# Istio-CNI Version v0.1-dev
#
# This manifest installs the following component versions:
# istio-cni:v0.1
#
# Cluster-wide, read-only access for the istio-cni plugin: only the `get` verb
# on the core `pods` and `nodes` resources. Nothing here permits listing,
# watching or writing; keep the grant this narrow unless a new lookup in the
# plugin is shown to require more.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-cni
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
    verbs:
      - get
---
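# Binds the read-only istio-cni ClusterRole to the plugin's ServiceAccount in
# the release namespace (the ServiceAccount itself is declared later in this
# file). This is the only cluster-scoped grant the CNI workload receives.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-cni
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-cni
subjects:
  - kind: ServiceAccount
    name: istio-cni
    # Quoted so an all-digit namespace name renders as a string, not an int.
    namespace: {{ quote .Release.Namespace }}
---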
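# This ConfigMap is used to configure a self-hosted Istio CNI installation.
# The install-cni container consumes `cni_network_config` via a configMapKeyRef
# and installs it into the node's CNI config directory, so write access to this
# ConfigMap effectively means control over the CNI config placed on every node.
kind: ConfigMap
apiVersion: v1
metadata:
  name: istio-cni-config
  # Quoted so an all-digit namespace name renders as a string, not an int.
  namespace: {{ quote .Release.Namespace }}
  labels:
    {{- template "common_labels" . }}
data:
  # The CNI network configuration to add to the plugin chain on each node. The special
  # values in this config will be automatically populated.
  # Chart values are passed through `quote` so each one renders as a quoted
  # JSON string and the fragment stays well-formed even for empty values.
  cni_network_config: |-
    {
      "type": "istio-cni",
      "log_level": {{ quote .Values.logLevel }},
      "kubernetes": {
        "kubeconfig": "__KUBECONFIG_FILEPATH__",
        "cni_bin_dir": {{ quote .Values.cniBinDir }},
        "exclude_namespaces": [ {{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ]
      }
    }
---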
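# This manifest installs the Istio install-cni container, as well
# as the Istio CNI plugin and config on
# each master and worker node in a Kubernetes cluster.
#
# Privilege footprint: the pod uses the host network and mounts the node's CNI
# binary and config directories read-write (no `readOnly` on the mounts). That
# is what installing a CNI plugin requires, but it also means this workload, and
# anything able to edit this DaemonSet or act as its ServiceAccount, can change
# networking for every pod on the node. Keep access to this namespace tight.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: istio-cni-node
  # Quoted so an all-digit namespace name renders as a string, not an int.
  namespace: {{ quote .Release.Namespace }}
  labels:
    k8s-app: istio-cni-node
    {{- template "common_labels" . }}
spec:
  selector:
    matchLabels:
      k8s-app: istio-cni-node
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: istio-cni-node
      annotations:
        # Legacy critical-add-on marker, kept for older clusters. Kubernetes
        # 1.16+ ignores this annotation; `priorityClassName` (set below) is
        # what gives the pod priority scheduling and protection from preemption.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      nodeSelector:
        # `beta.kubernetes.io/os` is the deprecated spelling of `kubernetes.io/os`;
        # confirm the target cluster version still sets it before relying on it.
        beta.kubernetes.io/os: linux
      # Presumably needed so the installer can run before a working CNI exists on
      # the node; it also means the container shares the node's network stack.
      hostNetwork: true
      tolerations:
        # Make sure istio-cni-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      priorityClassName: system-node-critical
      serviceAccountName: istio-cni
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 5
      containers:
        # This container installs the Istio CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: "{{ .Values.hub }}/install-cni:{{ .Values.tag }}"
          imagePullPolicy: {{ .Values.pullPolicy }}
          command: ["/install-cni.sh"]
          env:
            {{- if .Values.cniConfFileName }}
            # Name of the CNI config file to create.
            - name: CNI_CONF_NAME
              value: "{{ .Values.cniConfFileName }}"
            {{- end }}
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: istio-cni-config
                  key: cni_network_config
            # Env values must be strings; quoted so the YAML parser can never
            # retype an unusual path value.
            - name: CNI_NET_DIR
              value: {{ default "/etc/cni/net.d" .Values.cniConfDir | quote }}
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      volumes:
        # Used to install CNI. Both are host paths mounted read-write above: the
        # container writes the plugin binary and its network config onto the node.
        - name: cni-bin-dir
          hostPath:
            path: {{ default "/opt/cni/bin" .Values.cniBinDir }}
        - name: cni-net-dir
          hostPath:
            path: {{ default "/etc/cni/net.d" .Values.cniConfDir }}
---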
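# Identity the istio-cni-node DaemonSet runs as. It is bound to the read-only
# istio-cni ClusterRole and, when `psp_cluster_role` is set, to a PSP ClusterRole
# through a namespaced RoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-cni
  # Quoted so an all-digit namespace name renders as a string, not an int.
  namespace: {{ quote .Release.Namespace }}
---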
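{{- if .Values.psp_cluster_role }}
# Optional: bind the istio-cni ServiceAccount to a pre-existing ClusterRole
# (presumably one granting `use` on a PodSecurityPolicy), scoped to the release
# namespace via a RoleBinding rather than a ClusterRoleBinding.
# Rendered only when `psp_cluster_role` is set. A plain truthiness test is used
# instead of `ne ... ""` because `ne` against an unset (nil) value does not
# reliably evaluate to false in Go templates, whereas truthiness covers both
# nil and the empty string.
# PodSecurityPolicy is removed in Kubernetes 1.25+; this has no effect there.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-cni-psp
  # Quoted so an all-digit namespace name renders as a string, not an int.
  namespace: {{ quote .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ quote .Values.psp_cluster_role }}
subjects:
  - kind: ServiceAccount
    name: istio-cni
    namespace: {{ quote .Release.Namespace }}
{{- end }}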