With the new config option `keystone_auth_default_policy`, the cloud admin can set a default keystone auth policy for the k8s cluster when keystone auth is enabled. As a result, users can use their current keystone user to access the k8s cluster as long as they're assigned the correct roles, and they will get the pre-defined permissions set by the cloud provider.

The default policy is now based on the v2 format recently introduced in k8s-keystone-auth, which is getting more useful now. For example, v1 doesn't support a policy for users to access resources from all namespaces but kube-system, but v2 can do that.

NOTE: Now we're using the openstackmagnum dockerhub repo until the CPO team fixes their image release issue.

Task: 30069
Story: 1755770
Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
A Docker swarm cluster with Heat
These templates will work with the Juno version of Heat.
These templates will work with either CentOS Atomic Host or Fedora 21 Atomic.
Creating the stack
First, you must create a swarm token, which is used to uniquely identify the cluster to the global discovery service. This can be done by issuing a create call to the swarm CLI. Alternatively, if you have access to Docker you can use the dockerswarm/swarm image.
$ swarm create
afeb445bcb2f573aeb8ff3a199785f45
$ docker run dockerswarm/swarm create
d8cdfe5128af6e1075b34aa06ff1cc2c
Creating an environment file
local.yaml with parameters specific to
parameters:
  ssh_key_name: testkey
  external_network: 028d70dd-67b8-4901-8bdd-0c62b06cce2d
  dns_nameserver: 192.168.200.1
  server_image: fedora-atomic-latest
  discovery_url: token://d8cdfe5128af6e1075b34aa06ff1cc2c
And then create the stack, referencing that environment file:
heat stack-create -f swarm.yaml -e local.yaml my-swarm-cluster
You must provide values for:
Interacting with Swarm
The Docker CLI interacts with the cluster through the swarm master listening on port 2376.
You can get the IP address of the swarm master using the heat output-show command:
$ heat output-show my-swarm-cluster swarm_master
"192.168.200.86"
Provide the Docker CLI with the address for the swarm master.
$ docker -H tcp://192.168.200.86:2376 info
Containers: 4
Nodes: 3
 swarm-master: 10.0.0.1:2375
 swarm-node1: 10.0.0.2:2375
 swarm-node2: 10.0.0.3:2375
You can test the swarm cluster with the Docker CLI by running a container. In the example below, a container is spawned in the cluster to ping 220.127.116.11.
$ docker -H tcp://192.168.200.86:2376 run -i cirros /bin/ping -c 4 18.104.22.168
PING 22.214.171.124 (126.96.36.199): 56 data bytes
64 bytes from 188.8.131.52: seq=0 ttl=127 time=40.749 ms
64 bytes from 184.108.40.206: seq=1 ttl=127 time=46.264 ms
64 bytes from 220.127.116.11: seq=2 ttl=127 time=42.808 ms
64 bytes from 18.104.22.168: seq=3 ttl=127 time=42.270 ms
--- 22.214.171.124 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 40.749/43.022/46.264 ms
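The node list in the docker info output above shows each node's Docker API on port 2375, which by Docker convention is the plain, non-TLS TCP port (2376 is the conventional TLS port). The following is an added example, not part of the original README: a shell helper that reads that output and lists the nodes advertised on 2375 so their network exposure can be reviewed. The function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original README).
# Assumption: node entries in legacy swarm `docker info` output have the
# form "<name>: <ip>:<port>", as in the output shown on this page.

# plaintext_nodes: read `docker info` text on stdin and print
# "<name> <ip>:<port>" for every node entry advertised on port 2375.
plaintext_nodes() {
    awk '
        # A node entry has exactly two fields: "name:" and "ip:port".
        NF == 2 && $1 ~ /:$/ && $2 ~ /^[0-9.]+:[0-9]+$/ {
            name = $1
            sub(/:$/, "", name)          # drop the trailing colon
            n = split($2, parts, ":")    # parts[n] is the port
            if (parts[n] == "2375") print name, $2
        }
    '
}

# count_plaintext_nodes: number of flagged node entries in the text on stdin.
count_plaintext_nodes() {
    plaintext_nodes | wc -l | tr -d ' '
}

# sample_info: constructed sample, copied from the README output above.
sample_info() {
    cat <<'EOF'
Containers: 4
Nodes: 3
 swarm-master: 10.0.0.1:2375
 swarm-node1: 10.0.0.2:2375
 swarm-node2: 10.0.0.3:2375
EOF
}
```

Against a live cluster, pipe the real output through the helper: docker -H tcp://192.168.200.86:2376 info | plaintext_nodes. Each listed address is a Docker API endpoint that should be reachable only from the swarm master's private network.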
Copyright 2014 Lars Kellogg-Stedman firstname.lastname@example.org
Copyright 2015 Rackspace Hosting
Licensed under the Apache License, Version 2.0 (the "License"); you may not use these files except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.