summaryrefslogtreecommitdiffstats
path: root/roles/calico_master/templates
diff options
context:
space:
mode:
authorDan Osborne <djosborne10@gmail.com>2017-03-10 16:07:45 -0800
committerDan Osborne <djosborne10@gmail.com>2017-03-23 13:53:46 -0700
commit7aa584b59baba5a7018d38aadd19aa7646702391 (patch)
treeccaf232790a12e81b923b4595d020deac1bfbe16 /roles/calico_master/templates
parent33e181c39d5024ecd226567139a7b0d36683bf2c (diff)
downloadopenshift-7aa584b59baba5a7018d38aadd19aa7646702391.tar.gz
openshift-7aa584b59baba5a7018d38aadd19aa7646702391.tar.bz2
openshift-7aa584b59baba5a7018d38aadd19aa7646702391.tar.xz
openshift-7aa584b59baba5a7018d38aadd19aa7646702391.zip
Add calico.
Diffstat (limited to 'roles/calico_master/templates')
-rw-r--r--roles/calico_master/templates/calico-policy-controller.yml.j2105
1 files changed, 105 insertions, 0 deletions
diff --git a/roles/calico_master/templates/calico-policy-controller.yml.j2 b/roles/calico_master/templates/calico-policy-controller.yml.j2
new file mode 100644
index 000000000..66c334ceb
--- /dev/null
+++ b/roles/calico_master/templates/calico-policy-controller.yml.j2
@@ -0,0 +1,105 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico
+ namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: v1
+metadata:
+ name: calico
+ namespace: kube-system
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - namespaces
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups: ["extensions"]
+ resources:
+ - networkpolicies
+ verbs:
+ - list
+ - get
+ - watch
+---
+apiVersion: v1
+kind: ClusterRoleBinding
+metadata:
+ name: calico
+roleRef:
+ name: calico
+subjects:
+- kind: SystemUser
+ name: kube-system:calico
+- kind: ServiceAccount
+ name: calico
+ namespace: kube-system
+userNames:
+ - system:serviceaccount:kube-system:calico
+---
+# This manifest deploys the Calico policy controller on Kubernetes.
+# See https://github.com/projectcalico/k8s-policy
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ k8s-app: calico-policy
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: |
+ [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
+ {"key":"CriticalAddonsOnly", "operator":"Exists"}]
+spec:
+ # The policy controller can only have a single active instance.
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ k8s-app: calico-policy
+ spec:
+ # The policy controller must run in the host network namespace so that
+ # it isn't governed by policy that would prevent it from working.
+ hostNetwork: true
+ serviceAccountName: calico
+ containers:
+ - name: calico-policy-controller
+ image: quay.io/calico/kube-policy-controller:v0.5.3
+ env:
+ # The location of the Calico etcd cluster.
+ - name: ETCD_ENDPOINTS
+ value: {{ etcd_endpoints }}
+ # Location of the CA certificate for etcd.
+ - name: ETCD_CA_CERT_FILE
+ value: {{ calico_etcd_ca_cert_file }}
+ # Location of the client key for etcd.
+ - name: ETCD_KEY_FILE
+ value: {{ calico_etcd_key_file }}
+ # Location of the client certificate for etcd.
+ - name: ETCD_CERT_FILE
+ value: {{ calico_etcd_cert_file }}
+ # Since we're running in the host namespace and might not have KubeDNS
+ # access, configure the container's /etc/hosts to resolve
+ # kubernetes.default to the correct service clusterIP.
+ - name: CONFIGURE_ETC_HOSTS
+ value: "true"
+ volumeMounts:
+ # Mount in the etcd TLS secrets.
+ - name: certs
+ mountPath: /etc/origin/calico
+
+ volumes:
+ # Mount in the etcd TLS secrets.
+ - name: certs
+ hostPath:
+ path: /etc/origin/calico