bzub/README.md

## README.md

      
    Raw
  

              README.md
            
          
    kube-router with kubeadm

kube-proxy replacement procedure

On the controller node after kubeadm init is complete:
KUBECONFIG=/etc/kubernetes/admin.conf kubectl apply -f kube-router-kubeadm-all-features.yaml
KUBECONFIG=/etc/kubernetes/admin.conf kubectl -n kube-system delete ds kube-proxy
docker run --privileged --net=host gcr.io/google_containers/kube-proxy-amd64:v1.7.3 kube-proxy --cleanup-iptables
We mount the configMap that contains kube-proxy's kubeconfig to our kube-router pod for API connectivity.
        volumeMounts:
        - name: lib-modules
          mountPath: /lib/modules
          readOnly: true
        - name: cni
          mountPath: /etc/cni/net.d
        - name: kubeconfig
          mountPath: /var/lib/kube-router
          readOnly: true
# [...]
      volumes:
      - hostPath:
          path: /lib/modules
        name: lib-modules
      - hostPath:
          path: /etc/cni/net.d
        name: cni
      - name: kubeconfig
        configMap:
          name: kube-proxy
          items:
          - key: kubeconfig.conf
            path: kubeconfig

  
## kube-router-kubeadm-all-features.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-router-cfg
  namespace: kube-system
  labels:
    tier: node
    k8s-app: kube-router
data:
  cni-conf.json: |
    {
      "name":"kubernetes",
      "type":"bridge",
      "bridge":"kube-bridge",
      "isDefaultGateway":true,
      "ipam": {
        "type":"host-local"
      }
    }
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    k8s-app: kube-router
    tier: node
  name: kube-router
  namespace: kube-system
spec:
  template:
    metadata:
      labels:
        k8s-app: kube-router
        tier: node
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        pod.beta.kubernetes.io/init-containers: '[
            {
                "name": "install-cni",
                "image": "busybox",
                "command": [ "/bin/sh", "-c", "set -e -x; if [ ! -f /etc/cni/net.d/10-kuberouter.conf ]; then TMP=/etc/cni/net.d/.tmp-kuberouter-cfg; cp /etc/kube-router/cni-conf.json ${TMP}; mv ${TMP} /etc/cni/net.d/10-kuberouter.conf; fi" ],
                "volumeMounts": [
                    {
                        "name": "cni",
                        "mountPath": "/etc/cni/net.d"
                    },
                    {
                        "name": "kube-router-cfg",
                        "mountPath": "/etc/kube-router"
                    }
                ],
                "volumes": {
                     "name": "cni",
                     "hostPath": {
                          "path": "/etc/cni/net.d"
                     }
                }
            }
        ]'
    spec:
      serviceAccountName: kube-router
      serviceAccount: kube-router
      containers:
      - name: kube-router
        image: cloudnativelabs/kube-router-git:master
        imagePullPolicy: Always
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        resources:
          requests:
            cpu: 50m
            memory: 50Mi
        securityContext:
          privileged: true
        volumeMounts:
        - name: lib-modules
          mountPath: /lib/modules
          readOnly: true
        - name: cni
          mountPath: /etc/cni/net.d
        - name: kubeconfig
          mountPath: /var/lib/kube-router
          readOnly: true
      hostNetwork: true
      tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      volumes:
      - hostPath:
          path: /lib/modules
        name: lib-modules
      - hostPath:
          path: /etc/cni/net.d
        name: cni
      - name: kubeconfig
        configMap:
          name: kube-proxy
          items:
