mirror of https://github.com/linkerd/linkerd2.git
284 lines
8.0 KiB
Go
284 lines
8.0 KiB
Go
// Copyright 2017 CNI authors
|
|
// Modifications copyright (c) Linkerd authors
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
// This file was inspired by:
|
|
// 1) https://github.com/istio/cni/blob/c63a509539b5ed165a6617548c31b686f13c2133/deployments/kubernetes/install/manifests/istio-cni.yaml
|
|
|
|
package install
|
|
|
|
const (
|
|
// CNITemplate provides the base template for the `linkerd install-cni-plugin` command.
|
|
CNITemplate = `### Namespace ###
|
|
kind: Namespace
|
|
apiVersion: v1
|
|
metadata:
|
|
name: {{.Namespace}}
|
|
---
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: linkerd-{{.Namespace}}-cni
|
|
labels:
|
|
{{.ControllerNamespaceLabel}}: {{.Namespace}}
|
|
linkerd.io/cni-resource: "true"
|
|
spec:
|
|
allowPrivilegeEscalation: false
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
hostNetwork: true
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- hostPath
|
|
- secret
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: linkerd-cni
|
|
namespace: {{.Namespace}}
|
|
labels:
|
|
{{.ControllerNamespaceLabel}}: {{.Namespace}}
|
|
linkerd.io/cni-resource: "true"
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: linkerd-cni
|
|
namespace: {{.Namespace}}
|
|
labels:
|
|
{{.ControllerNamespaceLabel}}: {{.Namespace}}
|
|
linkerd.io/cni-resource: "true"
|
|
rules:
|
|
- apiGroups: ['extensions', 'policy']
|
|
resources: ['podsecuritypolicies']
|
|
resourceNames:
|
|
- linkerd-{{.Namespace}}-cni
|
|
verbs: ['use']
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: linkerd-cni
|
|
namespace: {{.Namespace}}
|
|
labels:
|
|
{{.ControllerNamespaceLabel}}: {{.Namespace}}
|
|
linkerd.io/cni-resource: "true"
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: linkerd-cni
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: linkerd-cni
|
|
namespace: {{.Namespace}}
|
|
---
|
|
# Include a clusterrole for the linkerd CNI DaemonSet,
|
|
# and bind it to the linkerd-cni serviceaccount.
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
metadata:
|
|
name: linkerd-cni
|
|
labels:
|
|
{{.ControllerNamespaceLabel}}: {{.Namespace}}
|
|
linkerd.io/cni-resource: "true"
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods", "nodes", "namespaces"]
|
|
verbs: ["list", "get", "watch"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: linkerd-cni
|
|
labels:
|
|
{{.ControllerNamespaceLabel}}: {{.Namespace}}
|
|
linkerd.io/cni-resource: "true"
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: linkerd-cni
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: linkerd-cni
|
|
namespace: {{.Namespace}}
|
|
---
|
|
# This ConfigMap is used to configure a self-hosted linkerd CNI installation.
|
|
kind: ConfigMap
|
|
apiVersion: v1
|
|
metadata:
|
|
name: linkerd-cni-config
|
|
namespace: {{.Namespace}}
|
|
labels:
|
|
{{.ControllerNamespaceLabel}}: {{.Namespace}}
|
|
linkerd.io/cni-resource: "true"
|
|
data:
|
|
incoming_proxy_port: "{{.InboundPort}}"
|
|
outgoing_proxy_port: "{{.OutboundPort}}"
|
|
proxy_uid: "{{.ProxyUID}}"
|
|
inbound_ports_to_ignore: "{{.IgnoreInboundPorts}}"
|
|
outbound_ports_to_ignore: "{{.IgnoreOutboundPorts}}"
|
|
simulate: "false"
|
|
log_level: "{{.LogLevel}}"
|
|
dest_cni_net_dir: "{{.DestCNINetDir}}"
|
|
dest_cni_bin_dir: "{{.DestCNIBinDir}}"
|
|
use_wait_flag: "{{.UseWaitFlag}}"
