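---
# Cluster-wide permissions shared by the CNI-Genie node plugin and the
# admission controller (both run as the genie-plugin ServiceAccount).
# rbac.authorization.k8s.io/v1beta1 was removed from Kubernetes in v1.22;
# the v1 API has been GA since v1.8 and carries the same schema.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: genie-plugin
rules:
  # Pod annotations are read and rewritten to record network assignments.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - update
      - patch
  # Genie's own CRDs. The two original rules had identical verbs, so they
  # are merged into one; RBAC evaluates the union either way.
  - apiGroups:
      - "alpha.network.k8s.io"
    resources:
      - logicalnetworks
      - physicalnetworks
    verbs:
      - get
      - update
      - patch
  # Multus-style NetworkAttachmentDefinition objects.
  - apiGroups:
      - "k8s.cni.cncf.io"
    resources:
      - network-attachment-definitions
    verbs:
      - get
      - update
  # Read-only access to ConfigMaps (e.g. genie-config).
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
  # create/update/delete on ValidatingWebhookConfigurations is a high-impact
  # grant: whoever holds this role can intercept or block admission for the
  # whole cluster. Presumably the admission controller registers itself with
  # it; keep this role bound to the genie-plugin ServiceAccount only.
  - apiGroups:
      - "admissionregistration.k8s.io"
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
      - create
      - delete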
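---
# Grants the genie-plugin ClusterRole to the genie-plugin ServiceAccount.
#
# The original binding listed a second subject, Group `system:authenticated`.
# That group is every authenticated identity in the cluster, including every
# pod's service-account token, so it handed all of them cluster-wide
# update/patch on pods and create/update/delete on
# ValidatingWebhookConfigurations. It has been removed: both DaemonSets run as
# this ServiceAccount, and the genie-config ConfigMap's kubeconfig and
# k8s_auth_token placeholders indicate the node-side plugin authenticates
# with a service-account token rather than as an arbitrary user. Any other
# consumer that relied on the group grant should get its own explicit,
# narrowly scoped binding instead.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: genie-plugin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: genie-plugin
subjects:
  - kind: ServiceAccount
    name: genie-plugin
    namespace: kube-system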
---
# Identity used by the genie-plugin and genie-network-admission-controller
# DaemonSets (serviceAccountName: genie-plugin). Its permissions come from
# the genie-plugin ClusterRoleBinding above. Key order follows the RBAC
# documents in this file (kind before apiVersion); the content is unchanged.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: genie-plugin
  namespace: kube-system
---
# This ConfigMap can be used to configure a self-hosted CNI-Genie installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: genie-config
  namespace: kube-system
data:
  # The CNI network configuration to install on each node.
  # It reaches the install-cni container through the CNI_NETWORK_CONFIG
  # environment variable (see the genie-plugin DaemonSet). The __UPPER_CASE__
  # tokens are placeholders; presumably /launch.sh substitutes them before
  # writing the file under the host's /etc/cni/net.d — confirm against the
  # image. Do not add '#' comments inside the block scalar below: they would
  # become part of the JSON value.
  #
  # NOTE(review): once rendered, this file carries a service-account token
  # (k8s_auth_token) and points at a kubeconfig on the node's filesystem.
  # Treat the host CNI configuration directory as credential storage: the
  # token authenticates as the genie-plugin ServiceAccount, whose ClusterRole
  # includes write access to pods and ValidatingWebhookConfigurations.
  cni_genie_network_config: |-
    {
      "name": "k8s-pod-network",
      "type": "genie",
      "cniVersion": "0.2.0",
      "log_level": "info",
      "datastore_type": "kubernetes",
      "hostname": "__KUBERNETES_NODE_NAME__",
      "policy": {
        "type": "k8s",
        "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
        "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
        "kubeconfig": "/etc/cni/net.d/genie-kubeconfig"
      },
      "romana_root": "http://__ROMANA_SERVICE_HOST__:__ROMANA_SERVICE_PORT__",
      "segment_label_name": "romanaSegment"
    }
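---
# Install CNI-Genie plugin on each slave node.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: genie-plugin
  namespace: kube-system
  labels:
    k8s-app: genie
spec:
  selector:
    matchLabels:
      k8s-app: genie
  template:
    metadata:
      labels:
        k8s-app: genie
      annotations:
        # Legacy marker, ignored by Kubernetes since v1.16; kept for older
        # clusters. priorityClassName below is what current schedulers honor.
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      # Without a priority class the critical-pod annotation alone no longer
      # protects this installer from preemption/eviction under node pressure.
      # system-node-critical is a built-in class usable by kube-system pods.
      priorityClassName: system-node-critical
      hostNetwork: true
      # NOTE(review): hostPID shares the node's PID namespace with the
      # installer. Nothing in this manifest shows why copying a binary and a
      # config file needs it — confirm, and drop it if /launch.sh does not.
      hostPID: true
      serviceAccountName: genie-plugin
      containers:
        # Create a container with install.sh that
        # Installs required 00-genie.conf and genie binary
        # on slave node.
        - name: install-cni
          # NOTE(review): a floating `latest` tag with imagePullPolicy: Always
          # means every node restart pulls whatever the registry serves under
          # that tag, and it writes straight into the host's CNI binary
          # directory. Pin to a version tag or digest for a reproducible,
          # reviewable supply chain.
          image: quay.io/huawei-cni-genie/genie-plugin:latest
          imagePullPolicy: Always
          command: ["/launch.sh"]
          env:
            # Rendered CNI config from the genie-config ConfigMap.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: genie-config
                  key: cni_genie_network_config
            # Node name, presumably substituted for __KUBERNETES_NODE_NAME__.
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          # Both mounts must stay writable: the installer drops the plugin
          # binary and the network config onto the host here.
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node.kubernetes.io/not-ready
          effect: NoSchedule
          operator: Exists
      volumes:
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d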
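---
# Genie network admission controller daemonset configuration
# Genie network admission controller pods will run only in master nodes
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: genie-network-admission-controller
  namespace: kube-system
  labels:
    role: genie-network-admission-controller
spec:
  selector:
    matchLabels:
      role: genie-network-admission-controller
  template:
    metadata:
      labels:
        role: genie-network-admission-controller
      annotations:
        # Legacy marker, ignored by Kubernetes since v1.16; kept for older
        # clusters. priorityClassName below is what current schedulers honor.
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      # An admission webhook that is evicted can block or fail pod admission
      # cluster-wide, so give it a real priority class; the annotation alone
      # no longer does that. system-cluster-critical is a built-in class
      # usable by kube-system pods.
      priorityClassName: system-cluster-critical
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: node.kubernetes.io/not-ready
          effect: NoSchedule
          operator: Exists
        - key: CriticalAddonsOnly
          operator: Exists
      # NOTE(review): the node-role.kubernetes.io/master label and taint were
      # replaced by node-role.kubernetes.io/control-plane and the old label is
      # no longer applied from Kubernetes v1.24 on, so this selector matches
      # no nodes there. Adjust (or add a second toleration/selector) for the
      # target cluster version.
      nodeSelector:
        node-role.kubernetes.io/master: ""
      # NOTE(review): with hostNetwork the container's port 8000 is bound on
      # the control-plane node's own interfaces, not just on the Service IP.
      # The API server calls admission webhooks over HTTPS, so the process on
      # 8000 is expected to terminate TLS itself — nothing here mounts a cert;
      # confirm how the image obtains one.
      hostNetwork: true
      serviceAccountName: genie-plugin
      containers:
        - name: genie-network-admission-controller
          # NOTE(review): floating `latest` + imagePullPolicy: Always for a
          # component that sits in the admission path; pin to a version tag
          # or digest.
          image: quay.io/huawei-cni-genie/genie-admission-controller:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 8000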
---
# Genie network admission controller service
# Stable in-cluster endpoint for the admission controller DaemonSet above:
# Service port 443 forwards to the pods' containerPort 8000. The API server
# reaches admission webhooks over HTTPS, so the backend must speak TLS on
# 8000 itself — the Service does no termination. Key order follows the other
# documents in this file (kind, apiVersion, metadata.name first); the
# content is unchanged.
kind: Service
apiVersion: v1
metadata:
  name: genie-network-admission-controller
  namespace: kube-system
  labels:
    role: genie-network-admission-controller
spec:
  selector:
    role: genie-network-admission-controller
  ports:
    - port: 443
      targetPort: 8000