272 lines
6.0 KiB
Bash
272 lines
6.0 KiB
Bash
set -e
|
|
set +x
|
|
. /etc/sysconfig/heat-params
|
|
set -x
|
|
|
|
|
|
if [ "$NETWORK_DRIVER" = "flannel" ]; then
|
|
_prefix=${CONTAINER_INFRA_PREFIX:-quay.io/coreos/}
|
|
FLANNEL_DEPLOY=/srv/magnum/kubernetes/manifests/flannel-deploy.yaml
|
|
|
|
[ -f ${FLANNEL_DEPLOY} ] || {
|
|
echo "Writing File: $FLANNEL_DEPLOY"
|
|
mkdir -p "$(dirname ${FLANNEL_DEPLOY})"
|
|
set +x
|
|
cat << EOF > ${FLANNEL_DEPLOY}
|
|
---
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: psp.flannel.unprivileged
|
|
annotations:
|
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
|
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
|
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
|
|
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
|
|
spec:
|
|
privileged: false
|
|
volumes:
|
|
- configMap
|
|
- secret
|
|
- emptyDir
|
|
- hostPath
|
|
allowedHostPaths:
|
|
- pathPrefix: "/etc/cni/net.d"
|
|
- pathPrefix: "/etc/kube-flannel"
|
|
- pathPrefix: "/run/flannel"
|
|
readOnlyRootFilesystem: false
|
|
# Users and groups
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
# Privilege Escalation
|
|
allowPrivilegeEscalation: false
|
|
defaultAllowPrivilegeEscalation: false
|
|
# Capabilities
|
|
allowedCapabilities: ['NET_ADMIN']
|
|
defaultAddCapabilities: []
|
|
requiredDropCapabilities: []
|
|
# Host namespaces
|
|
hostPID: false
|
|
hostIPC: false
|
|
hostNetwork: true
|
|
hostPorts:
|
|
- min: 0
|
|
max: 65535
|
|
# SELinux
|
|
seLinux:
|
|
# SELinux is unsed in CaaSP
|
|
rule: 'RunAsAny'
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
metadata:
|
|
name: flannel
|
|
rules:
|
|
- apiGroups: ['extensions']
|
|
resources: ['podsecuritypolicies']
|
|
verbs: ['use']
|
|
resourceNames: ['psp.flannel.unprivileged']
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods
|
|
verbs:
|
|
- get
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- nodes
|
|
verbs:
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- nodes/status
|
|
verbs:
|
|
- patch
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
metadata:
|
|
name: flannel
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: flannel
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: flannel
|
|
namespace: kube-system
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: flannel
|
|
namespace: kube-system
|
|
---
|
|
kind: ConfigMap
|
|
apiVersion: v1
|
|
metadata:
|
|
name: kube-flannel-cfg
|
|
namespace: kube-system
|
|
labels:
|
|
tier: node
|
|
app: flannel
|
|
data:
|
|
cni-conf.json: |
|
|
{
|
|
"name": "cbr0",
|
|
"cniVersion": "0.2.0",
|
|
"plugins": [
|
|
{
|
|
"type": "flannel",
|
|
"delegate": {
|
|
"hairpinMode": true,
|
|
"isDefaultGateway": true
|
|
}
|
|
},
|
|
{
|
|
"type": "portmap",
|
|
"capabilities": {
|
|
"portMappings": true
|
|
}
|
|
}
|
|
]
|
|
}
|
|
net-conf.json: |
|
|
{
|
|
"Network": "$FLANNEL_NETWORK_CIDR",
|
|
"Subnetlen": $FLANNEL_NETWORK_SUBNETLEN,
|
|
"Backend": {
|
|
"Type": "$FLANNEL_BACKEND"
|
|
}
|
|
}
|
|
magnum-install-cni.sh: |
|
|
#!/bin/sh
|
|
set -e -x;
|
|
if [ -w "/host/opt/cni/bin/" ]; then
|
|
cp /opt/cni/bin/* /host/opt/cni/bin/;
|
|
echo "Wrote CNI binaries to /host/opt/cni/bin/";
|
|
fi;
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
name: kube-flannel-ds
|
|
namespace: kube-system
|
|
labels:
|
|
tier: node
|
|
app: flannel
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
tier: node
|
|
app: flannel
|
|
template:
|
|
metadata:
|
|
labels:
|
|
tier: node
|
|
app: flannel
|
|
spec:
|
|
# https://pagure.io/atomic/kubernetes-sig/issue/3
|
|
# https://danwalsh.livejournal.com/74754.html
|
|
securityContext:
|
|
seLinuxOptions:
|
|
type: "spc_t"
|
|
hostNetwork: true
|
|
tolerations:
|
|
- operator: Exists
|
|
effect: NoSchedule
|
|
serviceAccountName: flannel
|
|
initContainers:
|
|
- name: install-cni-plugins
|
|
image: ${_prefix}flannel-cni:${FLANNEL_CNI_TAG}
|
|
command:
|
|
- sh
|
|
args:
|
|
- /etc/kube-flannel/magnum-install-cni.sh
|
|
volumeMounts:
|
|
- name: host-cni-bin
|
|
mountPath: /host/opt/cni/bin/
|
|
- name: flannel-cfg
|
|
mountPath: /etc/kube-flannel/
|
|
- name: install-cni
|
|
image: ${_prefix}flannel:${FLANNEL_TAG}
|
|
command:
|
|
- cp
|
|
args:
|
|
- -f
|
|
- /etc/kube-flannel/cni-conf.json
|
|
- /etc/cni/net.d/10-flannel.conflist
|
|
volumeMounts:
|
|
- name: cni
|
|
mountPath: /etc/cni/net.d
|
|
- name: flannel-cfg
|
|
mountPath: /etc/kube-flannel/
|
|
containers:
|
|
- name: kube-flannel
|
|
image: ${_prefix}flannel:${FLANNEL_TAG}
|
|
command:
|
|
- /opt/bin/flanneld
|
|
args:
|
|
- --ip-masq
|
|
- --kube-subnet-mgr
|
|
resources:
|
|
requests:
|
|
cpu: "100m"
|
|
memory: "50Mi"
|
|
limits:
|
|
cpu: "100m"
|
|
memory: "50Mi"
|
|
securityContext:
|
|
privileged: false
|
|
capabilities:
|
|
add: ["NET_ADMIN"]
|
|
env:
|
|
- name: POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
volumeMounts:
|
|
- name: run
|
|
mountPath: /run/flannel
|
|
- name: flannel-cfg
|
|
mountPath: /etc/kube-flannel/
|
|
volumes:
|
|
- name: host-cni-bin
|
|
hostPath:
|
|
path: /opt/cni/bin
|
|
- name: run
|
|
hostPath:
|
|
path: /run/flannel
|
|
- name: cni
|
|
hostPath:
|
|
path: /etc/cni/net.d
|
|
- name: flannel-cfg
|
|
configMap:
|
|
name: kube-flannel-cfg
|
|
EOF
|
|
}
|
|
set -x
|
|
|
|
if [ "$MASTER_INDEX" = "0" ]; then
|
|
|
|
until [ "ok" = "$(curl --silent http://127.0.0.1:8080/healthz)" ]
|
|
do
|
|
echo "Waiting for Kubernetes API..."
|
|
sleep 5
|
|
done
|
|
fi
|
|
|
|
/usr/bin/kubectl apply -f "${FLANNEL_DEPLOY}" --namespace=kube-system
|
|
fi
|