  1. #!/bin/sh
  2. step="kube-apiserver-to-kubelet-role"
  3. printf "Starting to run ${step}\n"
  4. set +x
  5. . /etc/sysconfig/heat-params
  6. set -x
  7. echo "Waiting for Kubernetes API..."
  8. until [ "ok" = "$(curl --silent http://127.0.0.1:8080/healthz)" ]
  9. do
  10. sleep 5
  11. done
  12. cat <<EOF | kubectl apply --validate=false -f -
  13. apiVersion: rbac.authorization.k8s.io/v1beta1
  14. kind: ClusterRole
  15. metadata:
  16. annotations:
  17. rbac.authorization.kubernetes.io/autoupdate: "true"
  18. labels:
  19. kubernetes.io/bootstrapping: rbac-defaults
  20. name: system:kube-apiserver-to-kubelet
  21. rules:
  22. - apiGroups:
  23. - ""
  24. resources:
  25. - nodes/proxy
  26. - nodes/stats
  27. - nodes/log
  28. - nodes/spec
  29. - nodes/metrics
  30. verbs:
  31. - "*"
  32. EOF
  33. cat <<EOF | kubectl apply --validate=false -f -
  34. apiVersion: rbac.authorization.k8s.io/v1beta1
  35. kind: ClusterRoleBinding
  36. metadata:
  37. name: system:kube-apiserver
  38. namespace: ""
  39. roleRef:
  40. apiGroup: rbac.authorization.k8s.io
  41. kind: ClusterRole
  42. name: system:kube-apiserver-to-kubelet
  43. subjects:
  44. - apiGroup: rbac.authorization.k8s.io
  45. kind: User
  46. name: kubernetes
  47. EOF
  48. # Create an admin user and give it the cluster role.
  49. ADMIN_RBAC=/srv/magnum/kubernetes/kubernetes-admin-rbac.yaml
  50. [ -f ${ADMIN_RBAC} ] || {
  51. echo "Writing File: $ADMIN_RBAC"
  52. mkdir -p $(dirname ${ADMIN_RBAC})
  53. cat << EOF > ${ADMIN_RBAC}
  54. apiVersion: v1
  55. kind: ServiceAccount
  56. metadata:
  57. name: admin
  58. namespace: kube-system
  59. ---
  60. apiVersion: rbac.authorization.k8s.io/v1beta1
  61. kind: ClusterRoleBinding
  62. metadata:
  63. name: admin
  64. roleRef:
  65. apiGroup: rbac.authorization.k8s.io
  66. kind: ClusterRole
  67. name: cluster-admin
  68. subjects:
  69. - kind: ServiceAccount
  70. name: admin
  71. namespace: kube-system
  72. EOF
  73. }
  74. kubectl apply --validate=false -f ${ADMIN_RBAC}
  75. POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
  76. # Pod Security Policies
  77. [ -f ${POD_SECURITY_POLICIES} ] || {
  78. echo "Writing File: $POD_SECURITY_POLICIES"
  79. mkdir -p $(dirname ${POD_SECURITY_POLICIES})
  80. cat > ${POD_SECURITY_POLICIES} <<EOF
  81. ---
  82. apiVersion: policy/v1beta1
  83. kind: PodSecurityPolicy
  84. metadata:
  85. name: magnum.privileged
  86. annotations:
  87. kubernetes.io/description: 'privileged allows full unrestricted access to
  88. pod features, as if the PodSecurityPolicy controller was not enabled.'
