1{{- /*
2Copyright 2017 CNI authors
3Modifications copyright (c) Linkerd authors
4
5Licensed under the Apache License, Version 2.0 (the "License");
6you may not use this file except in compliance with the License.
7You may obtain a copy of the License at
8
9 http://www.apache.org/licenses/LICENSE-2.0
10
11Unless required by applicable law or agreed to in writing, software
12distributed under the License is distributed on an "AS IS" BASIS,
13WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14See the License for the specific language governing permissions and
15limitations under the License.
16
17This file was inspired by
181) https://github.com/istio/cni/blob/c63a509539b5ed165a6617548c31b686f13c2133/deployments/kubernetes/install/manifests/istio-cni.yaml
19*/ -}}
{{- if eq .Release.Service "CLI" -}}
# Only the CLI installer renders the Namespace object.
apiVersion: v1
kind: Namespace
metadata:
  name: {{ .Release.Namespace }}
  labels:
    linkerd.io/cni-resource: "true"
    # Pod Security Admission has to admit the `privileged` level here: the
    # DaemonSet in this chart mounts host directories and can run its
    # install container privileged.
    pod-security.kubernetes.io/enforce: privileged
    # Presumably excludes this namespace from Linkerd's admission webhooks.
    config.linkerd.io/admission-webhooks: disabled
---
{{ end -}}
# Identity of the DaemonSet pods; it is the single subject of the RBAC
# bindings in this chart.
# NOTE(review): the CNI config in linkerd-cni-config carries a
# __SERVICEACCOUNT_TOKEN__ placeholder, presumably filled from this account's
# mounted token by the install script — so the token must stay automounted.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-cni
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/cni-resource: "true"
    {{- with .Values.commonLabels }}
    {{- toYaml . | trim | nindent 4 }}
    {{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 2 }}
{{- end }}
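{{ if .Values.enablePSP -}}
---
# PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25; this
# object only takes effect on clusters that still serve that API.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-{{.Release.Namespace}}-cni
  annotations:
    # Only the runtime/default seccomp profile is admitted, which is the
    # profile the DaemonSet pod requests.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default"
  labels:
    linkerd.io/cni-resource: "true"
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
spec:
  # Must track the install-cni container: a PSP that leaves `privileged` at
  # its default (false) rejects the DaemonSet pod whenever `.Values.privileged`
  # is true.
  privileged: {{ .Values.privileged }}
  {{- if not .Values.privileged }}
  allowPrivilegeEscalation: false
  {{- end }}
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  # hostPath and emptyDir are the volume types the DaemonSet declares.
  # NOTE(review): clusters that mount the service-account token as a
  # `projected` volume may need that type listed here as well — verify.
  volumes:
  - hostPath
  - secret
  - emptyDir
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-cni
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/cni-resource: "true"
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
# Grants `use` on this chart's PSP only, pinned by resourceName.
rules:
- apiGroups: ["extensions", "policy"]
  resources: ["podsecuritypolicies"]
  resourceNames:
  - linkerd-{{.Release.Namespace}}-cni
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-cni
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/cni-resource: "true"
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-cni
# Bound to the chart's ServiceAccount only.
subjects:
- kind: ServiceAccount
  name: linkerd-cni
  namespace: {{.Release.Namespace}}
{{ end -}}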
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-cni
  labels:
    linkerd.io/cni-resource: "true"
    {{- with .Values.commonLabels }}
    {{- toYaml . | trim | nindent 4 }}
    {{- end }}
# Cluster-wide read access to core objects for the linkerd-cni
# ServiceAccount, plus the extra grants the repair controller needs when it
# is enabled.
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - namespaces
  - services
  verbs:
  - get
  - list
  - watch
{{- if .Values.repairController.enabled }}
# RBAC cannot scope `delete` to a single node, so this grant is cluster-wide
# even though each repair-controller instance is only handed its own node
# name (see the DaemonSet).
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - delete
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - create
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-cni
  labels:
    linkerd.io/cni-resource: "true"
    {{- with .Values.commonLabels }}
    {{- toYaml . | trim | nindent 4 }}
    {{- end }}
# Binds the linkerd-cni ClusterRole to the chart's ServiceAccount in the
# release namespace — the only subject.
subjects:
- kind: ServiceAccount
  name: linkerd-cni
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-cni
---
# Configuration consumed by the install-cni container through configMapKeyRef
# env vars in the DaemonSet.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-cni-config
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/cni-resource: "true"
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
data:
  # Host directories the install container writes into; they are also the
  # hostPath volumes mounted under /host<dir> in the DaemonSet.
  dest_cni_net_dir: "{{.Values.destCNINetDir}}"
  dest_cni_bin_dir: "{{.Values.destCNIBinDir}}"
  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0
  #
  # NOTE(review): the __KUBERNETES_SERVICE_HOST__, __KUBERNETES_SERVICE_PORT__,
  # __SERVICEACCOUNT_TOKEN__ and __KUBECONFIG_FILEPATH__ placeholders are not
  # Helm values — presumably the install script substitutes them at runtime.
  # If so, the file written to dest_cni_net_dir carries a service-account
  # token, so that directory's host permissions matter.
  # Values spliced in without quoting (the proxy ports/uid/gid,
  # portsToRedirect and the ignore lists) must already be valid JSON
  # fragments; nothing here escapes them.
  cni_network_config: |-
    {
      "name": "linkerd-cni",
      "type": "linkerd-cni",
      "log_level": "{{.Values.logLevel}}",
      "policy": {
          "type": "k8s",
          "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
          "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
          "kubeconfig": "__KUBECONFIG_FILEPATH__"
      },
      "linkerd": {
        "incoming-proxy-port": {{.Values.inboundProxyPort}},
        "outgoing-proxy-port": {{.Values.outboundProxyPort}},
        "proxy-uid": {{.Values.proxyUID}},
        {{- if ge (int .Values.proxyGID) 0 }}
        "proxy-gid": {{.Values.proxyGID}},
        {{- end }}
        "ports-to-redirect": [{{.Values.portsToRedirect}}],
        "inbound-ports-to-ignore": ["{{- .Values.proxyAdminPort }}","{{ .Values.proxyControlPort }}"
        {{- if .Values.ignoreInboundPorts }},{{- include "partials.splitStringList" .Values.ignoreInboundPorts -}}{{- end }}],
        {{- if .Values.ignoreOutboundPorts }}
        "outbound-ports-to-ignore": [
        {{- include "partials.splitStringList" .Values.ignoreOutboundPorts -}}
        ],
        {{- end }}
        "simulate": false,
        "use-wait-flag": {{.Values.useWaitFlag}},
        "iptables-mode": {{.Values.iptablesMode | quote}},
        "ipv6": {{.Values.disableIPv6 | ternary "false" "true"}}
      }
    }
---
# One pod per Linux node: the install-cni container copies the plugin binary
# and network config onto the host; the optional repair-controller container
# deletes pods whose network setup raced the plugin install.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: linkerd-cni
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: linkerd-cni
    linkerd.io/cni-resource: "true"
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  revisionHistoryLimit: {{.Values.revisionHistoryLimit}}
  selector:
    matchLabels:
      k8s-app: linkerd-cni
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: linkerd-cni
        linkerd.io/cni-resource: "true"
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
      annotations:
        {{ include "partials.annotations.created-by" . }}
        # The CNI pod itself must never be proxy-injected.
        linkerd.io/inject: disabled
    spec:
      {{- if .Values.tolerations }}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end }}
      nodeSelector:
        kubernetes.io/os: linux
      {{- if .Values.nodeAffinity }}
      affinity:
      {{- include "linkerd.node-affinity" . | nindent 8 }}
      {{- end }}
      # Pod-level seccomp profile; it is the one profile the optional
      # PodSecurityPolicy in this chart admits.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-cni
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName }}
      {{- end }}
      {{- if .Values.extraInitContainers }}
      initContainers:
      {{- toYaml .Values.extraInitContainers | nindent 6 }}
      {{- end }}
      containers:
      # This container installs the linkerd CNI binaries
      # and CNI network config file on each node. The install
      # script copies the files into place and then sleeps so
      # that Kubernetes doesn't keep trying to restart it.
      - name: install-cni
        image: {{ .Values.image.name -}}:{{- .Values.image.version }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        env:
        # Target directories and the CNI config come from the
        # linkerd-cni-config ConfigMap; the directories must match the
        # hostPath mounts under /host<dir> below.
        - name: DEST_CNI_NET_DIR
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: dest_cni_net_dir
        - name: DEST_CNI_BIN_DIR
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: dest_cni_bin_dir
        - name: CNI_NETWORK_CONFIG
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: cni_network_config
        # Keeps the install script resident after copying (see the comment on
        # this container) instead of exiting and being restarted.
        - name: SLEEP
          value: "true"
        lifecycle:
          # In some edge-cases this helps ensure that cleanup() is called in the container's script
          # https://github.com/linkerd/linkerd2/issues/2355
          preStop:
            exec:
              command:
              - /bin/sh
              - -c
              - kill -15 1; sleep 15s
        # Writable host directories (no readOnly flag): the binary and network
        # config are written straight into the node's filesystem.
        volumeMounts:
        {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
        - mountPath: /host{{.Values.destCNIBinDir}}
          name: cni-bin-dir
        - mountPath: /host{{.Values.destCNINetDir}}
          name: cni-net-dir
        {{- else }}
        - mountPath: /host{{.Values.destCNINetDir}}
          name: cni-net-dir
        {{- end }}
        - mountPath: /tmp
          name: linkerd-tmp-dir
        # NOTE(review): this is the chart's most exposed container (writes to
        # host paths, optionally `privileged`), yet unlike repair-controller
        # below it drops no capabilities and does not set
        # allowPrivilegeEscalation: false when `.Values.privileged` is false.
        # Worth tightening if the install script does not need them.
        securityContext:
          readOnlyRootFilesystem: true
          privileged: {{.Values.privileged}}
        {{- if .Values.resources }}
        {{- include "partials.resources" .Values.resources | nindent 8 }}
        {{- end }}
      {{- if .Values.repairController.enabled }}
      # This container watches over pods whose linkerd-network-validator
      # container failed, probably because of a race condition while setting up
      # the CNI plugin chain, and deletes those pods so they can try acquiring a
      # proper network config again
      - name: repair-controller
        image: {{ .Values.image.name -}}:{{- .Values.image.version }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        # NOTE(review): this condition encloses env, command, args, probes and
        # ports as well as securityContext, so
        # repairController.enableSecurityContext=false leaves the container
        # with only an image — it would then start the image's default
        # entrypoint rather than the repair controller. Confirm that is
        # intended; if not, the `if` should wrap securityContext alone.
        {{- if .Values.repairController.enableSecurityContext }}
        env:
        # Node and pod identity from the downward API — presumably used to
        # limit the controller to pods on its own node, although the
        # ClusterRole's pods/delete grant is cluster-wide.
        - name: LINKERD_CNI_REPAIR_CONTROLLER_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD_CNI_REPAIR_CONTROLLER_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        command:
        - /usr/lib/linkerd/linkerd-cni-repair-controller
        args:
        # Admin endpoint serving the probes below; bound on all interfaces of
        # the pod's network namespace (this spec does not request
        # hostNetwork).
        - --admin-addr=0.0.0.0:9990
        - --log-format
        - {{ .Values.repairController.logFormat }}
        - --log-level
        - {{ .Values.repairController.logLevel }}
        livenessProbe:
          httpGet:
            path: /live
            port: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: admin-http
          initialDelaySeconds: 10
        ports:
        - containerPort: 9990
          name: admin-http
        # Hardened: unprivileged, no capabilities, read-only root filesystem,
        # runtime seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        {{- end }}
        {{- if .Values.repairController.resources }}
        {{- include "partials.resources" .Values.repairController.resources | nindent 8 }}
        {{- end }}
      {{- end }}
      # Host directories backing the install-cni mounts; a single volume when
      # the bin and net directories coincide.
      volumes:
      {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
      - name: cni-bin-dir
        hostPath:
          path: {{.Values.destCNIBinDir}}
      - name: cni-net-dir
        hostPath:
          path: {{.Values.destCNINetDir}}
      {{- else }}
      - name: cni-net-dir
        hostPath:
          path: {{.Values.destCNINetDir}}
      {{- end }}
      - name: linkerd-tmp-dir
        emptyDir: {}