|
|
# The CNI network configuration to install on each node. The special
|
|
# values in this config will be automatically populated.
|
|
cni_network_config: |-
|
|
{
|
|
"name": "linkerd-cni",
|
|
"type": "linkerd-cni",
|
|
"log_level": "__LOG_LEVEL__",
|
|
"policy": {
|
|
"type": "k8s",
|
|
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
|
|
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
|
|
},
|
|
"kubernetes": {
|
|
"kubeconfig": "__KUBECONFIG_FILEPATH__"
|
|
},
|
|
"linkerd": {
|
|
"incoming-proxy-port": __INCOMING_PROXY_PORT__,
|
|
"outgoing-proxy-port": __OUTGOING_PROXY_PORT__,
|
|
"proxy-uid": __PROXY_UID__,
|
|
"ports-to-redirect": [__PORTS_TO_REDIRECT__],
|
|
"inbound-ports-to-ignore": [__INBOUND_PORTS_TO_IGNORE__],
|
|
"outbound-ports-to-ignore": [__OUTBOUND_PORTS_TO_IGNORE__],
|
|
"simulate": __SIMULATE__,
|
|
"use-wait-flag": __USE_WAIT_FLAG__
|
|
}
|
|
}
|
|
---
|
|
# This manifest installs the linkerd CNI plugins and network config on
|
|
# each master and worker node in a Kubernetes cluster.
|
|
kind: DaemonSet
|
|
apiVersion: apps/v1
|
|
metadata:
|
|
name: linkerd-cni
|
|
namespace: {{.Namespace}}
|
|
labels:
|
|
k8s-app: linkerd-cni
|
|
{{.ControllerNamespaceLabel}}: {{.Namespace}}
|
|
linkerd.io/cni-resource: "true"
|
|
annotations:
|
|
{{.CreatedByAnnotation}}: {{.CliVersion}}
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
k8s-app: linkerd-cni
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
rollingUpdate:
|
|
maxUnavailable: 1
|
|
template:
|
|
metadata:
|
|
labels:
|
|
k8s-app: linkerd-cni
|
|
annotations:
|
|
{{.CreatedByAnnotation}}: {{.CliVersion}}
|
|
spec:
|
|
nodeSelector:
|
|
beta.kubernetes.io/os: linux
|
|
hostNetwork: true
|
|
serviceAccountName: linkerd-cni
|
|
containers:
|
|
# This container installs the linkerd CNI binaries
|
|
# and CNI network config file on each node. The install
|
|
# script copies the files into place and then sleeps so
|
|
# that Kubernetes doesn't keep trying to restart it.
|
|
- name: install-cni
|
|
image: {{.CNIPluginImage}}
|
|
env:
|
|
- name: DEST_CNI_NET_DIR
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: linkerd-cni-config
|
|
key: dest_cni_net_dir
|
|
- name: DEST_CNI_BIN_DIR
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: linkerd-cni-config
|
|
key: dest_cni_bin_dir
|
|
# The CNI network config to install on each node.
|
|
- name: CNI_NETWORK_CONFIG
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: linkerd-cni-config
|
|
key: cni_network_config
|
|
- name: INCOMING_PROXY_PORT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: linkerd-cni-config
|
|
key: incoming_proxy_port
|
|
- name: OUTGOING_PROXY_PORT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: linkerd-cni-config
|
|
key: outgoing_proxy_port
|
|
- name: PROXY_UID
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: linkerd-cni-config
|
|
key: proxy_uid
|
|
- name: INBOUND_PORTS_TO_IGNORE
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: linkerd-cni-config
|
|
key: inbound_ports_to_ignore
|
|
- name: LOG_LEVEL
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: linkerd-cni-config
|
|
key: log_level
|
|
- name: SLEEP
|
|
value: "true"
|
|
- name: USE_WAIT_FLAG
|
|
value: "{{.UseWaitFlag}}"
|
|
lifecycle:
|
|
preStop:
|
|
exec:
|
|
command: ["kill","-15","1"]
|
|
volumeMounts:
|
|
{{- if ne .DestCNIBinDir .DestCNINetDir }}
|
|
- mountPath: /host{{.DestCNIBinDir}}
|
|
name: cni-bin-dir
|
|
- mountPath: /host{{.DestCNINetDir}}
|
|
name: cni-net-dir
|
|
{{- else }}
|
|
- mountPath: /host{{.DestCNINetDir}}
|
|
name: cni-net-dir
|
|
{{- end }}
|
|
volumes:
|
|
# Used to install CNI.
|
|
{{- if ne .DestCNIBinDir .DestCNINetDir }}
|
|
- name: cni-bin-dir
|
|
hostPath:
|
|
path: {{.DestCNIBinDir}}
|
|
- name: cni-net-dir
|
|
hostPath:
|
|
path: {{.DestCNINetDir}}
|
|
{{- else }}
|
|
- name: cni-net-dir
|
|
hostPath:
|
|
path: {{.DestCNINetDir}}
|
|
{{- end }}
|
|
`
|
|
)
|