Jack Francis 2018-11-07 10:20:05 -08:00 коммит произвёл GitHub
Родитель 61aac0686d
Коммит 1cef2e87e7
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
3 изменённых файлов: 31 добавлений и 31 удалений


@ -4,7 +4,7 @@ metadata:
name: cilium-config
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
data:
# This etcd-config contains the etcd endpoints of your cluster. If you use
# TLS please make sure you uncomment the ca-file line and add the respective
@ -17,12 +17,12 @@ data:
#
# In case you want to use TLS in etcd, uncomment the following line
# and add the certificate as explained in the comment labeled "ETCD-CERT"
ca-file: /var/lib/etcd-secrets/etcd-ca
ca-file: '/var/lib/etcd-secrets/etcd-ca'
#
# In case you want client to server authentication, uncomment the following
# lines and add the certificate and key in cilium-etcd-secrets below
key-file: /var/lib/etcd-secrets/etcd-client-key
cert-file: /var/lib/etcd-secrets/etcd-client-crt
key-file: '/var/lib/etcd-secrets/etcd-client-key'
cert-file: '/var/lib/etcd-secrets/etcd-client-crt'
# If you want to run cilium in debug mode change this value to true
debug: "false"
@ -37,14 +37,14 @@ metadata:
name: cilium-etcd-secrets
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
data:
# ETCD-CERT: Each value should contain the whole certificate in base64, on a
# single line. You can generate the base64 with: $ base64 -w 0 ./ca.pem
# (the "-w 0" generates the output on a single line)
etcd-ca: <ETCD_CA>
etcd-client-key: <ETCD_CLIENT_KEY>
etcd-client-crt: <ETCD_CLIENT_CERT>
etcd-ca: "<ETCD_CA>"
etcd-client-key: "<ETCD_CLIENT_KEY>"
etcd-client-crt: "<ETCD_CLIENT_CERT>"
---
apiVersion: v1
kind: ServiceAccount
@ -52,14 +52,14 @@ metadata:
name: cilium
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cilium
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@ -77,7 +77,7 @@ metadata:
name: cilium
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
spec:
updateStrategy:
type: "RollingUpdate"
@ -114,14 +114,14 @@ spec:
name: cilium-agent
command: [ "cilium-agent" ]
args:
- --debug=$(CILIUM_DEBUG)
- -t
- vxlan
- --kvstore
- etcd
- --kvstore-opt
- etcd.config=/var/lib/etcd-config/etcd.config
- --disable-ipv4=$(DISABLE_IPV4)
- "--debug=$(CILIUM_DEBUG)"
- "-t"
- "vxlan"
- "--kvstore"
- "etcd"
- "--kvstore-opt"
- "etcd.config=/var/lib/etcd-config/etcd.config"
- "--disable-ipv4=$(DISABLE_IPV4)"
ports:
- name: prometheus
containerPort: 9090
@ -129,29 +129,29 @@ spec:
postStart:
exec:
command:
- /cni-install.sh
- "/cni-install.sh"
preStop:
exec:
command:
- /cni-uninstall.sh
- "/cni-uninstall.sh"
env:
- name: K8S_NODE_NAME
- name: "K8S_NODE_NAME"
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: CILIUM_DEBUG
- name: "CILIUM_DEBUG"
valueFrom:
configMapKeyRef:
name: cilium-config
key: debug
- name: DISABLE_IPV4
- name: "DISABLE_IPV4"
valueFrom:
configMapKeyRef:
name: cilium-config
key: disable-ipv4
# Note: this variable is a no-op if not defined, and is used in the
# prometheus examples.
- name: CILIUM_PROMETHEUS_SERVE_ADDR
- name: "CILIUM_PROMETHEUS_SERVE_ADDR"
valueFrom:
configMapKeyRef:
name: cilium-metrics-config
@ -196,7 +196,7 @@ spec:
securityContext:
capabilities:
add:
- NET_ADMIN
- "NET_ADMIN"
privileged: true
hostNetwork: true
volumes:
@ -238,7 +238,7 @@ metadata:
name: cilium
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
rules:
- apiGroups:
- "networking.k8s.io"
@ -297,4 +297,4 @@ rules:
- ciliumnetworkpolicies
- ciliumendpoints
verbs:
- "*"
- "*"
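Review bot: The `capabilities.add` entry `"NET_ADMIN"` in the securityContext hunk (`@ -196,7 +196,7`) has no effect while `privileged: true` follows it, since a privileged container already holds every capability, so the list reads as a least-privilege restriction that is not in force. Together with `hostNetwork: true` this gives the cilium-agent container host-level access, and the manifest does not say why that is needed. I would document it next to the setting, e.g. `# privileged: true grants all capabilities; capabilities.add above is not a restriction`, or drop `privileged: true` in favour of an explicit capability list if the agent can run that way, which is not visible from this page. The securityContext block starts outside the hunk.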


@ -361,7 +361,7 @@ MASTER_ARTIFACTS_CONFIG_PLACEHOLDER
sed -i "s|<kubeClusterCidr>|{{WrapAsParameter "kubeClusterCidr"}}|g" /etc/kubernetes/addons/flannel-daemonset.yaml
{{end}}
{{if eq .OrchestratorProfile.KubernetesConfig.NetworkPolicy "cilium"}}
a=/etc/kubernetes/addons/cilium-daemonset.yaml
a=/etc/kubernetes/addons/cilium-daemonset.yaml
{{if IsMasterVirtualMachineScaleSets}}
sed -i "s|<ETCD_URL>|"https://$PRIVATE_IP:$ETCD_CLIENT_PORT"|g" $a
{{else}}


@ -830,9 +830,9 @@ var _ = Describe("Azure Container Cluster using the Kubernetes Orchestrator", fu
})
})
Describe("with calico or azure network policy enabled", func() {
Describe("with NetworkPolicy enabled", func() {
It("should apply various network policies and enforce access to nginx pod", func() {
if eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") {
if eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") || eng.HasNetworkPolicy("cilium") {
nsClientOne, nsClientTwo, nsServer := "client-one", "client-two", "server"
By("Creating namespaces")
_, err := namespace.Create(nsClientOne)