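{{- /*
Copyright 2017 CNI authors
Modifications copyright (c) Linkerd authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

This file was inspired by
1) https://github.com/istio/cni/blob/c63a509539b5ed165a6617548c31b686f13c2133/deployments/kubernetes/install/manifests/istio-cni.yaml

Resources rendered by this template, one per YAML document:
  Namespace (optional) -> PodSecurityPolicy -> ServiceAccount ->
  Role/RoleBinding ("use" on the PSP) -> ClusterRole/ClusterRoleBinding
  (read-only pods/nodes/namespaces) -> ConfigMap (CNI network config) ->
  DaemonSet (install-cni on every Linux node).
*/ -}}
{{- if .Values.installNamespace -}}
# The namespace is annotated so the Linkerd proxy injector skips it and
# labelled so the control plane's admission webhooks leave it alone: the
# CNI installer must neither be meshed nor blocked by a webhook.
kind: Namespace
apiVersion: v1
metadata:
  name: {{.Values.namespace}}
  annotations:
    {{.Values.proxyInjectAnnotation}}: "{{.Values.proxyInjectDisabled}}"
  labels:
    {{.Values.cniResourceLabel}}: "true"
    config.linkerd.io/admission-webhooks: disabled
---
{{ end -}}
# PodSecurityPolicy that the linkerd-cni ServiceAccount is granted "use" on
# (Role/RoleBinding below). hostNetwork and hostPath are needed because the
# installer writes the CNI plugin binary and its network config onto the
# node's filesystem.
# NOTE(review): policy/v1beta1 PodSecurityPolicy is deprecated from
# Kubernetes 1.21 and removed in 1.25. Where PSP admission is absent this
# object is inert, so the DaemonSet below repeats the container-level
# restriction it can express on its own.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-{{.Values.namespace}}-cni
  labels:
    {{.Values.cniResourceLabel}}: "true"
spec:
  # Stated explicitly rather than relying on API defaults: the installer
  # needs the host mounts listed below, not a privileged container.
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: true
  hostPID: false
  hostIPC: false
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - hostPath
  - secret
  # NOTE(review): bound service-account tokens (the default on current
  # Kubernetes) are injected as a projected volume; without this entry the
  # PSP would reject the DaemonSet pods on such clusters.
  - projected
  # Limit hostPath to the two directories the install-cni container mounts
  # (CNI binary dir and CNI network-config dir). Without allowedHostPaths any
  # node path could be mounted by a pod permitted to use this policy.
  allowedHostPaths:
  - pathPrefix: {{.Values.destCNIBinDir}}
  {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
  - pathPrefix: {{.Values.destCNINetDir}}
  {{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-cni
  namespace: {{.Values.namespace}}
  labels:
    {{.Values.cniResourceLabel}}: "true"
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 2 }}
{{- end }}
---
# Namespaced Role: its only permission is "use" on the PSP defined above,
# scoped by resourceNames so no other policy can be picked up.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-cni
  namespace: {{.Values.namespace}}
  labels:
    {{.Values.cniResourceLabel}}: "true"
rules:
- apiGroups: ['extensions', 'policy']
  resources: ['podsecuritypolicies']
  resourceNames:
  - linkerd-{{.Values.namespace}}-cni
  verbs: ['use']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-cni
  namespace: {{.Values.namespace}}
  labels:
    {{.Values.cniResourceLabel}}: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-cni
subjects:
- kind: ServiceAccount
  name: linkerd-cni
  namespace: {{.Values.namespace}}
---
# Cluster-wide, read-only access to pods, nodes and namespaces. This is the
# full privilege carried by the linkerd-cni service-account token, which the
# ConfigMap below embeds into the on-node CNI config; keep it read-only.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-cni
  labels:
    {{.Values.cniResourceLabel}}: "true"
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "namespaces"]
  verbs: ["list", "get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-cni
  labels:
    {{.Values.cniResourceLabel}}: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-cni
subjects:
- kind: ServiceAccount
  name: linkerd-cni
  namespace: {{.Values.namespace}}
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-cni-config
  namespace: {{.Values.namespace}}
  labels:
    {{.Values.cniResourceLabel}}: "true"
data:
  dest_cni_net_dir: "{{.Values.destCNINetDir}}"
  dest_cni_bin_dir: "{{.Values.destCNIBinDir}}"
  # The CNI network configuration to install on each node. The __...__
  # values are placeholders; the install-cni container is expected to fill
  # them in at install time (that substitution lives in the installer image,
  # not in this chart).
  # NOTE(review): if __SERVICEACCOUNT_TOKEN__ is substituted as its name
  # suggests, the linkerd-cni service-account token ends up in a plain file
  # under dest_cni_net_dir on every node. That token carries the ClusterRole
  # permissions above, so the node's CNI config directory must stay
  # root-only readable, and uninstalling the DaemonSet does not by itself
  # remove the token from nodes or revoke it.
  # No comments inside the block scalar below: every line is part of the
  # JSON value.
  cni_network_config: |-
    {
      "name": "linkerd-cni",
      "type": "linkerd-cni",
      "log_level": "{{.Values.logLevel}}",
      "policy": {
          "type": "k8s",
          "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
          "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
          "kubeconfig": "__KUBECONFIG_FILEPATH__"
      },
      "linkerd": {
        "incoming-proxy-port": {{.Values.inboundProxyPort}},
        "outgoing-proxy-port": {{.Values.outboundProxyPort}},
        "proxy-uid": {{.Values.proxyUID}},
        "ports-to-redirect": [{{.Values.portsToRedirect}}],
        "inbound-ports-to-ignore": [
          {{- include "partials.splitStringList" .Values.ignoreInboundPorts -}}
        ],
        "outbound-ports-to-ignore": [
          {{- include "partials.splitStringList" .Values.ignoreOutboundPorts -}}
        ],
        "simulate": false,
        "use-wait-flag": {{.Values.useWaitFlag}}
      }
    }
---
# One install-cni pod per Linux node. hostNetwork matches the PSP above; the
# container is unprivileged and (via the PSP and its own securityContext)
# cannot gain privileges.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: linkerd-cni
  namespace: {{.Values.namespace}}
  labels:
    k8s-app: linkerd-cni
    {{.Values.cniResourceLabel}}: "true"
  annotations:
    {{.Values.createdByAnnotation}}: "{{default (printf "linkerd/helm %s" .Values.cniPluginVersion) .Values.cliVersion}}"
spec:
  selector:
    matchLabels:
      k8s-app: linkerd-cni
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: linkerd-cni
      annotations:
        {{.Values.createdByAnnotation}}: "{{default (printf "linkerd/helm %s" .Values.cniPluginVersion) .Values.cliVersion}}"
    spec:
      {{- if .Values.tolerations }}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end }}
      nodeSelector:
        beta.kubernetes.io/os: linux
      hostNetwork: true
      serviceAccountName: linkerd-cni
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName }}
      {{- end }}
      containers:
      # This container installs the linkerd CNI binaries
      # and CNI network config file on each node. The install
      # script copies the files into place and then sleeps so
      # that Kubernetes doesn't keep trying to restart it.
      - name: install-cni
        # Pinned by tag only. A digest reference (image@sha256:...) would
        # make the node-level installer immutable against tag re-pushes.
        image: {{.Values.cniPluginImage}}:{{.Values.cniPluginVersion}}
        securityContext:
          # Same restriction the PSP enforces, repeated here so it still
          # applies on clusters where PSP admission is off or removed.
          allowPrivilegeEscalation: false
        env:
        - name: DEST_CNI_NET_DIR
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: dest_cni_net_dir
        - name: DEST_CNI_BIN_DIR
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: dest_cni_bin_dir
        - name: CNI_NETWORK_CONFIG
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: cni_network_config
        - name: SLEEP
          value: "true"
        lifecycle:
          preStop:
            exec:
              # SIGTERM the container's PID 1 (the install script),
              # presumably so it can run its own shutdown/cleanup before
              # the pod is killed.
              command: ["kill","-15","1"]
        volumeMounts:
        {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
        - mountPath: /host{{.Values.destCNIBinDir}}
          name: cni-bin-dir
        - mountPath: /host{{.Values.destCNINetDir}}
          name: cni-net-dir
        {{- else }}
        - mountPath: /host{{.Values.destCNINetDir}}
          name: cni-net-dir
        {{- end }}
      # Exactly the host directories permitted by the PSP's allowedHostPaths;
      # both are writable because the installer copies files into them.
      volumes:
      {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
      - name: cni-bin-dir
        hostPath:
          path: {{.Values.destCNIBinDir}}
      - name: cni-net-dir
        hostPath:
          path: {{.Values.destCNINetDir}}
      {{- else }}
      - name: cni-net-dir
        hostPath:
          path: {{.Values.destCNINetDir}}
      {{- end }}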