author | OpenShift Bot <eparis+openshiftbot@redhat.com> | 2017-03-27 22:28:40 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-03-27 22:28:40 -0500 |
commit | a502b675936b617515ae7a00228aa62f1ec5bc53 (patch) | |
tree | fac00fa6dee431cc92ac92610387def9b8aeb155 /roles/calico_master/templates | |
parent | a22e780b21eacf9ae7fc067d9f26e1a01c1d4558 (diff) | |
parent | 7aa584b59baba5a7018d38aadd19aa7646702391 (diff) | |
Merge pull request #3038 from djosborne/calico
Merged by openshift-bot
Diffstat (limited to 'roles/calico_master/templates')
-rw-r--r-- | roles/calico_master/templates/calico-policy-controller.yml.j2 | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/roles/calico_master/templates/calico-policy-controller.yml.j2 b/roles/calico_master/templates/calico-policy-controller.yml.j2
new file mode 100644
index 000000000..66c334ceb
--- /dev/null
+++ b/roles/calico_master/templates/calico-policy-controller.yml.j2
@@ -0,0 +1,105 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico
+ namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: v1
+metadata:
+ name: calico
+ namespace: kube-system
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - namespaces
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups: ["extensions"]
+ resources:
+ - networkpolicies
+ verbs:
+ - list
+ - get
+ - watch
+---
+apiVersion: v1
+kind: ClusterRoleBinding
+metadata:
+ name: calico
+roleRef:
+ name: calico
+subjects:
+- kind: SystemUser
+ name: kube-system:calico
+- kind: ServiceAccount
+ name: calico
+ namespace: kube-system
+userNames:
+ - system:serviceaccount:kube-system:calico
+---
+# This manifest deploys the Calico policy controller on Kubernetes.
+# See https://github.com/projectcalico/k8s-policy
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ k8s-app: calico-policy
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: |
+ [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
+ {"key":"CriticalAddonsOnly", "operator":"Exists"}]
+spec:
+ # The policy controller can only have a single active instance.
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ k8s-app: calico-policy
+ spec:
+ # The policy controller must run in the host network namespace so that
+ # it isn't governed by policy that would prevent it from working.
+ hostNetwork: true
+ serviceAccountName: calico
+ containers:
+ - name: calico-policy-controller
+ image: quay.io/calico/kube-policy-controller:v0.5.3
+ env:
+ # The location of the Calico etcd cluster.
+ - name: ETCD_ENDPOINTS
+ value: {{ etcd_endpoints }}
+ # Location of the CA certificate for etcd.
+ - name: ETCD_CA_CERT_FILE
+ value: {{ calico_etcd_ca_cert_file }}
+ # Location of the client key for etcd.
+ - name: ETCD_KEY_FILE
+ value: {{ calico_etcd_key_file }}
+ # Location of the client certificate for etcd.
+ - name: ETCD_CERT_FILE
+ value: {{ calico_etcd_cert_file }}
+ # Since we're running in the host namespace and might not have KubeDNS
+ # access, configure the container's /etc/hosts to resolve
+ # kubernetes.default to the correct service clusterIP.
+ - name: CONFIGURE_ETC_HOSTS
+ value: "true"
+ volumeMounts:
+ # Mount in the etcd TLS secrets.
+ - name: certs
+ mountPath: /etc/origin/calico
+
+ volumes:
+ # Mount in the etcd TLS secrets.
+ - name: certs
+ hostPath:
+ path: /etc/origin/calico |
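Review bot: The `certs` volumeMount at the end of the container spec mounts the host's `/etc/origin/calico` without `readOnly`, so the directory that the comments describe as holding the etcd TLS secrets is writable from a container that also runs with `hostNetwork: true`; a compromised controller process could then alter or replace the client key and CA on the host. Add `readOnly: true` under `mountPath: /etc/origin/calico`. The four templated env values (`ETCD_ENDPOINTS`, `ETCD_CA_CERT_FILE`, `ETCD_KEY_FILE`, `ETCD_CERT_FILE`) are unquoted, so an empty or unusual variable renders as null or as a different YAML type; write them as `value: "{{ etcd_endpoints }}"`, matching the already-quoted `"true"`. The image is referenced only by the tag `v0.5.3`; pinning it by digest would keep a re-pushed tag from changing what runs under the `calico` service account.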