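{{- /*
Copyright 2017 CNI authors
Modifications copyright (c) Linkerd authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

This file was inspired by
1) https://github.com/istio/cni/blob/c63a509539b5ed165a6617548c31b686f13c2133/deployments/kubernetes/install/manifests/istio-cni.yaml
*/ -}}
{{- /*
Renders the resources for the linkerd CNI plugin: an optional Namespace,
a PodSecurityPolicy, the linkerd-cni ServiceAccount with its RBAC (a
namespaced Role granting `use` of that one PSP, plus a cluster-wide
read-only ClusterRole), the ConfigMap holding the plugin's network config,
and the DaemonSet that copies the plugin binary and config onto every
node's host filesystem.

Bare templated scalars are quoted so that an empty or boolean-looking
value renders as a string instead of YAML null/bool.
*/ -}}
{{- if .Values.installNamespace -}}
kind: Namespace
apiVersion: v1
metadata:
  name: "{{.Values.namespace}}"
  annotations:
    # Opts the CNI namespace itself out of proxy injection.
    {{.Values.proxyInjectAnnotation}}: "{{.Values.proxyInjectDisabled}}"
  labels:
    {{.Values.cniResourceLabel}}: "true"
    config.linkerd.io/admission-webhooks: disabled
---
{{ end -}}
# This policy exists so the linkerd-cni ServiceAccount can run the DaemonSet
# below: hostNetwork and hostPath volumes are required to write the plugin
# into the node's CNI directories, which amounts to node-level filesystem
# access. The Role further down limits `use` of this PSP to that single
# ServiceAccount via resourceNames.
# NOTE(review): policy/v1beta1 PodSecurityPolicy is deprecated upstream;
# confirm the target cluster version still serves it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-{{.Values.namespace}}-cni
  labels:
    {{.Values.cniResourceLabel}}: "true"
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  # Required: the DaemonSet pod runs with hostNetwork: true.
  hostNetwork: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  # hostPath covers the CNI bin/net directory mounts; secret presumably
  # covers the automatically mounted ServiceAccount token volume.
  volumes:
  - hostPath
  - secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-cni
  namespace: "{{.Values.namespace}}"
  labels:
    {{.Values.cniResourceLabel}}: "true"
# Pull secrets are rendered verbatim from .Values.imagePullSecrets.
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 2 }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-cni
  namespace: "{{.Values.namespace}}"
  labels:
    {{.Values.cniResourceLabel}}: "true"
# Grants `use` of exactly one PSP (by resourceNames), not of every PSP in
# the group.
rules:
- apiGroups: ['extensions', 'policy']
  resources: ['podsecuritypolicies']
  resourceNames:
  - linkerd-{{.Values.namespace}}-cni
  verbs: ['use']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-cni
  namespace: "{{.Values.namespace}}"
  labels:
    {{.Values.cniResourceLabel}}: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-cni
subjects:
- kind: ServiceAccount
  name: linkerd-cni
  namespace: "{{.Values.namespace}}"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-cni
  labels:
    {{.Values.cniResourceLabel}}: "true"
# Cluster-wide but read-only: list/get/watch on pods, nodes and namespaces.
# No write verbs and no access to secrets.
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "namespaces"]
  verbs: ["list", "get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-cni
  labels:
    {{.Values.cniResourceLabel}}: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-cni
subjects:
- kind: ServiceAccount
  name: linkerd-cni
  namespace: "{{.Values.namespace}}"
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-cni-config
  namespace: "{{.Values.namespace}}"
  labels:
    {{.Values.cniResourceLabel}}: "true"
data:
  dest_cni_net_dir: "{{.Values.destCNINetDir}}"
  dest_cni_bin_dir: "{{.Values.destCNIBinDir}}"
  # The CNI network configuration to install on each node. The special
  # __...__ values in this config will be automatically populated (by the
  # install container at runtime, presumably; this template does not touch
  # them). Once k8s_auth_token is filled in, the file on the node carries a
  # bearer token for the pod's ServiceAccount, so it is as sensitive as that
  # token; the file mode it is written with is decided by the install
  # script, not here.
  # Port/uid/flag values are interpolated into the JSON unquoted, so they
  # must render as valid JSON numbers, booleans or lists; the ignored-port
  # lists are formatted by partials.splitStringList.
  cni_network_config: |-
    {
      "name": "linkerd-cni",
      "type": "linkerd-cni",
      "log_level": "{{.Values.logLevel}}",
      "policy": {
          "type": "k8s",
          "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
          "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
          "kubeconfig": "__KUBECONFIG_FILEPATH__"
      },
      "linkerd": {
        "incoming-proxy-port": {{.Values.inboundProxyPort}},
        "outgoing-proxy-port": {{.Values.outboundProxyPort}},
        "proxy-uid": {{.Values.proxyUID}},
        "ports-to-redirect": [{{.Values.portsToRedirect}}],
        "inbound-ports-to-ignore": [
          {{- include "partials.splitStringList" .Values.ignoreInboundPorts -}}
        ],
        "outbound-ports-to-ignore": [
          {{- include "partials.splitStringList" .Values.ignoreOutboundPorts -}}
        ],
        "simulate": false,
        "use-wait-flag": {{.Values.useWaitFlag}}
      }
    }
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: linkerd-cni
  namespace: "{{.Values.namespace}}"
  labels:
    k8s-app: linkerd-cni
    {{.Values.cniResourceLabel}}: "true"
  annotations:
    {{.Values.createdByAnnotation}}: "{{default (printf "linkerd/helm %s" .Values.cniPluginVersion) .Values.cliVersion}}"
spec:
  selector:
    matchLabels:
      k8s-app: linkerd-cni
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # Roll one node at a time.
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: linkerd-cni
      annotations:
        {{.Values.createdByAnnotation}}: "{{default (printf "linkerd/helm %s" .Values.cniPluginVersion) .Values.cliVersion}}"
    spec:
      {{- if .Values.tolerations }}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end }}
      # Linux only. beta.kubernetes.io/os is the legacy spelling of the
      # kubernetes.io/os node label.
      nodeSelector:
        beta.kubernetes.io/os: linux
      # Host networking plus the read-write host mounts below are what the
      # PSP above permits. No securityContext or resource requests/limits
      # are set in this template, so cluster defaults apply.
      hostNetwork: true
      serviceAccountName: linkerd-cni
      {{- if .Values.priorityClassName }}
      priorityClassName: "{{ .Values.priorityClassName }}"
      {{- end }}
      containers:
      # This container installs the linkerd CNI binaries
      # and CNI network config file on each node. The install
      # script copies the files into place and then sleeps so
      # that Kubernetes doesn't keep trying to restart it.
      - name: install-cni
        image: "{{.Values.cniPluginImage}}:{{.Values.cniPluginVersion}}"
        env:
        # Destination directories and the network config are read from the
        # linkerd-cni-config ConfigMap above rather than passed as literals.
        - name: DEST_CNI_NET_DIR
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: dest_cni_net_dir
        - name: DEST_CNI_BIN_DIR
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: dest_cni_bin_dir
        - name: CNI_NETWORK_CONFIG
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: cni_network_config
        # Presumably what tells the install script to sleep after copying
        # (see the container comment above); a string on purpose.
        - name: SLEEP
          value: "true"
        lifecycle:
          preStop:
            exec:
              # SIGTERM the container's PID 1 so the sleeping script exits
              # promptly when the pod is deleted.
              command: ["kill","-15","1"]
        # Mounts are read-write (no readOnly flag): the installer writes
        # into them. When the bin and net dirs are the same path only one
        # mount is declared, as a second mount of the same hostPath would be
        # redundant.
        volumeMounts:
        {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
        - mountPath: /host{{.Values.destCNIBinDir}}
          name: cni-bin-dir
        - mountPath: /host{{.Values.destCNINetDir}}
          name: cni-net-dir
        {{- else }}
        - mountPath: /host{{.Values.destCNINetDir}}
          name: cni-net-dir
        {{- end }}
      # No hostPath `type:` is set, so the kubelet performs no check on
      # whether the path exists or is a directory before mounting it.
      volumes:
      {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
      - name: cni-bin-dir
        hostPath:
          path: "{{.Values.destCNIBinDir}}"
      - name: cni-net-dir
        hostPath:
          path: "{{.Values.destCNINetDir}}"
      {{- else }}
      - name: cni-net-dir
        hostPath:
          path: "{{.Values.destCNINetDir}}"
      {{- end }}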