@ -1,9 +1,11 @@
#!/bin/sh
#!/bin/ba sh
set -e
set +x
. /etc/sysconfig/heat-params
set -x
if [ " $NETWORK_DRIVER " = "flannel" ] ; then
_prefix = ${ CONTAINER_INFRA_PREFIX :- quay .io/coreos/ }
FLANNEL_DEPLOY = /srv/magnum/kubernetes/manifests/flannel-deploy.yaml
@ -11,13 +13,65 @@ if [ "$NETWORK_DRIVER" = "flannel" ]; then
[ -f ${ FLANNEL_DEPLOY } ] || {
echo " Writing File: $FLANNEL_DEPLOY "
mkdir -p " $( dirname ${ FLANNEL_DEPLOY } ) "
set +x
cat << EOF > ${FLANNE L_DEPLOY}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: psp.flannel.unprivileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
privileged: false
volumes:
- configMap
- secret
- emptyDir
- hostPath
allowedHostPaths:
- pathPrefix: "/etc/cni/net.d"
- pathPrefix: "/etc/kube-flannel"
- pathPrefix: "/run/flannel"
readOnlyRootFilesystem: false
# Users and groups
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
fsGroup:
rule: RunAsAny
# Privilege Escalation
allowPrivilegeEscalation: false
defaultAllowPrivilegeEscalation: false
# Capabilities
allowedCapabilities: [ 'NET_ADMIN' ]
defaultAddCapabilities: [ ]
requiredDropCapabilities: [ ]
# Host namespaces
hostPID: false
hostIPC: false
hostNetwork: true
hostPorts:
- min: 0
max: 65535
# SELinux
seLinux:
# SELinux is unsed in CaaSP
rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
rules:
- apiGroups: [ 'extensions' ]
resources: [ 'podsecuritypolicies' ]
verbs: [ 'use' ]
resourceNames: [ 'psp.flannel.unprivileged' ]
- apiGroups:
- ""
resources:
@ -101,7 +155,7 @@ data:
echo "Wrote CNI binaries to /host/opt/cni/bin/" ;
fi ;
---
apiVersion: extensions/v1beta 1
apiVersion: apps/v 1
kind: DaemonSet
metadata:
name: kube-flannel-ds-amd64
@ -110,6 +164,9 @@ metadata:
tier: node
app: flannel
spec:
selector:
matchLabels:
app: flannel
template:
metadata:
labels:
@ -120,14 +177,8 @@ spec:
nodeSelector:
beta.kubernetes.io/arch: amd64
tolerations:
# Make sure flannel gets scheduled on all nodes.
- effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
- operator: Exists
effect: NoSchedule
serviceAccountName: flannel
initContainers:
- name: install-cni-plugins
@ -170,7 +221,9 @@ spec:
cpu: "100m"
memory: "50Mi"
securityContext:
privileged: true
privileged: false
capabilities:
add: [ "NET_ADMIN" ]
env:
- name: POD_NAME
valueFrom:
@ -182,7 +235,7 @@ spec:
fieldPath: metadata.namespace
volumeMounts:
- name: run
mountPath: /run
mountPath: /run/flannel
- name: flannel-cfg
mountPath: /etc/kube-flannel/
volumes:
@ -191,7 +244,7 @@ spec:
path: /opt/cni/bin
- name: run
hostPath:
path: /run
path: /run/flannel
- name: cni
hostPath:
path: /etc/cni/net.d
@ -200,6 +253,7 @@ spec:
name: kube-flannel-cfg
EOF
}
set -x
if [ " $MASTER_INDEX " = "0" ] ; then