# Copyright (c) 2017 OpenStack Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # This manifest deploys stackube-proxy container in hostnetwork # on each master and worker node in a Kubernetes cluster. kind: DaemonSet apiVersion: extensions/v1beta1 metadata: name: stackube-proxy namespace: kube-system labels: component: stackube-proxy k8s-app: stackube-proxy kubernetes.io/cluster-service: "true" name: stackube-proxy spec: selector: matchLabels: component: stackube-proxy k8s-app: stackube-proxy kubernetes.io/cluster-service: "true" name: stackube-proxy template: metadata: labels: component: stackube-proxy k8s-app: stackube-proxy kubernetes.io/cluster-service: "true" name: stackube-proxy annotations: scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/tolerations: | [{"key": "dedicated", "value": "master", "effect": "NoSchedule" }, {"key":"CriticalAddonsOnly", "operator":"Exists"}] spec: hostNetwork: true hostPID: true hostIPC: true serviceAccountName: stackube-proxy dnsPolicy: ClusterFirst restartPolicy: Always securityContext: {} terminationGracePeriodSeconds: 30 containers: - name: stackube-proxy resources: {} image: stackube/stackube-proxy:v1.0beta securityContext: privileged: true command: ["/start.sh"] env: # The endpoint of openstack authentication. - name: AUTH_URL valueFrom: configMapKeyRef: name: stackube-config key: auth-url # The username for openstack authentication. - name: USERNAME valueFrom: configMapKeyRef: name: stackube-config key: username # The password for openstack authentication. - name: PASSWORD valueFrom: configMapKeyRef: name: stackube-config key: password # The tenant name for openstack authentication. - name: TENANT_NAME valueFrom: configMapKeyRef: name: stackube-config key: tenant-name # The region for openstack authentication. - name: REGION valueFrom: configMapKeyRef: name: stackube-config key: region # The id of openstack external network. - name: EXT_NET_ID valueFrom: configMapKeyRef: name: stackube-config key: ext-net-id # The kubernetes service host. - name: KUBERNETES_SERVICE_HOST valueFrom: configMapKeyRef: name: stackube-config key: kubernetes-host # The kubernetes service port. - name: KUBERNETES_SERVICE_PORT valueFrom: configMapKeyRef: name: stackube-config key: kubernetes-port volumeMounts: - mountPath: /var/run/netns name: netns - mountPath: /etc/ssl/certs name: certs - mountPath: /etc/pki name: pki volumes: # Used to operate host netns. - name: netns hostPath: path: /var/run/netns # Used to verify the keystone server. - name: certs hostPath: path: /etc/ssl/certs - name: pki hostPath: path: /etc/pki --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: stackube-proxy roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: stackube-proxy subjects: - kind: ServiceAccount name: stackube-proxy namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: stackube-proxy rules: - apiGroups: - "*" resources: - "*" verbs: - "*" --- apiVersion: v1 kind: ServiceAccount metadata: name: stackube-proxy namespace: kube-system