forked from istio/cni
-
Notifications
You must be signed in to change notification settings - Fork 0
/
istio-cni.yaml
138 lines (130 loc) · 3.74 KB
/
istio-cni.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# Istio-CNI Version v0.1-dev
#
# This manifest installs the following component versions:
# istio-cni:v0.1
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: istio-cni
rules:
- apiGroups: [""]
resources:
- pods
- nodes
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-cni
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-cni
subjects:
- kind: ServiceAccount
name: istio-cni
namespace: kube-system
---
# This ConfigMap is used to configure a self-hosted Istio CNI installation.
kind: ConfigMap
apiVersion: v1
metadata:
name: istio-cni-config
namespace: kube-system
data:
# The CNI network configuration to add to the plugin chain on each node. The special
# values in this config will be automatically populated.
cni_network_config: |-
{
"type": "istio-cni",
"log_level": "info",
"kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__",
"cni_bin_dir": "/opt/cni/bin",
"exclude_namespaces": [ "istio-system" ]
}
}
---
# This manifest installs the Istio install-cni container, as well
# as the Istio CNI plugin and config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
name: istio-node
namespace: kube-system
labels:
k8s-app: istio-node
spec:
selector:
matchLabels:
k8s-app: istio-node
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
k8s-app: istio-node
annotations:
# This, along with the CriticalAddonsOnly toleration below,
# marks the pod as a critical add-on, ensuring it gets
# priority scheduling and that its resources are reserved
# if it ever gets evicted.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
nodeSelector:
beta.kubernetes.io/os: linux
hostNetwork: true
tolerations:
# Make sure istio-node gets scheduled on all nodes.
- effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
serviceAccountName: istio-cni
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
containers:
# This container installs the Istio CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: docker.io/tiswanso/install-cni:v0.1-dev
imagePullPolicy: Always
command: ["/install-cni.sh"]
env:
# Name of the CNI config file to create.
- name: CNI_CONF_NAME
value: "10-calico.conflist"
# The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
name: istio-cni-config
key: cni_network_config
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
volumes:
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-cni
namespace: kube-system