From 1cef2e87e72b1ab5e15a293d72e8b8bd2ddb6048 Mon Sep 17 00:00:00 2001 From: Jack Francis Date: Wed, 7 Nov 2018 10:20:05 -0800 Subject: [PATCH] fix cilium cluster config (#4202) --- ...bernetesmasteraddons-cilium-daemonset.yaml | 56 +++++++++---------- parts/k8s/kubernetesmastercustomdata.yml | 2 +- test/e2e/kubernetes/kubernetes_test.go | 4 +- 3 files changed, 31 insertions(+), 31 deletions(-) diff --git a/parts/k8s/addons/kubernetesmasteraddons-cilium-daemonset.yaml b/parts/k8s/addons/kubernetesmasteraddons-cilium-daemonset.yaml index 5b9f28602..b5c19b121 100644 --- a/parts/k8s/addons/kubernetesmasteraddons-cilium-daemonset.yaml +++ b/parts/k8s/addons/kubernetesmasteraddons-cilium-daemonset.yaml @@ -4,7 +4,7 @@ metadata: name: cilium-config namespace: kube-system labels: - addonmanager.kubernetes.io/mode: EnsureExists + addonmanager.kubernetes.io/mode: "EnsureExists" data: # This etcd-config contains the etcd endpoints of your cluster. If you use # TLS please make sure you uncomment the ca-file line and add the respective @@ -17,12 +17,12 @@ data: # # In case you want to use TLS in etcd, uncomment the following line # and add the certificate as explained in the comment labeled "ETCD-CERT" - ca-file: /var/lib/etcd-secrets/etcd-ca + ca-file: '/var/lib/etcd-secrets/etcd-ca' # # In case you want client to server authentication, uncomment the following # lines and add the certificate and key in cilium-etcd-secrets below - key-file: /var/lib/etcd-secrets/etcd-client-key - cert-file: /var/lib/etcd-secrets/etcd-client-crt + key-file: '/var/lib/etcd-secrets/etcd-client-key' + cert-file: '/var/lib/etcd-secrets/etcd-client-crt' # If you want to run cilium in debug mode change this value to true debug: "false" 
@@ -37,14 +37,14 @@ metadata:
 name: cilium-etcd-secrets
 namespace: kube-system
 labels:
- addonmanager.kubernetes.io/mode: EnsureExists
+ addonmanager.kubernetes.io/mode: "EnsureExists"
 data:
 # ETCD-CERT: Each value should contain the whole certificate in base64, on a
 # single line. You can generate the base64 with: $ base64 -w 0 ./ca.pem
 # (the "-w 0" generates the output on a single line)
- etcd-ca:
- etcd-client-key:
- etcd-client-crt:
+ etcd-ca: ""
+ etcd-client-key: ""
+ etcd-client-crt: ""
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -52,14 +52,14 @@ metadata:
 name: cilium
 namespace: kube-system
 labels:
- addonmanager.kubernetes.io/mode: EnsureExists
+ addonmanager.kubernetes.io/mode: "EnsureExists"
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
 name: cilium
 labels:
- addonmanager.kubernetes.io/mode: EnsureExists
+ addonmanager.kubernetes.io/mode: "EnsureExists"
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
@@ -77,7 +77,7 @@ metadata:
 name: cilium
 namespace: kube-system
 labels:
- addonmanager.kubernetes.io/mode: EnsureExists
+ addonmanager.kubernetes.io/mode: "EnsureExists"
 spec:
 updateStrategy:
 type: "RollingUpdate"
@@ -114,14 +114,14 @@ spec:
 name: cilium-agent
 command: [ "cilium-agent" ]
 args:
- - --debug=$(CILIUM_DEBUG)
- - -t
- - vxlan
- - --kvstore
- - etcd
- - --kvstore-opt
- - etcd.config=/var/lib/etcd-config/etcd.config
- - --disable-ipv4=$(DISABLE_IPV4)
+ - "--debug=$(CILIUM_DEBUG)"
+ - "-t"
+ - "vxlan"
+ - "--kvstore"
+ - "etcd"
+ - "--kvstore-opt"
+ - "etcd.config=/var/lib/etcd-config/etcd.config"
+ - "--disable-ipv4=$(DISABLE_IPV4)"
 ports:
 - name: prometheus
 containerPort: 9090
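Review bot: The new `cilium-etcd-secrets` values read here as `etcd-ca: ""`, `etcd-client-key: ""` and `etcd-client-crt: ""`, while the etcd-config in the preceding hunk now points `ca-file`, `key-file` and `cert-file` at the mounted `/var/lib/etcd-secrets/` paths. If those are literal empty strings rather than placeholders filled in at provisioning time (the `kubernetesmastercustomdata.yml` hunk seds the etcd endpoint into this same manifest, so substitution looks likely, but nothing on the page shows it for the certificates), the agent would mount empty CA and client credentials and its TLS session to etcd would presumably fail rather than authenticate. A comment above the three keys, `# placeholders: populated from the master's etcd client certificates at provisioning time`, would make that contract explicit; confirm the substitution step exists before relying on it.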
@@ -129,29 +129,29 @@ spec:
 postStart:
 exec:
 command:
- - /cni-install.sh
+ - "/cni-install.sh"
 preStop:
 exec:
 command:
- - /cni-uninstall.sh
+ - "/cni-uninstall.sh"
 env:
- - name: K8S_NODE_NAME
+ - name: "K8S_NODE_NAME"
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
- - name: CILIUM_DEBUG
+ - name: "CILIUM_DEBUG"
 valueFrom:
 configMapKeyRef:
 name: cilium-config
 key: debug
- - name: DISABLE_IPV4
+ - name: "DISABLE_IPV4"
 valueFrom:
 configMapKeyRef:
 name: cilium-config
 key: disable-ipv4
 # Note: this variable is a no-op if not defined, and is used in the
 # prometheus examples.
- - name: CILIUM_PROMETHEUS_SERVE_ADDR
+ - name: "CILIUM_PROMETHEUS_SERVE_ADDR"
 valueFrom:
 configMapKeyRef:
 name: cilium-metrics-config
@@ -196,7 +196,7 @@ spec:
 securityContext:
 capabilities:
 add:
- - NET_ADMIN
+ - "NET_ADMIN"
 privileged: true
 hostNetwork: true
 volumes:
@@ -238,7 +238,7 @@ metadata:
 name: cilium
 namespace: kube-system
 labels:
- addonmanager.kubernetes.io/mode: EnsureExists
+ addonmanager.kubernetes.io/mode: "EnsureExists"
 rules:
 - apiGroups:
 - "networking.k8s.io"
@@ -297,4 +297,4 @@ rules:
 - ciliumnetworkpolicies
 - ciliumendpoints
 verbs:
- - "*"
+ - "*"
\ No newline at end of file
diff --git a/parts/k8s/kubernetesmastercustomdata.yml b/parts/k8s/kubernetesmastercustomdata.yml
index 1eb02ea81..62f3d3dad 100644
--- a/parts/k8s/kubernetesmastercustomdata.yml
+++ b/parts/k8s/kubernetesmastercustomdata.yml
@@ -361,7 +361,7 @@ MASTER_ARTIFACTS_CONFIG_PLACEHOLDER
 sed -i "s||{{WrapAsParameter "kubeClusterCidr"}}|g" /etc/kubernetes/addons/flannel-daemonset.yaml
 {{end}}
 {{if eq .OrchestratorProfile.KubernetesConfig.NetworkPolicy "cilium"}}
- a=/etc/kubernetes/addons/cilium-daemonset.yaml
+ a=/etc/kubernetes/addons/cilium-daemonset.yaml
 {{if IsMasterVirtualMachineScaleSets}}
 sed -i "s||"https://$PRIVATE_IP:$ETCD_CLIENT_PORT"|g" $a
 {{else}}
diff --git a/test/e2e/kubernetes/kubernetes_test.go b/test/e2e/kubernetes/kubernetes_test.go
index 683dd3795..109f49f48 100644
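Review bot: The comment `# Note: this variable is a no-op if not defined` above `CILIUM_PROMETHEUS_SERVE_ADDR` does not match how the variable is wired: a `configMapKeyRef` against `cilium-metrics-config` is mandatory by default, so on a cluster where that ConfigMap (or the `key`, which sits just past the end of this hunk) is absent the cilium-agent container fails to start instead of running without metrics. Either add `optional: true` to that `configMapKeyRef` or reword the comment to state that the ConfigMap must exist. The quoting of the env names is fine; the env list continues outside the hunk.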
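Review bot: Quoting `"NET_ADMIN"` keeps the `capabilities.add` entry, but the same container sets `privileged: true` two lines below (with `hostNetwork: true` on the pod), which already grants every capability, so the add list records intent without constraining anything. A one-line comment such as `# privileged: true supersedes this list; kept to document the capability the agent actually needs` would stop a later reader from assuming the container is limited to NET_ADMIN. The container spec begins outside the hunk.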
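Review bot: The new side of the last hunk of the cilium manifest ends without a trailing newline (`\ No newline at end of file` follows the added `- "*"` line), where the old side had one; since this hunk is otherwise a whitespace-only re-indent, restore the final newline so the file ends with `- "*"` followed by a line break. The master bootstrap edits this file in place with `sed -i` (see the `kubernetesmastercustomdata.yml` hunk), and a POSIX-terminated last line keeps those edits and any later concatenation of addon manifests predictable.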
--- a/test/e2e/kubernetes/kubernetes_test.go +++ b/test/e2e/kubernetes/kubernetes_test.go @@ -830,9 +830,9 @@ var _ = Describe("Azure Container Cluster using the Kubernetes Orchestrator", fu }) }) - Describe("with calico or azure network policy enabled", func() { + Describe("with NetworkPolicy enabled", func() { It("should apply various network policies and enforce access to nginx pod", func() { - if eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") { + if eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") || eng.HasNetworkPolicy("cilium") { nsClientOne, nsClientTwo, nsServer := "client-one", "client-two", "server" By("Creating namespaces") _, err := namespace.Create(nsClientOne)
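Review bot: The extended guard `if eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") || eng.HasNetworkPolicy("cilium")` still lets the `It` pass vacuously on a cluster with no network policy configured, and the renamed `Describe("with NetworkPolicy enabled")` now promises coverage the guard does not enforce. Prefer making the non-applicable case explicit with an early skip before the body, `if !eng.HasNetworkPolicy("calico") && !eng.HasNetworkPolicy("azure") && !eng.HasNetworkPolicy("cilium") { Skip("no supported network policy configured") }`, so a cilium run whose policy enforcement never gets exercised shows up as skipped rather than green. The enclosing `It` and `Describe` closures end outside the hunk.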