author | Dan Osborne <djosborne10@gmail.com> | 2017-03-10 16:07:45 -0800 |
---|---|---|
committer | Dan Osborne <djosborne10@gmail.com> | 2017-03-23 13:53:46 -0700 |
commit | 7aa584b59baba5a7018d38aadd19aa7646702391 (patch) | |
tree | ccaf232790a12e81b923b4595d020deac1bfbe16 /roles/calico_master/templates | |
parent | 33e181c39d5024ecd226567139a7b0d36683bf2c (diff) | |
Add calico.
Diffstat (limited to 'roles/calico_master/templates')
-rw-r--r-- | roles/calico_master/templates/calico-policy-controller.yml.j2 | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/roles/calico_master/templates/calico-policy-controller.yml.j2 b/roles/calico_master/templates/calico-policy-controller.yml.j2
new file mode 100644
index 000000000..66c334ceb
--- /dev/null
+++ b/roles/calico_master/templates/calico-policy-controller.yml.j2
@@ -0,0 +1,105 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico
+ namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: v1
+metadata:
+ name: calico
+ namespace: kube-system
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - namespaces
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups: ["extensions"]
+ resources:
+ - networkpolicies
+ verbs:
+ - list
+ - get
+ - watch
+---
+apiVersion: v1
+kind: ClusterRoleBinding
+metadata:
+ name: calico
+roleRef:
+ name: calico
+subjects:
+- kind: SystemUser
+ name: kube-system:calico
+- kind: ServiceAccount
+ name: calico
+ namespace: kube-system
+userNames:
+ - system:serviceaccount:kube-system:calico
+---
+# This manifest deploys the Calico policy controller on Kubernetes.
+# See https://github.com/projectcalico/k8s-policy
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ k8s-app: calico-policy
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: |
+ [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
+ {"key":"CriticalAddonsOnly", "operator":"Exists"}]
+spec:
+ # The policy controller can only have a single active instance.
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ k8s-app: calico-policy
+ spec:
+ # The policy controller must run in the host network namespace so that
+ # it isn't governed by policy that would prevent it from working.
+ hostNetwork: true
+ serviceAccountName: calico
+ containers:
+ - name: calico-policy-controller
+ image: quay.io/calico/kube-policy-controller:v0.5.3
+ env:
+ # The location of the Calico etcd cluster.
+ - name: ETCD_ENDPOINTS
+ value: {{ etcd_endpoints }}
+ # Location of the CA certificate for etcd.
+ - name: ETCD_CA_CERT_FILE
+ value: {{ calico_etcd_ca_cert_file }}
+ # Location of the client key for etcd.
+ - name: ETCD_KEY_FILE
+ value: {{ calico_etcd_key_file }}
+ # Location of the client certificate for etcd.
+ - name: ETCD_CERT_FILE
+ value: {{ calico_etcd_cert_file }}
+ # Since we're running in the host namespace and might not have KubeDNS
+ # access, configure the container's /etc/hosts to resolve
+ # kubernetes.default to the correct service clusterIP.
+ - name: CONFIGURE_ETC_HOSTS
+ value: "true"
+ volumeMounts:
+ # Mount in the etcd TLS secrets.
+ - name: certs
+ mountPath: /etc/origin/calico
+
+ volumes:
+ # Mount in the etcd TLS secrets.
+ - name: certs
+ hostPath:
+ path: /etc/origin/calico |
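Review bot: The `certs` volumeMount exposes the host directory `/etc/origin/calico`, which per the comments holds the etcd client key, to a `hostNetwork: true` pod without marking it read-only; add `readOnly: true` under that mount so a compromised controller cannot replace the host's etcd credentials. The four Jinja-rendered env values are unquoted, so an empty or boolean-looking variable renders as a non-string; `value: "{{ etcd_endpoints }}"` (and likewise for the three cert paths) avoids that. The `SystemUser` subject `kube-system:calico` in the ClusterRoleBinding looks redundant next to the `system:serviceaccount:kube-system:calico` entry in `userNames` and may bind the role to an unintended user name, so it is worth confirming against the OpenShift authorization API. Pinning the image by digest rather than by the `v0.5.3` tag alone would also make the deployed controller reproducible.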