X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=src%2Ffoundation%2Fscripts%2Fcni%2Fovn-kubernetes%2Fyaml%2Fovn-setup.yaml;fp=src%2Ffoundation%2Fscripts%2Fcni%2Fovn-kubernetes%2Fyaml%2Fovn-setup.yaml;h=28c2dfb77e4380ecb362cd6ad469b6e2d0c76b4f;hb=fa1c3405246cfa807b6c2e917d90ab8a44222bdb;hp=0000000000000000000000000000000000000000;hpb=bba2e4db70d9f5b39845e991020db05de4d03b62;p=iec.git
diff --git a/src/foundation/scripts/cni/ovn-kubernetes/yaml/ovn-setup.yaml b/src/foundation/scripts/cni/ovn-kubernetes/yaml/ovn-setup.yaml
new file mode 100644
index 0000000..28c2dfb
--- /dev/null
+++ b/src/foundation/scripts/cni/ovn-kubernetes/yaml/ovn-setup.yaml
@@ -0,0 +1,137 @@
+# yamllint disable rule:hyphens rule:commas rule:indentation
+---
+# ovn-namespace.yaml
+#
+# Setup for Kubernetes to support the ovn-kubernetes plugin
+#
+# Create the namespace for ovn-kubernetes.
+#
+# This provisioning is done as part of installation after the cluster is
+# up and before the ovn daemonsets are created.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ovn-kubernetes
+
+---
+# ovn-policy.yaml
+#
+# Setup for Kubernetes to support the ovn-kubernetes plugin
+#
+# Create the service account and policies.
+# ovnkube interacts with kubernetes and the environment
+# must be properly set up.
+#
+# This provisioning is done as part of installation after the cluster is
+# up and before the ovn daemonsets are created.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ovn
+ namespace: ovn-kubernetes
+
+---
+# for now throw in all the privileges to run a pod. we can fine grain it further later.
+
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: ovn-kubernetes
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - '*'
+ fsGroup:
+ rule: RunAsAny
+ privileged: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - '*'
+ hostPID: true
+ hostIPC: true
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65536
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ovn-kubernetes
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - namespaces
+ - nodes
+ - endpoints
+ - services
+ - configmaps
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ - apps
+ resources:
+ - networkpolicies
+ - statefulsets
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - ""
+ resources:
+ - events
+ - endpoints
+ - configmaps
+ verbs: ["create", "patch", "update"]
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - pods
+ verbs: ["patch", "update"]
+- apiGroups:
+ - extensions
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - ovn-kubernetes
+ verbs: ["use"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ovn-kubernetes
+roleRef:
+ name: ovn-kubernetes
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: ovn
+ namespace: ovn-kubernetes
+
+---
+# The network cidr and service cidr are set in the ovn-config configmap
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: ovn-config
+ namespace: ovn-kubernetes
+data:
+ net_cidr: "192.168.0.0/16"
+ svc_cidr: "172.16.1.0/24"
+ k8s_apiserver: "https://10.169.41.225:6443"
+ mtu: "1400"
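Review bot: The PodSecurityPolicy in this hunk grants the full privilege set — `privileged: true`, `allowedCapabilities: ['*']`, `volumes: ['*']`, `hostPID`/`hostIPC`/`hostNetwork` all `true`, and a `hostPorts` range of 0–65536 — and the ClusterRole/ClusterRoleBinding let the `ovn` ServiceAccount `use` it, so any pod running as that account is effectively a node-root pod; the "fine grain it further later" comment should at least become a tracked note naming what is expected to shrink, e.g. `# TODO: restrict allowedCapabilities and volumes to what ovnkube needs; drop hostPID/hostIPC if unused`. The `hostPorts` upper bound is also off by one: valid ports end at 65535, so `max: 65536` should be `max: 65535`. The ConfigMap's `k8s_apiserver: "https://10.169.41.225:6443"` is an environment-specific address committed into a generic setup manifest and will likely point other deployments at the wrong apiserver; it (and `net_cidr`/`svc_cidr`) is better injected at install time. Note also that `policy/v1beta1` PodSecurityPolicy has since been removed from Kubernetes (1.25), so this document will eventually need replacing with Pod Security Admission or an equivalent.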