mirror of https://github.com/linkerd/linkerd2.git
---
# Source: linkerd2-cni/templates/cni-plugin.yaml
#
# Namespace that holds the linkerd-cni ServiceAccount, Role, RoleBinding,
# ConfigMap and DaemonSet defined in the rest of this file.
apiVersion: v1
kind: Namespace
metadata:
  name: linkerd-test
  labels:
    # Marks the namespace as part of the Linkerd control plane.
    linkerd.io/is-control-plane: 'true'
    # Opts this namespace out of Linkerd's admission webhooks. Workloads
    # created here are not mutated or validated by them, so who may create
    # pods in this namespace should be limited by RBAC.
    config.linkerd.io/admission-webhooks: disabled
  annotations:
    # No proxy sidecar is injected into pods of this namespace.
    linkerd.io/inject: disabled
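---
# PodSecurityPolicy for the linkerd-cni installer pod. The Role "linkerd-cni"
# in namespace linkerd-test grants `use` on this policy by resourceName.
# NOTE(review): policy/v1beta1 PodSecurityPolicy was removed in Kubernetes
# 1.25, so this manifest only applies to older clusters.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-linkerd-test-cni
  labels:
    linkerd.io/cni-resource-test: "true"
spec:
  # A process in an admitted pod cannot gain more privileges than its parent.
  allowPrivilegeEscalation: false
  # Admitted pods may share the node's network namespace; the DaemonSet in
  # this file sets hostNetwork: true.
  hostNetwork: true
  # RunAsAny places no constraint on UID, groups or SELinux context, so a
  # container admitted under this policy may run as root.
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  # Only these volume types are admitted. hostPath is what the installer uses
  # for the CNI directories; secret presumably covers the service-account
  # token volume (confirm against the cluster version in use).
  volumes:
    - hostPath
    - secret
  # Without allowedHostPaths, a policy that admits hostPath lets a pod mount
  # any directory of the node. Limit it to the two directories the DaemonSet
  # in this file mounts; keep these prefixes in sync with the ConfigMap's
  # dest_cni_bin_dir and dest_cni_net_dir.
  allowedHostPaths:
    - pathPrefix: /opt/cni/bin-test
    - pathPrefix: /etc/cni/net.d-test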
---
# Identity the linkerd-cni DaemonSet runs as (serviceAccountName in its pod
# spec). The RoleBinding and ClusterRoleBinding in this file both name this
# account as their only subject.
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: linkerd-test
  name: linkerd-cni
  labels:
    linkerd.io/cni-resource-test: 'true'
---
# Namespaced Role whose single rule allows `use` of one PodSecurityPolicy,
# selected by name, so that pods of the bound subject can be admitted under
# it. No other verb or resource is granted here.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: linkerd-test
  name: linkerd-cni
  labels:
    linkerd.io/cni-resource-test: 'true'
rules:
  - verbs:
      - use
    apiGroups:
      - extensions
      - policy
    resources:
      - podsecuritypolicies
    # resourceNames scopes the grant to this one policy; without it the rule
    # would cover every PodSecurityPolicy in the cluster.
    resourceNames:
      - linkerd-linkerd-test-cni
---
# Binds the Role "linkerd-cni" (PodSecurityPolicy `use`) to the linkerd-cni
# ServiceAccount, and to no other subject.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: linkerd-test
  name: linkerd-cni
  labels:
    linkerd.io/cni-resource-test: 'true'
subjects:
  - kind: ServiceAccount
    namespace: linkerd-test
    name: linkerd-cni
roleRef:
  kind: Role
  name: linkerd-cni
  apiGroup: rbac.authorization.k8s.io
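---
# Cluster-wide, read-only access for the CNI plugin: list/get/watch on pods,
# nodes and namespaces in the core API group. No write verbs and no access to
# secrets are granted; keep it that way when extending the rule.
#
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22. The v1 API
# accepts the same object, and the Role and RoleBinding in this file already
# use it.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-cni
  labels:
    linkerd.io/cni-resource-test: "true"
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes", "namespaces"]
    verbs: ["list", "get", "watch"]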
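---
# Grants the ClusterRole "linkerd-cni" to the linkerd-cni ServiceAccount in
# namespace linkerd-test. Being a ClusterRoleBinding, the grant applies in
# every namespace, not only linkerd-test.
#
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22. The v1 API
# accepts the same object, and the Role and RoleBinding in this file already
# use it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-cni
  labels:
    linkerd.io/cni-resource-test: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-cni
subjects:
  - kind: ServiceAccount
    name: linkerd-cni
    namespace: linkerd-test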
---
# Settings consumed by the install-cni container: the DaemonSet in this file
# reads all three keys through configMapKeyRef environment variables.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: linkerd-test
  name: linkerd-cni-config
  labels:
    linkerd.io/cni-resource-test: 'true'
data:
  # Node directories for the CNI network config and the CNI binaries. They
  # correspond to the hostPath volumes of the DaemonSet.
  dest_cni_net_dir: '/etc/cni/net.d-test'
  dest_cni_bin_dir: '/opt/cni/bin-test'
  # CNI network configuration to install on every node. The __NAME__
  # placeholders are filled in automatically at install time.
  # NOTE(review): __SERVICEACCOUNT_TOKEN__ is presumably replaced with the
  # pod's service-account token; if so, the file written under
  # dest_cni_net_dir holds a bearer credential and should be readable by root
  # only. Confirm against the install script.
  # NOTE(review): "log_level": "debug" looks like a test value; confirm that
  # debug output never includes the token.
  cni_network_config: |-
    {
      "name": "linkerd-cni",
      "type": "linkerd-cni",
      "log_level": "debug",
      "policy": {
        "type": "k8s",
        "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
        "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
        "kubeconfig": "__KUBECONFIG_FILEPATH__"
      },
      "linkerd": {
        "incoming-proxy-port": 1234,
        "outgoing-proxy-port": 5678,
        "proxy-uid": 1111,
        "ports-to-redirect": [],
        "inbound-ports-to-ignore": [],
        "outbound-ports-to-ignore": [],
        "simulate": false,
        "use-wait-flag": true
      }
    }
---
# Runs the install-cni container once per Linux node. The pod uses the host
# network namespace and writes into two host directories, so whoever controls
# its image or this manifest controls the CNI binaries and network config
# that the node's container runtime later uses.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  namespace: linkerd-test
  name: linkerd-cni
  annotations:
    linkerd.io/created-by-test: test-version
  labels:
    k8s-app: linkerd-cni
    linkerd.io/cni-resource-test: 'true'
spec:
  selector:
    matchLabels:
      k8s-app: linkerd-cni
  # Replace the installer on one node at a time.
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        linkerd.io/created-by-test: test-version
      labels:
        k8s-app: linkerd-cni
    spec:
      serviceAccountName: linkerd-cni
      hostNetwork: true
      # NOTE(review): beta.kubernetes.io/os is the deprecated form of the
      # kubernetes.io/os node label; check which one the target clusters set.
      nodeSelector:
        beta.kubernetes.io/os: linux
      containers:
        # Installs the linkerd CNI binaries and the CNI network config file
        # on the node. After copying the files into place the install script
        # sleeps, so Kubernetes does not keep restarting the container.
        # NOTE(review): the image is referenced by tag only, and no
        # securityContext is set, so the container runs as whatever user the
        # image defines. Consider a digest-pinned image outside of tests.
        - name: install-cni
          image: gcr.io/linkerd-io/cni-plugin-test:test-version
          env:
            - name: DEST_CNI_NET_DIR
              valueFrom:
                configMapKeyRef:
                  key: dest_cni_net_dir
                  name: linkerd-cni-config
            - name: DEST_CNI_BIN_DIR
              valueFrom:
                configMapKeyRef:
                  key: dest_cni_bin_dir
                  name: linkerd-cni-config
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  key: cni_network_config
                  name: linkerd-cni-config
            - name: SLEEP
              value: 'true'
          lifecycle:
            preStop:
              exec:
                # Sends SIGTERM (15) to PID 1 of the container before stop.
                command:
                  - 'kill'
                  - '-15'
                  - '1'
          # Both host directories are mounted writable under /host.
          volumeMounts:
            - name: cni-bin-dir
              mountPath: /host/opt/cni/bin-test
            - name: cni-net-dir
              mountPath: /host/etc/cni/net.d-test
      volumes:
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin-test
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d-test