          - key: kubeconfig.conf
            path: kubeconfig
        #hostPath:
        #  path: /var/lib/kube-router/kubeconfig
      - name: kube-router-cfg
        configMap:
          name: kube-router-cfg
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-router
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-router
  namespace: kube-system
rules:
  - apiGroups:
    - ""
    resources:
      - namespaces
      - pods
      - services
      - nodes
      - endpoints
    verbs:
      - list
      - get
      - watch
  - apiGroups:
    - "networking.k8s.io"
    resources:
      - networkpolicies
    verbs:
      - list
      - get
      - watch
  - apiGroups:
    - extensions
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-router
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-router
subjects:
- kind: ServiceAccount
  name: kube-router
  namespace: kube-system
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: kube-router-cfg
	namespace: kube-system
	labels:
	tier: node
	k8s-app: kube-router
	data:
	cni-conf.json: \|
	{
	"name":"kubernetes",
	"type":"bridge",
	"bridge":"kube-bridge",
	"isDefaultGateway":true,
	"ipam": {
	"type":"host-local"
	}
	}
	---
	apiVersion: extensions/v1beta1
	kind: DaemonSet
	metadata:
	labels:
	k8s-app: kube-router
	tier: node
	name: kube-router
	namespace: kube-system
	spec:
	template:
	metadata:
	labels:
	k8s-app: kube-router
	tier: node
	annotations:
	scheduler.alpha.kubernetes.io/critical-pod: ''
	pod.beta.kubernetes.io/init-containers: '[
	{
	"name": "install-cni",
	"image": "busybox",
	"command": [ "/bin/sh", "-c", "set -e -x; if [ ! -f /etc/cni/net.d/10-kuberouter.conf ]; then TMP=/etc/cni/net.d/.tmp-kuberouter-cfg; cp /etc/kube-router/cni-conf.json ${TMP}; mv ${TMP} /etc/cni/net.d/10-kuberouter.conf; fi" ],
	"volumeMounts": [
	{
	"name": "cni",
	"mountPath": "/etc/cni/net.d"
	},
	{
	"name": "kube-router-cfg",
	"mountPath": "/etc/kube-router"
	}
	],
	"volumes": {
	"name": "cni",
	"hostPath": {
	"path": "/etc/cni/net.d"
	}
	}
	}
	]'
	spec:
	serviceAccountName: kube-router
	serviceAccount: kube-router
	containers:
	- name: kube-router
	image: cloudnativelabs/kube-router-git:master
	imagePullPolicy: Always
	env:
	- name: NODE_NAME
	valueFrom:
	fieldRef:
	fieldPath: spec.nodeName
	resources:
	requests:
	cpu: 50m
	memory: 50Mi
	securityContext:
	privileged: true
	volumeMounts:
	- name: lib-modules
	mountPath: /lib/modules
	readOnly: true
	- name: cni
	mountPath: /etc/cni/net.d
	- name: kubeconfig
	mountPath: /var/lib/kube-router
	readOnly: true
	hostNetwork: true
	tolerations:
	- key: CriticalAddonsOnly
	operator: Exists
	- effect: NoSchedule
	key: node-role.kubernetes.io/master
	operator: Exists
	volumes:
	- hostPath:
	path: /lib/modules
	name: lib-modules
	- hostPath:
	path: /etc/cni/net.d
	name: cni
	- name: kubeconfig
	configMap:
	name: kube-proxy
	items:
	- key: kubeconfig.conf
	path: kubeconfig
	#hostPath:
	# path: /var/lib/kube-router/kubeconfig
	- name: kube-router-cfg
	configMap:
	name: kube-router-cfg
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: kube-router
	namespace: kube-system
	---
	kind: ClusterRole
	apiVersion: rbac.authorization.k8s.io/v1beta1
	metadata:
	name: kube-router
	namespace: kube-system
	rules:
	- apiGroups:
	- ""
	resources:
	- namespaces
	- pods
	- services
	- nodes
	- endpoints
	verbs:
	- list
	- get
	- watch
	- apiGroups:
	- "networking.k8s.io"
	resources:
	- networkpolicies
	verbs:
	- list
	- get
	- watch
	- apiGroups:
	- extensions
	resources:
	- networkpolicies
	verbs:
	- get
	- list
	- watch
	---
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1beta1
	metadata:
	name: kube-router
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: kube-router
	subjects:
	- kind: ServiceAccount
	name: kube-router
	namespace: kube-system