openstack-helm-infra/calico/values.yaml
Pete Birley eb58abb880 Calico: Fix security context
This PS fixes the use of the security context macros for the
calico chart.

Change-Id: I2ed8a5e994726b625d76a2c308895441c7d174a9
Signed-off-by: Pete Birley <pete@port.direct>
2019-04-21 15:46:16 +00:00

576 lines
16 KiB
YAML

# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
images:
tags:
# These are minimum versions, older images will very likely not
# work
calico_etcd: quay.io/coreos/etcd:v3.3.9
calico_node: quay.io/calico/node:v3.4.0
calico_cni: quay.io/calico/cni:v3.4.0
calico_ctl: calico/ctl:v3.4.0
calico_settings: calico/ctl:v3.4.0
# NOTE: plural key, singular value
calico_kube_controllers: quay.io/calico/kube-controllers:v3.4.0
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
- calico_etcd
- calico_node
- calico_cni
- calico_kube_controllers
pod:
security_context:
etcd:
pod:
runAsUser: 0
container:
calico_etcd:
readOnlyRootFilesystem: false
calico_node:
pod:
runAsUser: 0
container:
calico_ctl:
readOnlyRootFilesystem: false
install_cni:
readOnlyRootFilesystem: false
calico_node:
readOnlyRootFilesystem: false
capabilities:
add:
- 'NET_ADMIN'
- 'SYS_ADMIN'
kube_controllers:
pod:
runAsUser: 0
container:
kube_controller:
readOnlyRootFilesystem: false
calico_settings:
pod:
runAsUser: 0
container:
calico_settings:
readOnlyRootFilesystem: false
resources:
enabled: false
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_settings:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_kube_controllers:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_node:
requests:
memory: "128Mi"
cpu: "250m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_cni:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_ctl:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
calico_etcd:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
disruption_budget:
controllers:
min_available: 0
mandatory_access_control:
type: apparmor
calico-node:
calico-node: localhost/docker-default
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- calico-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
calico_kube_controllers:
services:
- endpoint: internal
service: calico-etcd
calico_node:
services:
- endpoint: internal
service: calico-etcd
calico_settings:
services:
- endpoint: internal
service: calico-etcd
calico_etcd:
services: null
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
etcd:
auth:
client:
tls:
crt: null
ca: null
key: null
path:
# these must be within /etc/calico
crt: /etc/calico/pki/crt
ca: /etc/calico/pki/ca
key: /etc/calico/pki/key
scheme:
default: http
path:
default: ' ' # space required to provide a truly empty path
hosts:
default: 10.96.232.136
host_fqdn_override:
default: null
service:
name: null
port:
client:
default: 6666
peer:
default: 6667
monitoring:
prometheus:
enabled: true
calico_node:
scrape: true
port: 9091
networking:
podSubnet: 192.168.0.0/16
# Physical MTU, if ipip is enabled, the chart will adjust things downward
mtu: 1500
settings:
mesh: "on"
# technically this could be a list, today we only support a single
# podSubnet, the one above. The settings below will be applied to
# that ipPool
ippool:
ipip:
enabled: true
nat_outgoing: true
disabled: false
bgp:
# our asnumber for bgp peering
asnumber: 64512
ipv4:
# https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer
#
# this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and
# the node attribute removed
#
# apiVersion: projectcalico.org/v3
# kind: BGPPeer
# metadata:
# name: some.name
# spec:
# node: rack1-host1
# peerIP: 10.1.10.39
# asNumber: 64512
peers: []
# this is a list of additional IPv4 cidrs that if we discover
# IPs within them on a host, we will announce the address in
# addition to traditional pod workloads
additional_cidrs: []