  89. seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  90. labels:
  91. kubernetes.io/cluster-service: "true"
  92. addonmanager.kubernetes.io/mode: Reconcile
  93. spec:
  94. privileged: true
  95. allowPrivilegeEscalation: true
  96. allowedCapabilities:
  97. - '*'
  98. volumes:
  99. - '*'
  100. hostNetwork: true
  101. hostPorts:
  102. - min: 0
  103. max: 65535
  104. hostIPC: true
  105. hostPID: true
  106. runAsUser:
  107. rule: 'RunAsAny'
  108. seLinux:
  109. rule: 'RunAsAny'
  110. supplementalGroups:
  111. rule: 'RunAsAny'
  112. fsGroup:
  113. rule: 'RunAsAny'
  114. readOnlyRootFilesystem: false
  115. ---
  116. apiVersion: rbac.authorization.k8s.io/v1
  117. kind: ClusterRole
  118. metadata:
  119. name: magnum:podsecuritypolicy:privileged
  120. labels:
  121. kubernetes.io/cluster-service: "true"
  122. addonmanager.kubernetes.io/mode: Reconcile
  123. rules:
  124. - apiGroups:
  125. - policy
  126. resourceNames:
  127. - magnum.privileged
  128. resources:
  129. - podsecuritypolicies
  130. verbs:
  131. - use
  132. EOF
  133. }
  134. kubectl apply -f ${POD_SECURITY_POLICIES}
  135. # Add the openstack trustee as a secret under kube-system
  136. kubectl -n kube-system create secret generic os-trustee \
  137. --from-literal=os-authURL=${AUTH_URL} \
  138. --from-literal=os-trustID=${TRUST_ID} \
  139. --from-literal=os-trusteeID=${TRUSTEE_USER_ID} \
  140. --from-literal=os-trusteePassword=${TRUSTEE_PASSWORD} \
  141. --from-literal=os-region=${REGION_NAME} \
  142. --from-file=os-certAuthority=/etc/kubernetes/ca-bundle.crt
  143. if [ -z "${TRUST_ID}" ] || [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" != "true" ]; then
  144. exit 0
  145. fi
  146. #TODO: add heat variables for master count to determine leaderelect true/False ?
  147. occm_image="${CONTAINER_INFRA_PREFIX:-docker.io/k8scloudprovider/}openstack-cloud-controller-manager:${CLOUD_PROVIDER_TAG}"
  148. OCCM=/srv/magnum/kubernetes/openstack-cloud-controller-manager.yaml
  149. [ -f ${OCCM} ] || {
  150. echo "Writing File: ${OCCM}"
  151. mkdir -p $(dirname ${OCCM})
  152. cat << EOF > ${OCCM}
  153. ---
  154. apiVersion: v1
  155. kind: ServiceAccount
  156. metadata:
  157. name: cloud-controller-manager
  158. namespace: kube-system
  159. ---
  160. apiVersion: v1
  161. items:
  162. - apiVersion: rbac.authorization.k8s.io/v1
  163. kind: ClusterRole
  164. metadata:
  165. name: system:cloud-controller-manager
  166. rules:
  167. - apiGroups:
  168. - ""
  169. resources:
  170. - events
  171. verbs:
  172. - create
  173. - patch
  174. - update
  175. - apiGroups:
  176. - ""
  177. resources:
  178. - nodes
  179. verbs:
  180. - '*'
  181. - apiGroups:
  182. - ""
  183. resources:
  184. - nodes/status
  185. verbs:
  186. - patch
  187. - apiGroups:
  188. - ""
  189. resources:
  190. - services
  191. verbs:
  192. - list
  193. - patch
  194. - update
  195. - watch
  196. - apiGroups:
  197. - ""
  198. resources:
  199. - serviceaccounts
  200. verbs:
  201. - create
  202. - get
  203. - apiGroups:
  204. - ""
  205. resources:
  206. - persistentvolumes
  207. verbs:
  208. - '*'
  209. - apiGroups:
  210. - ""
  211. resources:
  212. - endpoints
  213. verbs:
  214. - create
  215. - get
  216. - list
  217. - watch
  218. - update
  219. - apiGroups:
  220. - ""
  221. resources:
  222. - configmaps
  223. verbs:
  224. - get
  225. - list
  226. - watch
  227. - apiGroups:
  228. - ""
  229. resources:
  230. - secrets
  231. verbs:
  232. - list
  233. - get
  234. - apiVersion: rbac.authorization.k8s.io/v1
  235. kind: ClusterRole
  236. metadata:
  237. name: system:cloud-node-controller
  238. rules:
  239. - apiGroups:
