From 4bb6906ca4bf750b0d238f4e4ef70a66a7cb687a53625040d2df99e4a69495c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 3 May 2024 12:32:34 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main flannel revision 2bd423cc9f2f6ec4df6b5471a7bbd27f
---
 .gitattributes | 23 +++
 flannel.changes | 444 ++++++++++++++++++++++++++++++++++++++++++++++
 flannel.spec | 109 ++++++++++++
 kube-flannel.yaml | 223 +++++++++++++++++++++++
 v0.14.0.tar.gz | 3 +
 5 files changed, 802 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 flannel.changes
 create mode 100644 flannel.spec
 create mode 100644 kube-flannel.yaml
 create mode 100644 v0.14.0.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/flannel.changes b/flannel.changes
new file mode 100644
index 0000000..e7ec692
--- /dev/null
+++ b/flannel.changes
@@ -0,0 +1,444 @@
+-------------------------------------------------------------------
+Fri Jul 23 08:54:45 UTC 2021 - Alexandre Vicenzi
+
+- Update to 0.14.0:
+ * Add tencent cloud VPC network support
+ * moving go modules to flannel-io/flannel and updating to go 1.16
+ * fix(windows): nil pointer panic
+ * Preserve environment for extension backend
+ * Fix flannel hang if lease expired
+ * Documentation for the Flannel upgrade/downgrade procedure
+ * Move from glog to klog
+ * fix(host-gw): failed to restart if gateway hnsep existed
+ * ipsec: use well known paths of charon daemon
+ * upgrade client-go to 1.19.4
+ * move from juju/errors to pkg/errors
+ * subnets: move forward the cursor to skip illegal subnet
+ * Fix Expired URL to Deploying Flannel with kubeadm
+ * Modify kube-flannel.yaml to use rbac.authorization.k8s.io/v1
+ * preserve AccessKey & AccessKeySecret environment on sudo fix some typo in doc.
+ * iptables: handle errors that prevent rule deletes
+- Sync kube-flannel.yaml manifest
+- Change project URL to github.com/flannel-io/flannel
+
+-------------------------------------------------------------------
+Wed Apr 28 13:20:33 UTC 2021 - Ralf Haferkamp
+
+- Sync manifest with upstream (0.13.0 release). Includes the
+ following changes:
+ * Fix typo and invalid indent in kube-flannel.yml
+ * Use stable os and arch label for node
+ * set priorityClassName to system-node-critical
+ * Add NET_RAW capability to support cri-o
+ * Use multi-arch Docker images in the Kubernetes manifest
+
+-------------------------------------------------------------------
+Wed Mar 17 01:25:43 UTC 2021 - Jeff Kowalczyk
+
+- Set GO111MODULE=auto to build with go1.16+
+ * Default changed to GO111MODULE=on in go1.16
+ * Set temporarily until using upstream version with go.mod
+
+-------------------------------------------------------------------
+Fri Feb 26 09:43:39 UTC 2021 - Alexandre Vicenzi
+
+- update to 0.13.0:
+ * Use multi-arch Docker images in the Kubernetes manifest
+ * Accept existing XMRF policies and update them intead of raising errors
+ * Add --no-sanity-check to iptables-wrapper-installer.sh for architectures other than amd64
+ * Use "docker manifest" to publish multi-arch Docker images
+ * Add NET_RAW capability to support cri-o
+ * remove glide
+ * switch to go modules
+ * Add and implement iptables-wrapper-installer.sh from https://github.com/kubernetes-sigs/iptables-wrappers
+ * documentation: set priorityClassName to system-node-critical
+ * Added a hint for firewall rules
+ * Disabling ipv6 accept_ra explicitely on the created interface
+ * use alpine 3.12 everywhere
+ * windows: replace old netsh (rakelkar/gonetsh) with powershell commands
+ * fix CVE-2019-14697
+ * Bugfix: VtepMac would be empty when lease re-acquire for windows
+ * Use stable os and arch label for node
+ * doc(awsvpc): correct the required permissions
+
+-------------------------------------------------------------------
+Sun Aug 16 17:14:50 UTC 2020 - Dirk Mueller
+
+- update to 0.12.0:
+ * fix deleteLease
+ * Use publicIP lookup iface if --public-ip indicated
+ * kubernetes 1.16 cni error
+ * Add cniVersion to general CNI plugin configuration.
+ * Needs to clear NodeNetworkUnavailable flag on Kubernetes
+ * Replaces gorillalabs go-powershell with bhendo/go-powershell
+ * Make VXLAN device learning attribute configurable
+ * change nodeSelector to nodeAffinity and schedule the pod to linux node
+ * This PR adds the cni version to the cni-conf.yaml inside the kube-flannel-cfg configmap
+ * EnableNonPersistent flag for Windows Overlay networks
+ * snap package.
+ * Update lease with DR Mac
+ * main.go: add the "net-config-path" flag
+ * Deploy Flannel with unprivileged PSP
+ * Enable local host to local pod connectivity in Windows VXLAN
+ * Update hcsshim for HostRoute policy in Windows VXLAN
+
+-------------------------------------------------------------------
+Tue Oct 29 13:30:38 UTC 2019 - Guillaume GARDET
+
+- Use Tumbleweed Kubic flannel containers instead of devel:kubic
+ containers. This fixes aarch64 and ppc64* (boo#1152185)
+
+-------------------------------------------------------------------
+Fri Oct 11 07:46:20 UTC 2019 - Fabian Vogt
+
+- It's apps/v1, not apps/v1beta1
+- Fix some more typos
+
+-------------------------------------------------------------------
+Thu Oct 10 15:03:40 UTC 2019 - Richard Brown
+
+- Fix typo in updated flannel manifest
+
+-------------------------------------------------------------------
+Thu Oct 10 13:45:11 UTC 2019 - Richard Brown
+
+- Update flannel manifest to match upstream and support k8s 1.16 API
+
+-------------------------------------------------------------------
+Fri Jul 19 10:56:20 CEST 2019 - kukuk@suse.de
+
+- Set cni version in flannel manifest
+
+-------------------------------------------------------------------
+Thu Jul 18 09:06:33 UTC 2019 - Thorsten Kukuk
+
+- Use current kube-flannel.yaml from git to fix DNS problems
+
+-------------------------------------------------------------------
+Sun Jun 9 15:24:02 UTC 2019 - Jan Engelhardt
+
+- Add missing words in descriptions.
+
+-------------------------------------------------------------------
+Thu Jun 6 15:57:32 CEST 2019 - kukuk@suse.de
+
+- Fix path of flanneld in yaml file
+- Cleanup filelist
+
+-------------------------------------------------------------------
+Tue Apr 9 11:45:05 CEST 2019 - kukuk@suse.de
+
+- Require minimal set of used network utilities
+
+-------------------------------------------------------------------
+Mon Apr 8 13:56:16 CEST 2019 - kukuk@suse.de
+
+- Add flannel-k8s-yaml sub-package with the yaml file to deploy
+ flannel.
+
+-------------------------------------------------------------------
+Mon Apr 8 13:24:07 CEST 2019 - kukuk@suse.de
+
+- Update to flannel 0.11.0
+- Drop standalone support, it's only for containers
+- Drop use-32-prefix-udp-backend.patch, included upstream
+
+-------------------------------------------------------------------
+Wed Dec 19 16:55:33 UTC 2018 - clee@suse.com
+
+- Refactor go to go1.11 for BuildRequires
+
+-------------------------------------------------------------------
+Wed Dec 19 01:18:01 UTC 2018 - clee@suse.com
+
+- Updated to a supported version of Go (due to security reasons)
+ * bsc#1118897 CVE-2018-16873
+ go#29230 cmd/go: remote command execution during "go get -u"
+ * bsc#1118898 CVE-2018-16874
+ go#29231 cmd/go: directory traversal in "go get" via curly braces in import paths
+ * bsc#1118899 CVE-2018-16875
+ go#29233 crypto/x509: CPU denial of service
+
+-------------------------------------------------------------------
+Wed Dec 12 12:43:24 UTC 2018 - alvaro.saurin@suse.com
+
+- Updated to a supported version of Go (due to security reasons)
+
+-------------------------------------------------------------------
+Tue Jun 5 09:33:44 UTC 2018 - dcassany@suse.com
+
+- Make use of %license macro
+
+-------------------------------------------------------------------
+Tue May 29 11:11:34 UTC 2018 - rfernandezlopez@suse.com
+
+- Add use-32-prefix-udp-backend.patch: backend/udp: Use a /32 prefix for the flannel0 interface
+ This avoids the kernel's creation of broadcast routes, which prevent
+ communication from the host with the zeroth subnet to containers on any
+ other hosts.
+
+Fixes: bsc#1094364
+
+-------------------------------------------------------------------
+Thu Feb 1 16:58:22 CET 2018 - ro@suse.de
+
+- do not build on s390, only on s390x (no go on s390)
+
+-------------------------------------------------------------------
+Mon Nov 27 09:28:36 UTC 2017 - opensuse-packaging@opensuse.org
+
+- Update to version 0.9.1:
+ * kube: Update manifests to v0.9.1
+ * network/iptables: Add iptables rules to FORWARD chain
+ * kube-flannel.yml: Update to v0.9.0 and improve docs
+ * Update README.md
+ * Fix horrendous README typo
+ * Always ensure iptables masquerade rules are installed
+ * Makefile: Stop pulling the unused lib from kube-cross
+ * subnet/*: Remove unused reservations code
+ * use init container to install cni on flannel daemonset
+
+-------------------------------------------------------------------
+Thu Nov 23 13:48:19 UTC 2017 - rbrown@suse.com
+
+- Replace references to /var/adm/fillup-templates with new
+ %_fillupdir macro (boo#1069468)
+
+-------------------------------------------------------------------
+Tue Aug 29 08:27:54 UTC 2017 - mmeister@suse.com
+
+- build with go1.8
+ this fixes the golang.org/x/net/context conflict
+
+-------------------------------------------------------------------
+Thu Aug 24 07:56:44 UTC 2017 - vrothberg@suse.com
+
+- Update to version 0.8.0:
+ * flannel reads from created subnet.env file on startup
+ * Fix a bug with the iface-regex that always returned an error
+ * Fix a bug where previously leased subnets would not update etcd leases
+ * main.go: Fix logging options
+ * Allow kube subnet manager to run outside of kubernetes
+ * Added ability to specify multiple ifaces and iface regexes
+ * Docs: Add kubernetes and troubleshooting info
+ * Update manifest to v0.8.0
+
+-------------------------------------------------------------------
+Thu Aug 17 13:32:34 UTC 2017 - vrothberg@suse.com
+
+- Fix bsc#1054097
+ * We need to patch the Version variable to align with the package version
+ * Do this by using `gofmt` (linker flags can't be set without changing the build)
+
+-------------------------------------------------------------------
+Wed Apr 19 09:29:33 UTC 2017 - opensuse-packaging@opensuse.org
+
+- Update to version 0.7.1:
+ * Add Kubernetes RBAC support
+ * vendor: Revendor with more sensible pinnings
+ * vendor: Make code compatible again
+ * Simplify rbac creation process
+ * Tolerate flannel running on master nodes
+ * backend/vxlan: Don't recreate vxlan device on flanneld restart
+ * backend/hostgw: Fix memory leak
+ * Build tar.gz for ppc64le, arm and arm64 arch
+ * kube-flannel: Add namespace for compatibility with RBAC rules
+ * Explicitly state operator: Exists for master node toleration - as tolleration defaults to Equal by default which will result in the non scheduling of flannel on the master nodes
+ * switch kube subnet manager to PATCH
+ * Bump k8s manifest version to v0.7.1
+ * Correct the image in the k8s manifest files
+
+-------------------------------------------------------------------
+Fri Jan 20 15:53:14 UTC 2017 - opensuse-packaging@opensuse.org
+
+- Update to version 0.7.0:
+ * version: bump to v0.5.3+git
+ * subnet: add infrastructure and tests for network watches
+ * Refactoring: single ctx and pull out LeaseRenewer
+ * Bug fix: remote mode errors out with bad backend type
+ * Use a map for backend lookups
+ * Split backend Init operation into New/Init and AddNetwork
+ * Fix etcd implementation of getNetworks()
+ * vendor: update etcd/client
+ * aws-vpc: migrate to official AWS SDK
+ * aws-vpc: use SDK to get metadata
+ * Add network package to testing
+ * Add/remove networks when registry changes
+ * bug fix: no specified networks still led to multi-network path
+ * Fix running multiple networks
+ * Fix network watches when subnets change
+ * Better handling of Ctrl+C
+ * Add UnregisterNetwork backend method
+ * Notify systemd service when server is ready to listen
+ * Fix/improve docs
+ * Masquerade host to flannel traffic.
+ * Change copyright from CoreOS to flannel authors
+ * remote: close response body during watch()
+ * Refactor the backend interfaces for multi-networks
+ * Go 1.5 compat change
+ * test: add license header check + missing headers
+ * travis: add logo to README, switch to go 1.4/1.5
+ * build: use `git describe` output in version
+ * file rename as separate commit for better diffs
+ * Use jonboulle/clockwork
+ * Have registry deal with subnet and not etcd types
+ * Actually track backends in the active map
+ * Fix subnet watch key creation
+ * Periodically retry getting initial networks
+ * Version embedding for Go 1.4 and 1.5
+ * Ability to revoke lease
+ * Add reservations to admin control subnet allocs
+ * Revendor netlink library
+ * Add mock etcd and etcd-backed registry testcases
+ * tests: fix bug due to random numbers being used
+ * Fixes a number of races
+ * backend/udp: bind to the advertised interface
+ * Add cli args for etcd basic auth
+ * MAINTAINERS: remove eyakubovich; add tomdee, philips, steveej
+ * DOCS: Add note to AWS docs about why it might be used
+ * BUILDS: Use vendor directory instead of Godeps
+ * Updating code.google.com/p/... dependencies
+ * Add glide file
+ * Add glide.lock and update GCE dependencies
+ * Support quorum read option
+ * vendor: bump netlink to latest master
+ * network/ipmasq: RETURN instead of ACCEPT to allowe other rules
+ * vendor: coreos/pkg: -> v2
+ * vendor: bump netlink to latest
+ * vxlan: support group-based policy
+ * scripts/build: compat header
+ * hostgw: Check existence of and compare routes before attempting to add/update them
+ * backend/hostgw: don't filter by LinkIndex
+ * BUILDS: Replace some shell scripts with Makefile
+ * deps: Update go-iptables version
+ * mk-docker-opts.sh: replace with busybox shell compatible version
+ * BUILDS: Overhaul build process
+ * vxlan: error on sysctl fail
+ * Fix a typo in format error.
+ * Makefile: Disable static builds of flanneld
+ * Makefile: Make the ARCH part of the tag name not the image name
+ * Builds: Insert libpthread into busybox images
+ * The docker daemon syntax change addressed
+ * Makefile: gzip the dist tar.gz file
+ * Add functional (end-to-end) testing
+ * README: Update build instructions
+ * Makefile: Push "latest" to flannel-git on quay.io
+ * Run e2e tests on travis
+ * glide: cfg change
+ * glide: add k8s deps
+ * fixup after etcd client update
+ * add kube backed subnet manager
+ * Update aws-vpc-backend.md
+ * README: Kubernetes rename
+ * Documentation: Fix sample kube-flannel config
+ * backend: do not log in Register
+ * Makefile: Push tags to flannel-git for all builds
+ * Makefile: clean before flannel-git build
+ * Makefile: Also push :latest for flannel-git
+ * Fixed #521: flanneld hang on at initialEvtsBatch := <-evts because of empty batch list in WatchLeases of subnet/watch.go
+ * Make the flannel daemonset multiarch
+ * aws-vpc: Fix crash when route has vpc-endpoints
+ * aws-vpc: remove "blackholes"
+ * deps: update aws-sdk version to latest stable
+ * backend: fixes and cleanups in awsvpc backend
+ * vxlan: user verbose logging macros
+ * subnet/kube: Use informer callbacks for lease events
+ * subnet/kube: wait for cache sync before using subnet manager
+ * network manager: Improve logging
+ * subnet/kube: modify a copy of node object, rather than the cached object
+ * Fix a typo in backend/vxlan/network.go
+ * Documention: Add information on leases and reservations
+ * e2e: Allow the backend list to be overridden
+ * backend/vxlan: Improve the comments and logging
+ * backend/vxlan: Set the netmask of the IP used for the vxlan device
+ * Add a flag to configure the subnet lease renewal margin. (#559)
+ * Replacing the user id with group id.
+ * Removing the -it flag from the docker build commands.
+ * Update kube-flannel.yaml
+ * Add note to readme about -kube-subnet-mgr
+
+-------------------------------------------------------------------
+Fri Nov 18 08:53:01 UTC 2016 - opensuse-packaging@opensuse.org
+
+- Update to version 0.5.5:
+ * Remove code dup and use coreos/pkg/flagutil
+ * version: bump to v0.5.3
+ * aws-vpc: migrate to official AWS SDK
+ * aws-vpc: use SDK to get metadata
+ * Notify systemd service when server is ready to listen
+ * Masquerade host to flannel traffic.
+ * remote: close response body during watch()
+ * version: bump to v0.5.4
+ * Bug fix: running out of memory with vxlan+bonding
+ * version: bump to v0.5.5
+
+-------------------------------------------------------------------
+Wed Sep 14 10:10:05 UTC 2016 - opensuse-packaging@opensuse.org
+
+- Update to version 0.6.1:
+ * Support quorum read option
+ * deps: Update go-iptables version
+ * mk-docker-opts.sh: replace with busybox shell compatible version
+ * BUILDS: Overhaul build process
+ * vxlan: error on sysctl fail
+ * Fix a typo in format error.
+ * Makefile: Disable static builds of flanneld
+ * Makefile: Make the ARCH part of the tag name not the image name
+ * Builds: Insert libpthread into busybox images
+ * Support VXLAN GBP
+ * Add cli args for etcd basic auth
+ * Add reservations to admin control subnet allocs
+ * Ability to revoke lease
+ * small docs changes
+ * overhaul of the build system
+ * improvements to stability and UX tweaks
+ * refactoring mainly driven by reservation support
+
+-------------------------------------------------------------------
+Fri Jul 15 15:45:36 UTC 2016 - kstreitova@suse.com
+
+- clean specfile by spec-cleaner
+- change 'PreReq: %fillup_prereq' to 'Requires(post)'
+
+-------------------------------------------------------------------
+Thu Jul 7 11:37:03 UTC 2016 - tboerger@suse.com
+
+- Dropped rpmlintrc
+- Refactoring of the spec based on golang-packaging
+
+-------------------------------------------------------------------
+Wed Jul 6 14:12:51 UTC 2016 - msabate@suse.com
+
+- Added go_provides
+
+-------------------------------------------------------------------
+Wed Jul 6 13:24:52 UTC 2016 - msabate@suse.com
+
+- Removed kernel-devel build requirement
+
+I've also added golang-packaging as a build requirement and we will be using
+the %{go_nostrip} macro from that package. Moreover, I've done some minor
+improvements here and there.
+
+-------------------------------------------------------------------
+Tue Jul 5 09:27:54 UTC 2016 - cbrauner@suse.com
+
+- add %ghost instruction: Files that are put into /run should be generated on
+ the fly during runtime. To prevent them from getting installed we use
+ %ghost.
+
+-------------------------------------------------------------------
+Tue Jul 5 09:16:42 UTC 2016 - cbrauner@suse.com
+
+- add _constraints file to get more disk space on aarch64
+
+-------------------------------------------------------------------
+Tue Mar 22 14:35:36 UTC 2016 - fcastelli@suse.com
+
+- Fix issue inside of systemd unit file
+
+-------------------------------------------------------------------
+Mon Mar 21 21:50:17 UTC 2016 - fcastelli@suse.com
+
+- First release v0.5.5
+
diff --git a/flannel.spec b/flannel.spec
new file mode 100644
index 0000000..f615e20
--- /dev/null
+++ b/flannel.spec
@@ -0,0 +1,109 @@
+#
+# spec file for package flannel
+#
+# Copyright (c) 2017, 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir /var/adm/fillup-templates
+%endif
+
+# Use Tumbleweed Kubic containers
+%define flannel_container_path registry.opensuse.org/kubic/flannel
+
+Name: flannel
+Version: 0.14.0
+Release: 0
+Summary: An etcd backed network fabric for containers
+License: Apache-2.0
+Group: System/Management
+Url: https://github.com/flannel-io/flannel
+Source: https://github.com/flannel-io/flannel/archive/v%{version}.tar.gz
+Source1: kube-flannel.yaml
+Requires: iproute2
+# arp is used:
+Requires: net-tools-deprecated
+Requires: iptables
+BuildRequires: golang-packaging
+BuildRequires: golang(API) >= 1.16
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+ExcludeArch: s390
+%{go_nostrip}
+%{go_provides}
+
+%description
+flannel is a virtual network that gives a subnet to each host for use with
+container runtimes.
+
+Platforms like Google's Kubernetes assume that each container (pod) has a
+unique, routable IP address inside the cluster. The advantage of this model is that it
+reduces the complexity of doing port mapping.
+
+This package contains the binary to be included into a container image
+
+%package k8s-yaml
+Summary: Kubernetes yaml file to run flannel container
+Group: System/Management
+BuildArch: noarch
+
+%description k8s-yaml
+This package contains the yaml file requried to download and run the
+flannel container in a kubernetes cluster.
+
+flannel is a virtual network that gives a subnet to each host for use with
+container runtimes.
+
+Platforms like Google's Kubernetes assume that each container (pod) has a
+unique, routable IP address inside the cluster. The advantage of this model is that it
+reduces the complexity of doing port mapping.
+
+%prep
+%setup -q
+
+%build
+gofmt -w -r "x -> \"%{version}\"" version/version.go
+%{goprep} github.com/flannel-io/flannel
+# go1.16+ default is GO111MODULE=on set to auto temporarily
+# until using an upstream version with go.mod
+export GO111MODULE=auto
+%{gobuild}
+
+%install
+%{goinstall}
+rm -rf %{buildroot}/%{_libdir}/go/contrib
+
+# Install provided yaml file to download and run the flannel container
+mkdir -p %{buildroot}%{_datadir}/k8s-yaml/flannel
+#install -m 0644 Documentation/kube-flannel.yml %{buildroot}%{_datadir}/k8s-yaml/flannel/kube-flannel.yaml
+install -m 0644 %{SOURCE1} %{buildroot}%{_datadir}/k8s-yaml/flannel/kube-flannel.yaml
+sed -i -e 's|image: quay.io/coreos/flannel:.*|image: %{flannel_container_path}:%{version}|g' %{buildroot}%{_datadir}/k8s-yaml/flannel/kube-flannel.yaml
+sed -i -e 's|/opt/bin/flanneld|/usr/sbin/flanneld|g' %{buildroot}%{_datadir}/k8s-yaml/flannel/kube-flannel.yaml
+
+# Move
+mkdir -p %{buildroot}%{_sbindir}
+mv %{buildroot}%{_bindir}/flannel %{buildroot}%{_sbindir}/flanneld
+
+%files
+%defattr(-,root,root)
+%doc README.md DCO NOTICE
+%license LICENSE
+%{_sbindir}/flanneld
+
+%files k8s-yaml
+%dir %{_datarootdir}/k8s-yaml
+%dir %{_datarootdir}/k8s-yaml/flannel
+%{_datarootdir}/k8s-yaml/flannel/kube-flannel.yaml
+
+%changelog
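Review bot: The image rewrite in %install, `sed -i -e 's|image: quay.io/coreos/flannel:.*|image: %{flannel_container_path}:%{version}|g'`, yields the tag `registry.opensuse.org/kubic/flannel:0.14.0`, while the manifest it edits references `quay.io/coreos/flannel:v0.14.0` with a `v` prefix; if the Kubic registry publishes under the upstream-style prefixed tag, the shipped manifest points at a non-existent image and the DaemonSet fails to pull. The tag convention of the replacement registry is not visible here, so confirm it and, if it differs, change the replacement to `image: %{flannel_container_path}:v%{version}`. Either way a comment above the sed line, `# Kubic registry tags are unprefixed (0.14.0) while upstream uses v0.14.0; keep in sync with Version`, would record the intended convention. The version tag is also mutable at the registry; if a digest for the Kubic image is known at package time, substituting `%{flannel_container_path}@sha256:<digest>` (placeholder) would make the shipped manifest reproducible.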
diff --git a/kube-flannel.yaml b/kube-flannel.yaml
new file mode 100644
index 0000000..0feba26
--- /dev/null
+++ b/kube-flannel.yaml
@@ -0,0 +1,223 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: psp.flannel.unprivileged
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+ apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+spec:
+ privileged: false
+ volumes:
+ - configMap
+ - secret
+ - emptyDir
+ - hostPath
+ allowedHostPaths:
+ - pathPrefix: "/etc/cni/net.d"
+ - pathPrefix: "/etc/kube-flannel"
+ - pathPrefix: "/run/flannel"
+ readOnlyRootFilesystem: false
+ # Users and groups
+ runAsUser:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ # Privilege Escalation
+ allowPrivilegeEscalation: false
+ defaultAllowPrivilegeEscalation: false
+ # Capabilities
+ allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
+ defaultAddCapabilities: []
+ requiredDropCapabilities: []
+ # Host namespaces
+ hostPID: false
+ hostIPC: false
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ # SELinux
+ seLinux:
+ # SELinux is unused in CaaSP
+ rule: 'RunAsAny'
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: flannel
+rules:
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: ['psp.flannel.unprivileged']
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: flannel
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flannel
+subjects:
+- kind: ServiceAccount
+ name: flannel
+ namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: flannel
+ namespace: kube-system
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: kube-flannel-cfg
+ namespace: kube-system
+ labels:
+ tier: node
+ app: flannel
+data:
+ cni-conf.json: |
+ {
+ "name": "cbr0",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "flannel",
+ "delegate": {
+ "hairpinMode": true,
+ "isDefaultGateway": true
+ }
+ },
+ {
+ "type": "portmap",
+ "capabilities": {
+ "portMappings": true
+ }
+ }
+ ]
+ }
+ net-conf.json: |
+ {
+ "Network": "10.244.0.0/16",
+ "Backend": {
+ "Type": "vxlan"
+ }
+ }
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: kube-flannel-ds
+ namespace: kube-system
+ labels:
+ tier: node
+ app: flannel
+spec:
+ selector:
+ matchLabels:
+ app: flannel
+ template:
+ metadata:
+ labels:
+ tier: node
+ app: flannel
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ hostNetwork: true
+ priorityClassName: system-node-critical
+ tolerations:
+ - operator: Exists
+ effect: NoSchedule
+ serviceAccountName: flannel
+ initContainers:
+ - name: install-cni
+ image: quay.io/coreos/flannel:v0.14.0
+ command:
+ - cp
+ args:
+ - -f
+ - /etc/kube-flannel/cni-conf.json
+ - /etc/cni/net.d/10-flannel.conflist
+ volumeMounts:
+ - name: cni
+ mountPath: /etc/cni/net.d
+ - name: flannel-cfg
+ mountPath: /etc/kube-flannel/
+ containers:
+ - name: kube-flannel
+ image: quay.io/coreos/flannel:v0.14.0
+ command:
+ - /opt/bin/flanneld
+ args:
+ - --ip-masq
+ - --kube-subnet-mgr
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "50Mi"
+ limits:
+ cpu: "100m"
+ memory: "50Mi"
+ securityContext:
+ privileged: false
+ capabilities:
+ add: ["NET_ADMIN", "NET_RAW"]
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: run
+ mountPath: /run/flannel
+ - name: flannel-cfg
+ mountPath: /etc/kube-flannel/
+ volumes:
+ - name: run
+ hostPath:
+ path: /run/flannel
+ - name: cni
+ hostPath:
+ path: /etc/cni/net.d
+ - name: flannel-cfg
+ configMap:
+ name: kube-flannel-cfg
diff --git a/v0.14.0.tar.gz b/v0.14.0.tar.gz
new file mode 100644
index 0000000..75e03b5
--- /dev/null
+++ b/v0.14.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e17164db3b158d13ce5e40bb7b233790cb186762d929fa4f626baf586d4d63ca
+size 8324790
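Review bot: The first document is a `policy/v1beta1` PodSecurityPolicy, an API that was removed in Kubernetes 1.25, so on current clusters applying this manifest fails at the PSP object and the ClusterRole's `use` rule on `podsecuritypolicies` grants nothing; the DaemonSet's `hostNetwork: true`, `NET_ADMIN`/`NET_RAW` capabilities and `hostPath` mounts of `/run/flannel` and `/etc/cni/net.d` are then constrained only by whatever Pod Security Admission level the `kube-system` namespace carries. The file is a packaged copy of the upstream v0.14.0 manifest, so the remedy may belong in the spec's sed step or in a later upstream sync rather than in this commit, but the file should say so. A comment above the PSP, `# PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25; on newer clusters the equivalent control is Pod Security Admission, and this workload (hostNetwork, NET_ADMIN/NET_RAW, hostPath) needs the privileged level in kube-system`, would stop a reader from relying on a policy that is not enforced. Separately, the seccomp and AppArmor defaults are expressed only as PSP annotations and the pod template sets no `securityContext.seccompProfile`, so once the PSP is inert the container runs without a seccomp profile unless the cluster configures a default.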