400227c;hpb=bba2e4db70d9f5b39845e991020db05de4d03b62;p=iec.git
diff --git a/src/foundation/scripts/cni/ovn-kubernetes/templates/ovn-setup.yaml.j2 b/src/foundation/scripts/cni/ovn-kubernetes/templates/ovn-setup.yaml.j2
index c1d81d1..fd02efd 100644
--- a/src/foundation/scripts/cni/ovn-kubernetes/templates/ovn-setup.yaml.j2
+++ b/src/foundation/scripts/cni/ovn-kubernetes/templates/ovn-setup.yaml.j2
@@ -11,8 +11,6 @@ apiVersion: v1 kind: Namespace metadata: - annotations: - openshift.io/node-selector: "beta.kubernetes.io/os=linux" name: ovn-kubernetes ---
@@ -33,64 +31,90 @@ metadata: name: ovn namespace: ovn-kubernetes +--- +# for now throw in all the privileges to run a pod. we can fine grain it further later. + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: ovn-kubernetes + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + fsGroup: + rule: RunAsAny + privileged: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - '*' + hostPID: true + hostIPC: true + hostNetwork: true + hostPorts: + - min: 0 + max: 65536 + --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:ovn-reader + name: ovn-kubernetes rules: - apiGroups: - "" - - extensions resources: - pods - namespaces - - networkpolicies - nodes - verbs: - - get - - list - - watch + - endpoints + - services + - configmaps + verbs: ["get", "list", "watch"] - apiGroups: + - extensions - networking.k8s.io + - apps resources: - networkpolicies - verbs: - - get - - list - - watch + - statefulsets + verbs: ["get", "list", "watch"] - apiGroups: - "" resources: - events - verbs: - - create - - patch - - update - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn-reader -roleRef: - name: system:ovn-reader - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: ovn - namespace: ovn-kubernetes + - endpoints + - configmaps + verbs: ["create", "patch", "update"] +- apiGroups: + - "" + resources: + - nodes + - pods + verbs: ["patch", "update"] +- apiGroups: + - extensions + - policy + resources: + - podsecuritypolicies + resourceNames: + - ovn-kubernetes + verbs: ["use"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: cluster-admin-0 + name: ovn-kubernetes roleRef: - name: 
cluster-admin + name: ovn-kubernetes kind: ClusterRole apiGroup: rbac.authorization.k8s.io subjects:
@@ -98,27 +122,6 @@ subjects: name: ovn namespace: ovn-kubernetes ---- -# service to expose the ovnkube-db pod -apiVersion: v1 -kind: Service -metadata: - name: ovnkube-db - namespace: ovn-kubernetes -spec: - ports: - - name: north - port: 6641 - protocol: TCP - targetPort: 6641 - - name: south - port: 6642 - protocol: TCP - targetPort: 6642 - sessionAffinity: None - clusterIP: None - type: ClusterIP - --- # The network cidr and service cidr are set in the ovn-config configmap kind: ConfigMap
@@ -127,6 +130,7 @@ metadata: name: ovn-config namespace: ovn-kubernetes data: - net_cidr: "{{ net_cidr | default('10.128.0.0/14/23') }}" - svc_cidr: "{{ svc_cidr | default('172.30.0.0/16') }}" - k8s_apiserver: "{{ k8s_apiserver.stdout }}" + net_cidr: "{{ net_cidr }}" + svc_cidr: "{{ svc_cidr }}" + k8s_apiserver: "{{ k8s_apiserver }}" + mtu: "{{ mtu_value }}"
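Review bot: In the new PodSecurityPolicy the `hostPorts` range is declared as `- min: 0` / `max: 65536`, but 65535 is the highest valid port, so the upper bound is off by one and should read `max: 65535`. The policy otherwise permits everything (privileged, all capabilities, host PID/IPC/network namespaces, every volume type, any seccomp profile), which the added comment says is a deliberate interim choice; the part worth preserving when it is tightened is that the ClusterRole grants `use` only via `resourceNames: [ovn-kubernetes]`, so only subjects bound to that role can run under it. The second rule of the ClusterRole grants the cross-product of `extensions`/`networking.k8s.io`/`apps` with `networkpolicies`/`statefulsets`, which over-declares the grant; one rule per group–resource pairing states the intent and keeps the role minimal. `policy/v1beta1` PodSecurityPolicy has since been deprecated and removed from newer Kubernetes releases, so the manifest will presumably need an admission-based replacement when the target cluster version moves; the hunk starts on the previous page line.
```yaml
# … unchanged: PodSecurityPolicy spec up to hostPorts …
  hostPorts:
  - min: 0
    max: 65535
# … unchanged: ClusterRole header and first rule …
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs: ["get", "list", "watch"]
- apiGroups:
  - apps
  resources:
  - statefulsets
  verbs: ["get", "list", "watch"]
# … unchanged: events/endpoints/configmaps rule, nodes/pods rule, podsecuritypolicies rule, ClusterRoleBinding …
```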
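Review bot: Removing the `default(...)` filters on `net_cidr` and `svc_cidr`, and the `.stdout` access on `k8s_apiserver`, makes all four values mandatory inputs of the template, and an unset variable will now render as an empty string (`net_cidr: ""`) or fail at render time depending on the engine's undefined-variable mode; nothing in the hunk records this change of contract. A comment above `data:` such as `# net_cidr, svc_cidr, k8s_apiserver and mtu_value are required inputs; no defaults are applied here` makes that visible to whoever renders the template, and any caller that relied on the old defaults or passed a command-result object for `k8s_apiserver` (the removed `.stdout` suggests one did) should be checked. The new `mtu` key is fed from `mtu_value` while the other three keys reuse their variable name unchanged; aligning the names, if callers can be updated, keeps the mapping uniform, though that is only naming.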