# community_cidr_ref contains embedded objects that describe a
# BGP community that is to be associated with the supplied CIDR.
# The top-level key names are not important.
#
# The resulting BGP community will take the form of
# <prefix>:<community>
# If no prefix is specified then the asnumber is used
community_cidr_ref:
# cidr_community_description:
# cidr: 192.168.0.0/16
# community: 54321
# prefix: 55555
# alpha:
# cidr: 10.0.0.0/16
# community: 54322
port:
neighbor: 179
listen: 179
ipv6:
# https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/bgppeer
#
# this is a list of peer objects that will be passed directly to
# calicoctl - for global peers, the scope should be global and
# the node attribute removed
#
# apiVersion: projectcalico.org/v3
# kind: BGPPeer
# metadata:
# name: some.name
# spec:
# node: rack1-host1
# peerIP: 2600:1:2:3::abcd
# asNumber: 64512
peers: []
# this is a list of additional IPv6 cidrs that if we discover
# IPs within them on a host, we will announce them in addition
# to traditional pod workloads
additional_cidrs: []
# community_cidr_ref contains embedded objects that describe a
# BGP community that is to be associated with the supplied CIDR.
# The top-level key names are not important.
#
# The resulting BGP community will take the form of
# <prefix>:<community>
# If no prefix is specified then the asnumber is used
community_cidr_ref:
# cidr_community_description:
# cidr: 2600:1:2:3::abcd/28
# community: 54321
# prefix: 55555
# alpha:
# cidr: 1400:a:2:3::abcd/26
# community: 54322
port:
neighbor: 179
listen: 179
# Policy contains embedded Calico policy and/or endpoint objects.
# Because lists are cumbersome to deal with this is stuctured as a
# dictionary (therefore not ordered). The top-level key names are
# not important, priority contains a value between 0 and 9 inclusive
# and rules contains any objects (typically used as rules).
# Priority 0 objects are emitted before priority 9. It is
# recommended any rules such as HostEndpoint be given a higher
# priority so that they are applied after more generic objects.
# Priority values outside of integers 0 through 9 are not valid and
# should not be used.
policy:
# alpha:
# priority: 0
# rules:
# - apiVersion: projectcalico.org/v3
# kind: GlobalNetworkPolicy
# metadata:
# name: allow-tcp-6379
# spec:
# order: 0
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 6379
# egress:
# - action: Allow
# - apiVersion: projectcalico.org/v3
# kind: GlobalNetworkPolicy
# metadata:
# name: allow-tcp-3306
# spec:
# order: 1
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 3306
# egress:
# - action: Allow
# beta:
# priority: 1
# rules:
# - apiVersion: projectcalico.org/v3
# kind: NetworkPolicy
# metadata:
# name: allow-tcp-6379
# namespace: production
# spec:
# selector: role == 'database'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 6379
# egress:
# - action: Allow
# - apiVersion: projectcalico.org/v3
# kind: NetworkPolicy
# metadata:
# name: allow-tcp-8081
# namespace: production
# spec:
# selector: role == 'webthing'
# types:
# - Ingress
# - Egress
# ingress:
# - action: Allow
# protocol: TCP
# source:
# selector: role == 'frontend'
# destination:
# ports:
# - 8081
# egress:
# - action: Allow
# zulu:
# priority: 9
# rules:
# - apiVersion: projectcalico.org/v3
# kind: HostEndpoint
# metadata:
# name: first.thing
# labels:
# type: production
# spec:
# interfaceName: eth0
# node: mysecrethost
# expectedIPs:
# - 192.168.0.1
# - 192.168.0.2
# profiles:
# - profile1
# - profile2
# ports:
# - name: some-port
# port: 1234
# protocol: TCP
# - name: another-port
# port: 5432
# protocol: UDP
# - apiVersion: projectcalico.org/v3
# kind: HostEndpoint
# metadata:
# name: second.thing
# labels:
# type: production
# spec:
# interfaceName: eth1
# node: myothersecrethost
# expectedIPs:
# - 192.168.1.1
# - 192.168.1.2
# profiles:
# - profile1
# - profile2
# ports:
# - name: some-port
# port: 1234
# protocol: TCP
# - name: another-port
# port: 5432
# protocol: UDP
conf:
etcd:
credentials:
ca: null
key: null
certificate: null
# NOTE; syntax has subtly changed since Calico v2. For Armada *all*
# of this needes to be specified. We're using yaml here which we
# can't robustly convert to json (which the node pod requires) so it
# might be we revisit that and embedded a json string that gets
# edits
cni_network_config:
# https://docs.projectcalico.org/v3.4/reference/cni-plugin/configuration
#
# other than the etcd_* keys you likely want to leave this as-is
name: k8s-pod-network
cniVersion: 0.3.0
plugins:
- type: calico
log_level: info
etcd_endpoints: __ETCD_ENDPOINTS__
etcd_key_file: __ETCD_KEY_FILE__
etcd_cert_file: __ETCD_CERT_FILE__
etcd_ca_cert_file: __ETCD_CA_CERT_FILE__
ipam:
type: calico-ipam
policy:
type: k8s
kubernetes:
kubeconfig: __KUBECONFIG_FILEPATH__
- type: portmap
snat: true
capabilities:
portMappings: true
controllers:
