
{{- /*
Copyright 2017 CNI authors
Modifications copyright (c) Linkerd authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

This file was inspired by
1) https://github.com/istio/cni/blob/c63a509539b5ed165a6617548c31b686f13c2133/deployments/kubernetes/install/manifests/istio-cni.yaml
*/ -}}
{{- if eq .Release.Service "CLI" -}}
# The Namespace is only emitted when the chart is rendered by the linkerd CLI
# (under `helm install` .Release.Service is "Helm" and the namespace is
# expected to exist already).
kind: Namespace
apiVersion: v1
metadata:
  name: {{.Release.Namespace}}
  labels:
    linkerd.io/cni-resource: "true"
    # Opts the namespace out of Linkerd's admission webhooks so the CNI pod
    # below is never proxy-injected (the pod template also carries
    # linkerd.io/inject: disabled).
    config.linkerd.io/admission-webhooks: disabled
    # Pod Security Admission: the least restrictive profile. Needed because the
    # DaemonSet mounts hostPath volumes and may run privileged, but it also
    # means PSA constrains nothing else scheduled here - keep this namespace
    # dedicated to the CNI plugin.
    pod-security.kubernetes.io/enforce: privileged
---
{{ end -}}
    31apiVersion: v1
    32kind: ServiceAccount
    33metadata:
    34  name: linkerd-cni
    35  namespace: {{ .Release.Namespace }}
    36  labels:
    37    linkerd.io/cni-resource: "true"
    38    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    39{{- if .Values.imagePullSecrets }}
    40imagePullSecrets:
    41{{ toYaml .Values.imagePullSecrets | indent 2 }}
    42{{- end }}
    43{{ if .Values.enablePSP -}}
    44---
    45apiVersion: policy/v1beta1
    46kind: PodSecurityPolicy
    47metadata:
    48  name: linkerd-{{.Release.Namespace}}-cni
    49  annotations:
    50    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default"
    51  labels:
    52    linkerd.io/cni-resource: "true"
    53    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    54spec:
    55  {{- if not .Values.privileged }}
    56  allowPrivilegeEscalation: false
    57  {{- end }}
    58  fsGroup:
    59    rule: RunAsAny
    60  runAsUser:
    61    rule: RunAsAny
    62  runAsGroup:
    63    rule: RunAsAny
    64  seLinux:
    65    rule: RunAsAny
    66  supplementalGroups:
    67    rule: RunAsAny
    68  volumes:
    69  - hostPath
    70  - secret
    71  - emptyDir
    72---
    73apiVersion: rbac.authorization.k8s.io/v1
    74kind: Role
    75metadata:
    76  name: linkerd-cni
    77  namespace: {{ .Release.Namespace }}
    78  labels:
    79    linkerd.io/cni-resource: "true"
    80    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    81rules:
    82- apiGroups: ['extensions', 'policy']
    83  resources: ['podsecuritypolicies']
    84  resourceNames:
    85  - linkerd-{{.Release.Namespace}}-cni
    86  verbs: ['use']
    87---
    88apiVersion: rbac.authorization.k8s.io/v1
    89kind: RoleBinding
    90metadata:
    91  name: linkerd-cni
    92  namespace: {{ .Release.Namespace }}
    93  labels:
    94    linkerd.io/cni-resource: "true"
    95    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    96roleRef:
    97  apiGroup: rbac.authorization.k8s.io
    98  kind: Role
    99  name: linkerd-cni
   100subjects:
   101- kind: ServiceAccount
   102  name: linkerd-cni
   103  namespace: {{.Release.Namespace}}
   104{{ end -}}
   105---
   106kind: ClusterRole
   107apiVersion: rbac.authorization.k8s.io/v1
   108metadata:
   109  name: linkerd-cni
   110  labels:
   111    linkerd.io/cni-resource: "true"
   112    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
   113rules:
   114- apiGroups: [""]
   115  resources: ["pods", "nodes", "namespaces", "services"]
   116  verbs: ["list", "get", "watch"]
   117{{- if .Values.repairController.enabled }}
   118- apiGroups: [""]
   119  resources: ["pods"]
   120  verbs: ["delete"]
   121- apiGroups: ["events.k8s.io"]
   122  resources: ["events"]
   123  verbs: ["create"]
   124{{- end }}
   125---
   126apiVersion: rbac.authorization.k8s.io/v1
   127kind: ClusterRoleBinding
   128metadata:
   129  name: linkerd-cni
   130  labels:
   131    linkerd.io/cni-resource: "true"
   132    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
   133roleRef:
   134  apiGroup: rbac.authorization.k8s.io
   135  kind: ClusterRole
   136  name: linkerd-cni
   137subjects:
   138- kind: ServiceAccount
   139  name: linkerd-cni
   140  namespace: {{.Release.Namespace}}
---
# Source of the env vars read by the install-cni container (DEST_CNI_NET_DIR,
# DEST_CNI_BIN_DIR, CNI_NETWORK_CONFIG). The install script, which is not part
# of this chart, is expected to substitute the __PLACEHOLDER__ tokens and write
# the result into dest_cni_net_dir on every node.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-cni-config
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/cni-resource: "true"
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
data:
  dest_cni_net_dir: "{{.Values.destCNINetDir}}"
  dest_cni_bin_dir: "{{.Values.destCNIBinDir}}"
