# Copyright (c) 2017 OpenStack Foundation.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
# DaemonSet "kubestack": places the kubestack CNI plugin binaries and the CNI
# network configuration on every master and worker node of the cluster.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: kubestack
  namespace: kube-system
  labels:
    k8s-app: kubestack
spec:
  selector:
    matchLabels:
      k8s-app: kubestack
  template:
    metadata:
      labels:
        k8s-app: kubestack
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        scheduler.alpha.kubernetes.io/tolerations: |
          [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
          {"key":"CriticalAddonsOnly", "operator":"Exists"}]
    spec:
      # The pod shares the node's network namespace.
      hostNetwork: true
      # NOTE(review): this service account is bound (ClusterRoleBinding
      # "kubestack" below) to a ClusterRole whose first rule allows every verb
      # on every resource, and this pod runs on every node, so each node
      # carries a token with unrestricted API access.
      serviceAccountName: kubestack
      containers:
        # Copies the kubestack CNI binaries and the CNI network config file
        # onto the node through the hostPath mounts listed below.
        - name: install-cni
          # NOTE(review): referenced by tag, not by digest; the content behind
          # the tag is whatever the registry serves at pull time.
          image: stackube/kubestack:v1.0beta
          command:
            - /install-cni.sh
          # All settings are read from the "stackube-config" ConfigMap.
          env:
            # OpenStack authentication endpoint.
            - name: AUTH_URL
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: auth-url
            # OpenStack user name.
            - name: USERNAME
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: username
            # OpenStack password.
            # NOTE(review): the credential is stored in a ConfigMap, so anyone
            # allowed to read ConfigMaps in kube-system can read it. A Secret
            # referenced with secretKeyRef is the usual place for it; that
            # needs the Secret to be created alongside, so it is not changed
            # here.
            - name: PASSWORD
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: password
            # OpenStack tenant name.
            - name: TENANT_NAME
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: tenant-name
            # OpenStack region.
            - name: REGION
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: region
            # ID of the OpenStack external network.
            - name: EXT_NET_ID
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: ext-net-id
            # Name of the OpenStack Neutron plugin.
            - name: PLUGIN_NAME
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: plugin-name
            # Name of the OpenStack Neutron integration bridge.
            - name: INTEGRATION_BRIDGE
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: integration-bridge
            # Kubernetes API service host, taken from the ConfigMap.
            - name: KUBERNETES_SERVICE_HOST
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: kubernetes-host
            # Kubernetes API service port, taken from the ConfigMap.
            - name: KUBERNETES_SERVICE_PORT
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: kubernetes-port
          volumeMounts:
            - name: cni-bin-dir
              mountPath: /host/opt/cni/bin
            - name: cni-net-dir
              mountPath: /host/etc/cni/net.d
            # NOTE(review): the whole host /etc is mounted writable. Which
            # file the installer writes there is not visible in this manifest;
            # mounting only that path would limit what the container can
            # modify on the node.
            - name: kubestack-config-dir
              mountPath: /host/etc
      volumes:
        # Host directories the CNI installation is written to.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        - name: kubestack-config-dir
          hostPath:
            path: /etc

---
# Deployment "stackube-controller": runs the stackube controller.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: stackube-controller
  namespace: kube-system
  labels:
    k8s-app: stackube-controller
  # NOTE(review): these scheduler annotations sit on the Deployment object,
  # whereas the DaemonSet above sets them on the pod template. Presumably the
  # scheduler reads them from the pod; confirm the placement is intended.
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ''
    scheduler.alpha.kubernetes.io/tolerations: |
      [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
      {"key":"CriticalAddonsOnly", "operator":"Exists"}]
spec:
  # Only one active stackube-controller instance is allowed, hence a single
  # replica and the Recreate strategy.
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      name: stackube-controller
      namespace: kube-system
      labels:
        k8s-app: stackube-controller
    spec:
      # For the moment the controller runs in the host network namespace.
      hostNetwork: true
      # NOTE(review): bound below to a ClusterRole whose first rule allows
      # every verb on every resource.
      serviceAccountName: stackube-controller
      containers:
        - name: stackube-controller
          # NOTE(review): referenced by tag, not by digest.
          image: stackube/stackube-controller:v1.0beta
          command:
            - /start.sh
          # All settings are read from the "stackube-config" ConfigMap.
          env:
            # OpenStack authentication endpoint.
            - name: AUTH_URL
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: auth-url
            # OpenStack user name.
            - name: USERNAME
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: username
            # OpenStack password.
            # NOTE(review): read from a ConfigMap rather than a Secret; see
            # the same variable in the DaemonSet above.
            - name: PASSWORD
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: password
            # OpenStack tenant name.
            - name: TENANT_NAME
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: tenant-name
            # OpenStack region.
            - name: REGION
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: region
            # ID of the OpenStack external network.
            - name: EXT_NET_ID
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: ext-net-id
            # Network CIDR used for user pods.
            - name: USER_CIDR
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: user-cidr
            # Network gateway used for user pods.
            - name: USER_GATEWAY
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: user-gateway
            # Kubernetes API service host, taken from the ConfigMap.
            - name: KUBERNETES_SERVICE_HOST
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: kubernetes-host
            # Kubernetes API service port, taken from the ConfigMap.
            - name: KUBERNETES_SERVICE_PORT
              valueFrom:
                configMapKeyRef:
                  name: stackube-config
                  key: kubernetes-port
          # NOTE(review): both mounts are writable although they are described
          # as being used for verification only; readOnly: true would fit that
          # use, assuming /start.sh never writes to them (confirm).
          volumeMounts:
            - name: certs
              mountPath: /etc/ssl/certs
            - name: pki
              mountPath: /etc/pki
      volumes:
        # Host certificate stores, used to verify the keystone server.
        - name: certs
          hostPath:
            path: /etc/ssl/certs
        - name: pki
          hostPath:
            path: /etc/pki

---
# Grants the "stackube-controller" ClusterRole to the controller's service
# account.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: stackube-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: stackube-controller
subjects:
  - kind: ServiceAccount
    name: stackube-controller
    namespace: kube-system

---
# Permissions of the stackube controller.
# NOTE(review): the first rule allows all verbs on all resources in all API
# groups, so the role is unrestricted and the three rules after it add
# nothing. Least privilege would drop the wildcard rule and list only the
# resources the controller uses; that set cannot be derived from this file.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: stackube-controller
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - '*'
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - clusterrolebindings
      - roles
      - rolebindings
    verbs:
      - '*'
  - apiGroups:
      - stackube.kubernetes.io
    resources:
      - tenants
      - networks
    verbs:
      - '*'

---
# Service account used by the stackube-controller Deployment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: stackube-controller
  namespace: kube-system

---
# Service account used by the kubestack DaemonSet.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubestack
  namespace: kube-system

---
# Grants the "kubestack" ClusterRole to the DaemonSet's service account.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubestack
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubestack
subjects:
  - kind: ServiceAccount
    name: kubestack
    namespace: kube-system

---
# Permissions of the kubestack CNI installer pods.
# NOTE(review): the first rule allows all verbs on all resources in all API
# groups, which makes the second rule redundant and gives a per-node pod
# unrestricted API access. It should be narrowed to the resources the plugin
# reads; that set cannot be derived from this file.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: kubestack
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - stackube.kubernetes.io
    resources:
      - tenants
      - networks
    verbs:
      - '*'