# The location of the Kubernetes API. Use the default Kubernetes
# service for API access.
K8S_API: "https://kubernetes.default:443"
# Choose which controllers to run, see
# https://docs.projectcalico.org//v3.4/reference/kube-controllers/configuration
# for an explanation of each
ENABLED_CONTROLLERS: "policy,namespace,serviceaccount,workloadendpoint,node"
# Since we're running in the host namespace and might not have KubeDNS
# access, configure the container's /etc/hosts to resolve
# kubernetes.default to the correct service clusterIP.
CONFIGURE_ETC_HOSTS: true
node:
# for specific details see
# https://docs.projectcalico.org/v3.4/reference/node/configuration
name: k8s-pod-network
# Cluster type to identify the deployment type
# NOTE: v2 had a list ... v3 a comma separated string
CLUSTER_TYPE: "k8s,bgp"
# Describes which BGP networking backend to use gobgp, bird, none.
# Default is bird. NOTE(alanmeadows) today this chart only
# supports applying the bgp customizations to bird templates - in
# the future we may support gobgp as well
CALICO_NETWORKING_BACKEND: bird
# Location of the CA certificate for etcd.
ETCD_CA_CERT_FILE: ""
# Location of the client key for etcd.
ETCD_KEY_FILE: ""
# Location of the client certificate for etcd.
ETCD_CERT_FILE: ""
# Disable file logging so `kubectl logs` works.
CALICO_DISABLE_FILE_LOGGING: true
# Set Felix endpoint to host default action to ACCEPT.
# early/startup log level for calico-node on startup.
CALICO_STARTUP_LOGLEVEL: "Info"
FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT"
# Configure the IP Pool from which Pod IPs will be chosen; it's
# recommended you leave this as null and the value from
# networking.podSubnet will be used
CALICO_IPV4POOL_CIDR: null
# See https://docs.projectcalico.org/v3.4/reference/calicoctl/resources/ippool
CALICO_IPV4POOL_BLOCKSIZE: 26
# Change this to 'Never' in environments with direct L2
# communication (such that tunnels are not needed for pods on
# different hosts to communicate with each otehr).
CALICO_IPV4POOL_IPIP: "Always"
# Disable IPv6 on Kubernetes.
FELIX_IPV6SUPPORT: false
# Set MTU for tunnel device used if ipip is enabled, it's
# recommended you leave this as null and an appropriate value will
# be set based on tunneling mode and the networking.mtu value
FELIX_IPINIPMTU: null
# Set Felix logging; also (ab)used for bgp configuration
FELIX_LOGSEVERITYSCREEN: "Info"
FELIX_HEALTHENABLED: true
# Set Felix experimental Prometheus metrics server
FELIX_PROMETHEUSMETRICSENABLED: true
FELIX_PROMETHEUSMETRICSPORT: "9091"
# Auto-detect the BGP IP address.
IP: ""
# Detection of source interface for routing
# options include
# can-reach=DESTINATION
# interface=INTERFACE-REGEX
IP_AUTODETECTION_METHOD: first-found
IPV6_AUTODETECTION_METHOD: first-found
manifests:
configmap_bin: true
configmap_etc: true
configmap_bird: true
daemonset_calico_etcd: true
daemonset_calico_node: true
daemonset_calico_node_calicoctl: true
deployment_calico_kube_controllers: true
job_image_repo_sync: true
job_calico_settings: true
service_calico_etcd: true
secret_certificates: true