  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0
  #
  # NOTE(review):
  # - __SERVICEACCOUNT_TOKEN__ and __KUBECONFIG_FILEPATH__ mean the linkerd-cni
  #   service-account credential ends up in a file under dest_cni_net_dir on the
  #   node; that file should stay root-only - TODO confirm in the install script.
  # - Helm values are spliced straight into this JSON with no escaping. They are
  #   operator-supplied, so a value containing quotes or commas breaks the
  #   config rather than being sanitised.
  # - inbound-ports-to-ignore always starts with the proxy admin and control
  #   ports so traffic to the proxy itself is never redirected back into it.
  cni_network_config: |-
    {
      "name": "linkerd-cni",
      "type": "linkerd-cni",
      "log_level": "{{.Values.logLevel}}",
      "policy": {
          "type": "k8s",
          "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
          "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
          "kubeconfig": "__KUBECONFIG_FILEPATH__"
      },
      "linkerd": {
        "incoming-proxy-port": {{.Values.inboundProxyPort}},
        "outgoing-proxy-port": {{.Values.outboundProxyPort}},
        "proxy-uid": {{.Values.proxyUID}},
        {{- if ge (int .Values.proxyGID) 0 }}
        "proxy-gid": {{.Values.proxyGID}},
        {{- end }}
        "ports-to-redirect": [{{.Values.portsToRedirect}}],
        "inbound-ports-to-ignore": ["{{- .Values.proxyAdminPort }}","{{ .Values.proxyControlPort }}"
        {{- if .Values.ignoreInboundPorts }},{{- include "partials.splitStringList" .Values.ignoreInboundPorts -}}{{- end }}],
        {{- if .Values.ignoreOutboundPorts }}
        "outbound-ports-to-ignore": [
          {{- include "partials.splitStringList" .Values.ignoreOutboundPorts -}}
        ],
        {{- end }}
        "simulate": false,
        "use-wait-flag": {{.Values.useWaitFlag}},
        "iptables-mode": {{.Values.iptablesMode | quote}},
        "ipv6": {{.Values.disableIPv6 | ternary "false" "true"}}
      }
    }
   190---
   191kind: DaemonSet
   192apiVersion: apps/v1
   193metadata:
   194  name: linkerd-cni
   195  namespace: {{ .Release.Namespace }}
   196  labels:
   197    k8s-app: linkerd-cni
   198    linkerd.io/cni-resource: "true"
   199    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
   200  annotations:
   201    {{ include "partials.annotations.created-by" . }}
   202spec:
   203  revisionHistoryLimit: {{.Values.revisionHistoryLimit}}
   204  selector:
   205    matchLabels:
   206      k8s-app: linkerd-cni
   207  updateStrategy:
   208    type: RollingUpdate
   209    rollingUpdate:
   210      maxUnavailable: 1
   211  template:
   212    metadata:
   213      labels:
   214        k8s-app: linkerd-cni
   215        linkerd.io/cni-resource: "true"
   216        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
   217      annotations:
   218        {{ include "partials.annotations.created-by" . }}
   219        linkerd.io/inject: disabled
   220    spec:
   221      {{- if .Values.tolerations }}
   222      {{- include "linkerd.tolerations" . | nindent 6 }}
   223      {{- end }}
   224      nodeSelector:
   225        kubernetes.io/os: linux
   226      {{- if .Values.nodeAffinity }}
   227      affinity:
   228      {{- include "linkerd.node-affinity" . | nindent 8 }}
   229      {{- end }}
   230      securityContext:
   231        seccompProfile:
   232          type: RuntimeDefault
   233      serviceAccountName: linkerd-cni
   234      {{- if .Values.priorityClassName }}
   235      priorityClassName: {{ .Values.priorityClassName }}
   236      {{- end }}
   237      {{- if .Values.extraInitContainers }}
   238      initContainers:
   239      {{- toYaml .Values.extraInitContainers | nindent 6 }}
   240      {{- end }}
   241      containers:
   242      # This container installs the linkerd CNI binaries
   243      # and CNI network config file on each node. The install
   244      # script copies the files into place and then sleeps so
   245      # that Kubernetes doesn't keep trying to restart it.
