Created
July 19, 2019 22:39
YAML file generated for custom Linkerd cni-plugin image
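### Namespace ###
# Manifest for a self-hosted install of a custom Linkerd CNI plugin build
# (see the image on the DaemonSet at the bottom). Every workload object
# lives in the `linkerd` namespace and runs as the `linkerd-cni`
# ServiceAccount; the RBAC objects below grant that account only what the
# installer needs: `use` of its PodSecurityPolicy plus read-only,
# cluster-wide access to pods, nodes and namespaces.
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd
---
# PodSecurityPolicy for the CNI installer. It needs the host network and
# two hostPath mounts, so exactly those are granted and nothing more.
# `use` of this PSP is bound only to the linkerd-cni ServiceAccount by the
# Role/RoleBinding that follow.
# NOTE: policy/v1beta1 PodSecurityPolicy is removed in Kubernetes 1.25; on
# newer clusters enforce the same constraints with Pod Security Admission
# or a policy admission controller.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-linkerd-cni
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  # Required: the plugin is installed onto, and runs in, the node's
  # network namespace.
  hostNetwork: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - hostPath
    - secret
  # Limit hostPath volumes to the two directories the DaemonSet actually
  # mounts. These prefixes must stay in sync with the ConfigMap's
  # dest_cni_bin_dir / dest_cni_net_dir values and the DaemonSet volumes;
  # a pod using any other host path is rejected by the admission plugin.
  allowedHostPaths:
    - pathPrefix: /home/kubernetes/bin
    - pathPrefix: /etc/cni/net.d
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-cni
  namespace: linkerd
---
# Namespace-scoped Role: its only permission is `use` of the PSP above,
# restricted by resourceNames to that single policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-cni
  namespace: linkerd
rules:
  - apiGroups: ['extensions', 'policy']
    resources: ['podsecuritypolicies']
    resourceNames:
      - linkerd-linkerd-cni
    verbs: ['use']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-cni
  namespace: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-cni
subjects:
  - kind: ServiceAccount
    name: linkerd-cni
    namespace: linkerd
---
# Include a clusterrole for the linkerd CNI DaemonSet,
# and bind it to the linkerd-cni serviceaccount.
# This is the broadest privilege in the file (cluster-wide, all
# namespaces), so keep the verb list read-only.
# The API group is rbac.authorization.k8s.io/v1, matching the Role and
# RoleBinding above rather than the deprecated v1beta1.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-cni
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes", "namespaces"]
    verbs: ["list", "get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-cni
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-cni
subjects:
  - kind: ServiceAccount
    name: linkerd-cni
    namespace: linkerd
---
# This ConfigMap is used to configure a self-hosted linkerd CNI installation.
# Every value is a quoted string: they are consumed through configMapKeyRef
# environment variables on the DaemonSet, so port numbers and booleans
# must not be retyped by the YAML parser.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-cni-config
  namespace: linkerd
data:
  incoming_proxy_port: "4143"
  outgoing_proxy_port: "4140"
  proxy_uid: "2102"
  inbound_ports_to_ignore: "4190,4191"
  # NOTE(review): nothing in the DaemonSet env below references this key
  # (only inbound_ports_to_ignore is wired through), yet the network
  # config template still contains __OUTBOUND_PORTS_TO_IGNORE__; confirm
  # how the installer populates it.
  outbound_ports_to_ignore: ""
  simulate: "false"
  # Verbose logging is reasonable for a custom/test image; lower it before
  # rolling the plugin onto production nodes.
  log_level: "debug"
  # Both paths must match the hostPath volumes on the DaemonSet (and the
  # allowedHostPaths on the PSP). /home/kubernetes/bin is the GKE node
  # layout; adjust for other distributions.
  dest_cni_net_dir: "/etc/cni/net.d"
  dest_cni_bin_dir: "/home/kubernetes/bin"
  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  # NOTE(review): __SERVICEACCOUNT_TOKEN__ is presumably replaced with the
  # pod's ServiceAccount bearer token before the rendered file is written
  # into dest_cni_net_dir on the node, so that directory then holds a
  # credential for the linkerd-cni account; confirm the file mode the
  # installer (inside the image, not in this manifest) applies to it.
  cni_network_config: |-
    {
      "name": "linkerd-cni",
      "type": "linkerd-cni",
      "log_level": "__LOG_LEVEL__",
      "policy": {
        "type": "k8s",
        "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
        "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
        "kubeconfig": "__KUBECONFIG_FILEPATH__"
      },
      "linkerd": {
        "incoming-proxy-port": __INCOMING_PROXY_PORT__,
        "outgoing-proxy-port": __OUTGOING_PROXY_PORT__,
        "proxy-uid": __PROXY_UID__,
        "ports-to-redirect": [__PORTS_TO_REDIRECT__],
        "inbound-ports-to-ignore": [__INBOUND_PORTS_TO_IGNORE__],
        "outbound-ports-to-ignore": [__OUTBOUND_PORTS_TO_IGNORE__],
        "simulate": __SIMULATE__,
        "use-wait-flag": true
      }
    }
---
# This manifest installs the linkerd CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
# NOTE(review): no tolerations are declared, so the pod will not be
# scheduled onto nodes carrying NoSchedule taints (commonly the control
# plane) despite the comment above; confirm whether masters need it.
kind: DaemonSet
# apps/v1: the extensions/v1beta1 DaemonSet API is deprecated and removed
# in Kubernetes 1.16. apps/v1 requires spec.selector, which is set below.
apiVersion: apps/v1
metadata:
  name: linkerd-cni
  namespace: linkerd
  labels:
    k8s-app: linkerd-cni
  annotations:
    linkerd.io/created-by: linkerd/cli stable-2.4.0
spec:
  selector:
    matchLabels:
      k8s-app: linkerd-cni
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: linkerd-cni
      annotations:
        linkerd.io/created-by: linkerd/cli stable-2.4.0
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      # Host network plus the two hostPath mounts below are what the PSP
      # grants; the installer writes binaries and the network config
      # directly onto the node.
      hostNetwork: true
      serviceAccountName: linkerd-cni
      containers:
        # This container installs the linkerd CNI binaries
        # and CNI network config file on each node. The install
        # script copies the files into place and then sleeps so
        # that Kubernetes doesn't keep trying to restart it.
        - name: install-cni
          # Custom build referenced by mutable tag. Once the build is
          # final, pin it by digest (gcr.io/linkerd-io/cni-plugin@sha256:<DIGEST-PLACEHOLDER>)
          # so a re-pushed tag cannot silently change what every node runs.
          image: gcr.io/linkerd-io/cni-plugin:2970-build-v2
          env:
            - name: DEST_CNI_NET_DIR
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: dest_cni_net_dir
            - name: DEST_CNI_BIN_DIR
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: dest_cni_bin_dir
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: cni_network_config
            - name: INCOMING_PROXY_PORT
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: incoming_proxy_port
            - name: OUTGOING_PROXY_PORT
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: outgoing_proxy_port
            - name: PROXY_UID
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: proxy_uid
            - name: INBOUND_PORTS_TO_IGNORE
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: inbound_ports_to_ignore
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: log_level
            # Keeps the container alive after installation (see comment
            # above); a string, as every env value must be.
            - name: SLEEP
              value: "true"
          lifecycle:
            preStop:
              exec:
                # Ask PID 1 (the sleeping install script) to exit cleanly
                # on pod termination.
                command: ["kill", "-15", "1"]
          volumeMounts:
            - mountPath: /host/home/kubernetes/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      volumes:
        # Used to install CNI. Host paths must match the ConfigMap's
        # dest_cni_* values and the PSP's allowedHostPaths.
        - name: cni-bin-dir
          hostPath:
            path: /home/kubernetes/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
---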