  240. - ""
  241. resources:
  242. - nodes
  243. verbs:
  244. - '*'
  245. - apiGroups:
  246. - ""
  247. resources:
  248. - nodes/status
  249. verbs:
  250. - patch
  251. - apiGroups:
  252. - ""
  253. resources:
  254. - events
  255. verbs:
  256. - create
  257. - patch
  258. - update
  259. - apiVersion: rbac.authorization.k8s.io/v1
  260. kind: ClusterRole
  261. metadata:
  262. name: system:pvl-controller
  263. rules:
  264. - apiGroups:
  265. - ""
  266. resources:
  267. - persistentvolumes
  268. verbs:
  269. - '*'
  270. - apiGroups:
  271. - ""
  272. resources:
  273. - events
  274. verbs:
  275. - create
  276. - patch
  277. - update
  278. kind: List
  279. metadata: {}
  280. ---
  281. apiVersion: v1
  282. items:
  283. - apiVersion: rbac.authorization.k8s.io/v1
  284. kind: ClusterRoleBinding
  285. metadata:
  286. name: system:cloud-node-controller
  287. roleRef:
  288. apiGroup: rbac.authorization.k8s.io
  289. kind: ClusterRole
  290. name: system:cloud-node-controller
  291. subjects:
  292. - kind: ServiceAccount
  293. name: cloud-node-controller
  294. namespace: kube-system
  295. - apiVersion: rbac.authorization.k8s.io/v1
  296. kind: ClusterRoleBinding
  297. metadata:
  298. name: system:pvl-controller
  299. roleRef:
  300. apiGroup: rbac.authorization.k8s.io
  301. kind: ClusterRole
  302. name: system:pvl-controller
  303. subjects:
  304. - kind: ServiceAccount
  305. name: pvl-controller
  306. namespace: kube-system
  307. - apiVersion: rbac.authorization.k8s.io/v1
  308. kind: ClusterRoleBinding
  309. metadata:
  310. name: system:cloud-controller-manager
  311. roleRef:
  312. apiGroup: rbac.authorization.k8s.io
  313. kind: ClusterRole
  314. name: system:cloud-controller-manager
  315. subjects:
  316. - kind: ServiceAccount
  317. name: cloud-controller-manager
  318. namespace: kube-system
  319. kind: List
  320. metadata: {}
  321. ---
  322. apiVersion: apps/v1
  323. kind: DaemonSet
  324. metadata:
  325. labels:
  326. k8s-app: openstack-cloud-controller-manager
  327. name: openstack-cloud-controller-manager
  328. namespace: kube-system
  329. spec:
  330. selector:
  331. matchLabels:
  332. k8s-app: openstack-cloud-controller-manager
  333. template:
  334. metadata:
  335. labels:
  336. k8s-app: openstack-cloud-controller-manager
  337. spec:
  338. hostNetwork: true
  339. serviceAccountName: cloud-controller-manager
  340. containers:
  341. - name: openstack-cloud-controller-manager
  342. image: ${occm_image}
  343. command:
  344. - /bin/openstack-cloud-controller-manager
  345. - --v=2
  346. - --cloud-config=/etc/kubernetes/cloud-config
  347. - --cluster-name=${CLUSTER_UUID}
  348. - --use-service-account-credentials=true
  349. - --bind-address=127.0.0.1
  350. volumeMounts:
  351. - name: cloudconfig
  352. mountPath: /etc/kubernetes
  353. readOnly: true
  354. volumes:
  355. - name: cloudconfig
  356. hostPath:
  357. path: /etc/kubernetes
  358. tolerations:
  359. # this is required so CCM can bootstrap itself
  360. - key: node.cloudprovider.kubernetes.io/uninitialized
  361. value: "true"
  362. effect: NoSchedule
  363. # this is to have the daemonset runnable on master nodes
  364. # the taint may vary depending on your cluster setup
  365. - key: dedicated
  366. value: master
  367. effect: NoSchedule
  368. - key: CriticalAddonsOnly
  369. value: "True"
  370. effect: NoSchedule
  371. # this is to restrict CCM to only run on master nodes
  372. # the node selector may vary depending on your cluster setup
  373. nodeSelector:
  374. node-role.kubernetes.io/master: ""
  375. EOF
  376. }
  377. kubectl create -f ${OCCM}
  378. printf "Finished running ${step}\n"