   246      - name: install-cni
   247        image: {{ .Values.image.name -}}:{{- .Values.image.version }}
   248        imagePullPolicy: {{ .Values.image.pullPolicy }}
   249        env:
   250        - name: DEST_CNI_NET_DIR
   251          valueFrom:
   252            configMapKeyRef:
   253              name: linkerd-cni-config
   254              key: dest_cni_net_dir
   255        - name: DEST_CNI_BIN_DIR
   256          valueFrom:
   257            configMapKeyRef:
   258              name: linkerd-cni-config
   259              key: dest_cni_bin_dir
   260        - name: CNI_NETWORK_CONFIG
   261          valueFrom:
   262            configMapKeyRef:
   263              name: linkerd-cni-config
   264              key: cni_network_config
   265        - name: SLEEP
   266          value: "true"
   267        lifecycle:
   268          # In some edge-cases this helps ensure that cleanup() is called in the container's script
   269          # https://github.com/linkerd/linkerd2/issues/2355
   270          preStop:
   271            exec:
   272              command:
   273              - /bin/sh
   274              - -c
   275              - kill -15 1; sleep 15s
   276        volumeMounts:
   277        {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
   278        - mountPath: /host{{.Values.destCNIBinDir}}
   279          name: cni-bin-dir
   280        - mountPath: /host{{.Values.destCNINetDir}}
   281          name: cni-net-dir
   282        {{- else }}
   283        - mountPath: /host{{.Values.destCNINetDir}}
   284          name: cni-net-dir
   285        {{- end }}
   286        - mountPath: /tmp
   287          name: linkerd-tmp-dir
   288        securityContext:
   289          readOnlyRootFilesystem: true
   290          privileged: {{.Values.privileged}}
   291        {{- if .Values.resources }}
   292        {{- include "partials.resources" .Values.resources | nindent 8 }}
   293        {{- end }}
   294      {{- if .Values.repairController.enabled }}
   295      # This container watches over pods whose linkerd-network-validator
   296      # container failed, probably because of a race condition while setting up
   297      # the CNI plugin chain, and deletes those pods so they can try acquiring a
   298      # proper network config again
   299      - name: repair-controller
   300        image: {{ .Values.image.name -}}:{{- .Values.image.version }}
   301        imagePullPolicy: {{ .Values.image.pullPolicy }}
   302        {{- if .Values.repairController.enableSecurityContext }}
   303        env:
   304        - name: LINKERD_CNI_REPAIR_CONTROLLER_NODE_NAME
   305          valueFrom:
   306            fieldRef:
   307              fieldPath: spec.nodeName
   308        - name: LINKERD_CNI_REPAIR_CONTROLLER_POD_NAME
   309          valueFrom:
   310            fieldRef:
   311              fieldPath: metadata.name
   312        command:
   313          - /usr/lib/linkerd/linkerd-cni-repair-controller
   314        args:
   315          - --admin-addr=0.0.0.0:9990
   316          - --log-format
   317          - {{ .Values.repairController.logFormat }}
   318          - --log-level
   319          - {{ .Values.repairController.logLevel }}
   320        livenessProbe:
   321          httpGet:
   322            path: /live
   323            port: admin-http
   324        readinessProbe:
   325          failureThreshold: 7
   326          httpGet:
   327            path: /ready
   328            port: admin-http
   329          initialDelaySeconds: 10
   330        ports:
   331        - containerPort: 9990
   332          name: admin-http
   333        securityContext:
   334          allowPrivilegeEscalation: false
   335          capabilities:
   336            drop:
   337            - ALL
   338          privileged: false
   339          readOnlyRootFilesystem: true
   340          seccompProfile:
   341            type: RuntimeDefault
   342        {{- end }}
   343        {{- if .Values.repairController.resources }}
   344        {{- include "partials.resources" .Values.repairController.resources | nindent 8 }}
   345        {{- end }}
   346      {{- end }}
   347      volumes:
   348      {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
   349      - name: cni-bin-dir
   350        hostPath:
   351          path: {{.Values.destCNIBinDir}}
   352      - name: cni-net-dir
   353        hostPath:
   354          path: {{.Values.destCNINetDir}}
   355      {{- else }}
   356      - name: cni-net-dir
   357        hostPath:
   358          path: {{.Values.destCNINetDir}}
   359      {{- end }}
   360      - name: linkerd-tmp-dir
   361        emptyDir: {}
