Sync from SUSE:SLFO:Main flannel revision 2bd423cc9f2f6ec4df6b5471a7bbd27f

Adrian Schröter 2024-05-03 12:32:34 +02:00
commit 4bb6906ca4
5 changed files with 802 additions and 0 deletions

23
.gitattributes vendored Normal file

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

444
flannel.changes Normal file

@ -0,0 +1,444 @@
-------------------------------------------------------------------
Fri Jul 23 08:54:45 UTC 2021 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
- Update to 0.14.0:
* Add tencent cloud VPC network support
* moving go modules to flannel-io/flannel and updating to go 1.16
* fix(windows): nil pointer panic
* Preserve environment for extension backend
* Fix flannel hang if lease expired
* Documentation for the Flannel upgrade/downgrade procedure
* Move from glog to klog
* fix(host-gw): failed to restart if gateway hnsep existed
* ipsec: use well known paths of charon daemon
* upgrade client-go to 1.19.4
* move from juju/errors to pkg/errors
* subnets: move forward the cursor to skip illegal subnet
* Fix Expired URL to Deploying Flannel with kubeadm
* Modify kube-flannel.yaml to use rbac.authorization.k8s.io/v1
* preserve AccessKey & AccessKeySecret environment on sudo fix some typo in doc.
* iptables: handle errors that prevent rule deletes
- Sync kube-flannel.yaml manifest
- Change project URL to github.com/flannel-io/flannel
-------------------------------------------------------------------
Wed Apr 28 13:20:33 UTC 2021 - Ralf Haferkamp <ralf@h4kamp.de>
- Sync manifest with upstream (0.13.0 release). Includes the
following changes:
* Fix typo and invalid indent in kube-flannel.yml
* Use stable os and arch label for node
* set priorityClassName to system-node-critical
* Add NET_RAW capability to support cri-o
* Use multi-arch Docker images in the Kubernetes manifest
-------------------------------------------------------------------
Wed Mar 17 01:25:43 UTC 2021 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Set GO111MODULE=auto to build with go1.16+
* Default changed to GO111MODULE=on in go1.16
* Set temporarily until using upstream version with go.mod
-------------------------------------------------------------------
Fri Feb 26 09:43:39 UTC 2021 - Alexandre Vicenzi <alexandre.vicenzi@suse.com>
- update to 0.13.0:
* Use multi-arch Docker images in the Kubernetes manifest
* Accept existing XMRF policies and update them intead of raising errors
* Add --no-sanity-check to iptables-wrapper-installer.sh for architectures other than amd64
* Use "docker manifest" to publish multi-arch Docker images
* Add NET_RAW capability to support cri-o
* remove glide
* switch to go modules
* Add and implement iptables-wrapper-installer.sh from https://github.com/kubernetes-sigs/iptables-wrappers
* documentation: set priorityClassName to system-node-critical
* Added a hint for firewall rules
* Disabling ipv6 accept_ra explicitely on the created interface
* use alpine 3.12 everywhere
* windows: replace old netsh (rakelkar/gonetsh) with powershell commands
* fix CVE-2019-14697
* Bugfix: VtepMac would be empty when lease re-acquire for windows
* Use stable os and arch label for node
* doc(awsvpc): correct the required permissions
-------------------------------------------------------------------
Sun Aug 16 17:14:50 UTC 2020 - Dirk Mueller <dmueller@suse.com>
- update to 0.12.0:
* fix deleteLease
* Use publicIP lookup iface if --public-ip indicated
* kubernetes 1.16 cni error
* Add cniVersion to general CNI plugin configuration.
* Needs to clear NodeNetworkUnavailable flag on Kubernetes
* Replaces gorillalabs go-powershell with bhendo/go-powershell
* Make VXLAN device learning attribute configurable
* change nodeSelector to nodeAffinity and schedule the pod to linux node
* This PR adds the cni version to the cni-conf.yaml inside the kube-flannel-cfg configmap
* EnableNonPersistent flag for Windows Overlay networks
* snap package.
* Update lease with DR Mac
* main.go: add the "net-config-path" flag
* Deploy Flannel with unprivileged PSP
* Enable local host to local pod connectivity in Windows VXLAN
* Update hcsshim for HostRoute policy in Windows VXLAN
-------------------------------------------------------------------
Tue Oct 29 13:30:38 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
- Use Tumbleweed Kubic flannel containers instead of devel:kubic
containers. This fixes aarch64 and ppc64* (boo#1152185)
-------------------------------------------------------------------
Fri Oct 11 07:46:20 UTC 2019 - Fabian Vogt <fvogt@suse.com>
- It's apps/v1, not apps/v1beta1
- Fix some more typos
-------------------------------------------------------------------
Thu Oct 10 15:03:40 UTC 2019 - Richard Brown <rbrown@suse.com>
- Fix typo in updated flannel manifest
-------------------------------------------------------------------
Thu Oct 10 13:45:11 UTC 2019 - Richard Brown <rbrown@suse.com>
- Update flannel manifest to match upstream and support k8s 1.16 API
-------------------------------------------------------------------
Fri Jul 19 10:56:20 CEST 2019 - kukuk@suse.de
- Set cni version in flannel manifest
-------------------------------------------------------------------
Thu Jul 18 09:06:33 UTC 2019 - Thorsten Kukuk <kukuk@suse.com>
- Use current kube-flannel.yaml from git to fix DNS problems
-------------------------------------------------------------------
Sun Jun 9 15:24:02 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Add missing words in descriptions.
-------------------------------------------------------------------
Thu Jun 6 15:57:32 CEST 2019 - kukuk@suse.de
- Fix path of flanneld in yaml file
- Cleanup filelist
-------------------------------------------------------------------
Tue Apr 9 11:45:05 CEST 2019 - kukuk@suse.de
- Require minimal set of used network utilities
-------------------------------------------------------------------
Mon Apr 8 13:56:16 CEST 2019 - kukuk@suse.de
- Add flannel-k8s-yaml sub-package with the yaml file to deploy
flannel.
-------------------------------------------------------------------
Mon Apr 8 13:24:07 CEST 2019 - kukuk@suse.de
- Update to flannel 0.11.0
- Drop standalone support, it's only for containers
- Drop use-32-prefix-udp-backend.patch, included upstream
-------------------------------------------------------------------
Wed Dec 19 16:55:33 UTC 2018 - clee@suse.com
- Refactor go to go1.11 for BuildRequires
-------------------------------------------------------------------
Wed Dec 19 01:18:01 UTC 2018 - clee@suse.com
- Updated to a supported version of Go (due to security reasons)
* bsc#1118897 CVE-2018-16873
go#29230 cmd/go: remote command execution during "go get -u"
* bsc#1118898 CVE-2018-16874
go#29231 cmd/go: directory traversal in "go get" via curly braces in import paths
* bsc#1118899 CVE-2018-16875
go#29233 crypto/x509: CPU denial of service
-------------------------------------------------------------------
Wed Dec 12 12:43:24 UTC 2018 - alvaro.saurin@suse.com
- Updated to a supported version of Go (due to security reasons)
-------------------------------------------------------------------
Tue Jun 5 09:33:44 UTC 2018 - dcassany@suse.com
- Make use of %license macro
-------------------------------------------------------------------
Tue May 29 11:11:34 UTC 2018 - rfernandezlopez@suse.com
- Add use-32-prefix-udp-backend.patch: backend/udp: Use a /32 prefix for the flannel0 interface
This avoids the kernel's creation of broadcast routes, which prevent
communication from the host with the zeroth subnet to containers on any
other hosts.
Fixes: bsc#1094364
-------------------------------------------------------------------
Thu Feb 1 16:58:22 CET 2018 - ro@suse.de
- do not build on s390, only on s390x (no go on s390)
-------------------------------------------------------------------
Mon Nov 27 09:28:36 UTC 2017 - opensuse-packaging@opensuse.org
- Update to version 0.9.1:
* kube: Update manifests to v0.9.1
* network/iptables: Add iptables rules to FORWARD chain
* kube-flannel.yml: Update to v0.9.0 and improve docs
* Update README.md
* Fix horrendous README typo
* Always ensure iptables masquerade rules are installed
* Makefile: Stop pulling the unused lib from kube-cross
* subnet/*: Remove unused reservations code
* use init container to install cni on flannel daemonset
-------------------------------------------------------------------
Thu Nov 23 13:48:19 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Tue Aug 29 08:27:54 UTC 2017 - mmeister@suse.com
- build with go1.8
this fixes the golang.org/x/net/context conflict
-------------------------------------------------------------------
Thu Aug 24 07:56:44 UTC 2017 - vrothberg@suse.com
- Update to version 0.8.0:
* flannel reads from created subnet.env file on startup
* Fix a bug with the iface-regex that always returned an error
* Fix a bug where previously leased subnets would not update etcd leases
* main.go: Fix logging options
* Allow kube subnet manager to run outside of kubernetes
* Added ability to specify multiple ifaces and iface regexes
* Docs: Add kubernetes and troubleshooting info
* Update manifest to v0.8.0
-------------------------------------------------------------------
Thu Aug 17 13:32:34 UTC 2017 - vrothberg@suse.com
- Fix bsc#1054097
* We need to patch the Version variable to align with the package version
* Do this by using `gofmt` (linker flags can't be set without changing the build)
-------------------------------------------------------------------
Wed Apr 19 09:29:33 UTC 2017 - opensuse-packaging@opensuse.org
- Update to version 0.7.1:
* Add Kubernetes RBAC support
* vendor: Revendor with more sensible pinnings
* vendor: Make code compatible again
* Simplify rbac creation process
* Tolerate flannel running on master nodes
* backend/vxlan: Don't recreate vxlan device on flanneld restart
* backend/hostgw: Fix memory leak
* Build tar.gz for ppc64le, arm and arm64 arch
* kube-flannel: Add namespace for compatibility with RBAC rules
* Explicitly state operator: Exists for master node toleration - as tolleration defaults to Equal by default which will result in the non scheduling of flannel on the master nodes
* switch kube subnet manager to PATCH
* Bump k8s manifest version to v0.7.1
* Correct the image in the k8s manifest files
-------------------------------------------------------------------
Fri Jan 20 15:53:14 UTC 2017 - opensuse-packaging@opensuse.org
- Update to version 0.7.0:
* version: bump to v0.5.3+git
* subnet: add infrastructure and tests for network watches
* Refactoring: single ctx and pull out LeaseRenewer
* Bug fix: remote mode errors out with bad backend type
* Use a map for backend lookups
* Split backend Init operation into New/Init and AddNetwork
* Fix etcd implementation of getNetworks()
* vendor: update etcd/client
* aws-vpc: migrate to official AWS SDK
* aws-vpc: use SDK to get metadata
* Add network package to testing
* Add/remove networks when registry changes
* bug fix: no specified networks still led to multi-network path
* Fix running multiple networks
* Fix network watches when subnets change
* Better handling of Ctrl+C
* Add UnregisterNetwork backend method
* Notify systemd service when server is ready to listen
* Fix/improve docs
* Masquerade host to flannel traffic.
* Change copyright from CoreOS to flannel authors
* remote: close response body during watch()
* Refactor the backend interfaces for multi-networks
* Go 1.5 compat change
* test: add license header check + missing headers
* travis: add logo to README, switch to go 1.4/1.5
* build: use `git describe` output in version
* file rename as separate commit for better diffs
* Use jonboulle/clockwork
* Have registry deal with subnet and not etcd types
* Actually track backends in the active map
* Fix subnet watch key creation
* Periodically retry getting initial networks
* Version embedding for Go 1.4 and 1.5
* Ability to revoke lease
* Add reservations to admin control subnet allocs
* Revendor netlink library
* Add mock etcd and etcd-backed registry testcases
* tests: fix bug due to random numbers being used
* Fixes a number of races
* backend/udp: bind to the advertised interface
* Add cli args for etcd basic auth
* MAINTAINERS: remove eyakubovich; add tomdee, philips, steveej
* DOCS: Add note to AWS docs about why it might be used
* BUILDS: Use vendor directory instead of Godeps
* Updating code.google.com/p/... dependencies
* Add glide file
* Add glide.lock and update GCE dependencies
* Support quorum read option
* vendor: bump netlink to latest master
* network/ipmasq: RETURN instead of ACCEPT to allowe other rules
* vendor: coreos/pkg: -> v2
* vendor: bump netlink to latest
* vxlan: support group-based policy
* scripts/build: compat header
* hostgw: Check existence of and compare routes before attempting to add/update them
* backend/hostgw: don't filter by LinkIndex
* BUILDS: Replace some shell scripts with Makefile
* deps: Update go-iptables version
* mk-docker-opts.sh: replace with busybox shell compatible version
* BUILDS: Overhaul build process
* vxlan: error on sysctl fail
* Fix a typo in format error.
* Makefile: Disable static builds of flanneld
* Makefile: Make the ARCH part of the tag name not the image name
* Builds: Insert libpthread into busybox images
* The docker daemon syntax change addressed
* Makefile: gzip the dist tar.gz file
* Add functional (end-to-end) testing
* README: Update build instructions
* Makefile: Push "latest" to flannel-git on quay.io
* Run e2e tests on travis
* glide: cfg change
* glide: add k8s deps
* fixup after etcd client update
* add kube backed subnet manager
* Update aws-vpc-backend.md
* README: Kubernetes rename
* Documentation: Fix sample kube-flannel config
* backend: do not log in Register
* Makefile: Push tags to flannel-git for all builds
* Makefile: clean before flannel-git build
* Makefile: Also push :latest for flannel-git
* Fixed #521: flanneld hang on at initialEvtsBatch := <-evts because of empty batch list in WatchLeases of subnet/watch.go
* Make the flannel daemonset multiarch
* aws-vpc: Fix crash when route has vpc-endpoints
* aws-vpc: remove "blackholes"
* deps: update aws-sdk version to latest stable
* backend: fixes and cleanups in awsvpc backend
* vxlan: user verbose logging macros
* subnet/kube: Use informer callbacks for lease events
* subnet/kube: wait for cache sync before using subnet manager
* network manager: Improve logging
* subnet/kube: modify a copy of node object, rather than the cached object
* Fix a typo in backend/vxlan/network.go
* Documention: Add information on leases and reservations
* e2e: Allow the backend list to be overridden
* backend/vxlan: Improve the comments and logging
* backend/vxlan: Set the netmask of the IP used for the vxlan device
* Add a flag to configure the subnet lease renewal margin. (#559)
* Replacing the user id with group id.
* Removing the -it flag from the docker build commands.
* Update kube-flannel.yaml
* Add note to readme about -kube-subnet-mgr
-------------------------------------------------------------------
Fri Nov 18 08:53:01 UTC 2016 - opensuse-packaging@opensuse.org
- Update to version 0.5.5:
* Remove code dup and use coreos/pkg/flagutil
* version: bump to v0.5.3
* aws-vpc: migrate to official AWS SDK
* aws-vpc: use SDK to get metadata
* Notify systemd service when server is ready to listen
* Masquerade host to flannel traffic.
* remote: close response body during watch()
* version: bump to v0.5.4
* Bug fix: running out of memory with vxlan+bonding
* version: bump to v0.5.5
-------------------------------------------------------------------
Wed Sep 14 10:10:05 UTC 2016 - opensuse-packaging@opensuse.org
- Update to version 0.6.1:
* Support quorum read option
* deps: Update go-iptables version
* mk-docker-opts.sh: replace with busybox shell compatible version
* BUILDS: Overhaul build process
* vxlan: error on sysctl fail
* Fix a typo in format error.
* Makefile: Disable static builds of flanneld
* Makefile: Make the ARCH part of the tag name not the image name
* Builds: Insert libpthread into busybox images
* Support VXLAN GBP
* Add cli args for etcd basic auth
* Add reservations to admin control subnet allocs
* Ability to revoke lease
* small docs changes
* overhaul of the build system
* improvements to stability and UX tweaks
* refactoring mainly driven by reservation support
-------------------------------------------------------------------
Fri Jul 15 15:45:36 UTC 2016 - kstreitova@suse.com
- clean specfile by spec-cleaner
- change 'PreReq: %fillup_prereq' to 'Requires(post)'
-------------------------------------------------------------------
Thu Jul 7 11:37:03 UTC 2016 - tboerger@suse.com
- Dropped rpmlintrc
- Refactoring of the spec based on golang-packaging
-------------------------------------------------------------------
Wed Jul 6 14:12:51 UTC 2016 - msabate@suse.com
- Added go_provides
-------------------------------------------------------------------
Wed Jul 6 13:24:52 UTC 2016 - msabate@suse.com
- Removed kernel-devel build requirement
I've also added golang-packaging as a build requirement and we will be using
the %{go_nostrip} macro from that package. Moreover, I've done some minor
improvements here and there.
-------------------------------------------------------------------
Tue Jul 5 09:27:54 UTC 2016 - cbrauner@suse.com
- add %ghost instruction: Files that are put into /run should be generated on
the fly during runtime. To prevent them from getting installed we use
%ghost.
-------------------------------------------------------------------
Tue Jul 5 09:16:42 UTC 2016 - cbrauner@suse.com
- add _constraints file to get more disk space on aarch64
-------------------------------------------------------------------
Tue Mar 22 14:35:36 UTC 2016 - fcastelli@suse.com
- Fix issue inside of systemd unit file
-------------------------------------------------------------------
Mon Mar 21 21:50:17 UTC 2016 - fcastelli@suse.com
- First release v0.5.5
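Review bot: The 0.13.0 entry lists `* fix CVE-2019-14697` with no bug reference, while the Dec 19 2018 entry pairs every CVE with its tracker id (`* bsc#1118897 CVE-2018-16873`). Add the matching bsc# and name the affected component, so the fix can be traced from the changelog. Separately, the Nov 18 2016 entry (update to 0.5.5) sits above the Sep 14 2016 entry (update to 0.6.1), so the version history runs backwards at that point; a short explanatory line in the later entry would help anyone auditing which release was actually shipped.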

109
flannel.spec Normal file

@ -0,0 +1,109 @@
#
# spec file for package flannel
#
# Copyright (c) 2017, 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates
%endif
# Use Tumbleweed Kubic containers
%define flannel_container_path registry.opensuse.org/kubic/flannel
Name: flannel
Version: 0.14.0
Release: 0
Summary: An etcd backed network fabric for containers
License: Apache-2.0
Group: System/Management
Url: https://github.com/flannel-io/flannel
Source: https://github.com/flannel-io/flannel/archive/v%{version}.tar.gz
Source1: kube-flannel.yaml
Requires: iproute2
# arp is used:
Requires: net-tools-deprecated
Requires: iptables
BuildRequires: golang-packaging
BuildRequires: golang(API) >= 1.16
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExcludeArch: s390
%{go_nostrip}
%{go_provides}
%description
flannel is a virtual network that gives a subnet to each host for use with
container runtimes.
Platforms like Google's Kubernetes assume that each container (pod) has a
unique, routable IP address inside the cluster. The advantage of this model is that it
reduces the complexity of doing port mapping.
This package contains the binary to be included into a container image
%package k8s-yaml
Summary: Kubernetes yaml file to run flannel container
Group: System/Management
BuildArch: noarch
%description k8s-yaml
This package contains the yaml file requried to download and run the
flannel container in a kubernetes cluster.
flannel is a virtual network that gives a subnet to each host for use with
container runtimes.
Platforms like Google's Kubernetes assume that each container (pod) has a
unique, routable IP address inside the cluster. The advantage of this model is that it
reduces the complexity of doing port mapping.
%prep
%setup -q
%build
gofmt -w -r "x -> \"%{version}\"" version/version.go
%{goprep} github.com/flannel-io/flannel
# go1.16+ default is GO111MODULE=on set to auto temporarily
# until using an upstream version with go.mod
export GO111MODULE=auto
%{gobuild}
%install
%{goinstall}
rm -rf %{buildroot}/%{_libdir}/go/contrib
# Install provided yaml file to download and run the flannel container
mkdir -p %{buildroot}%{_datadir}/k8s-yaml/flannel
#install -m 0644 Documentation/kube-flannel.yml %{buildroot}%{_datadir}/k8s-yaml/flannel/kube-flannel.yaml
install -m 0644 %{SOURCE1} %{buildroot}%{_datadir}/k8s-yaml/flannel/kube-flannel.yaml
sed -i -e 's|image: quay.io/coreos/flannel:.*|image: %{flannel_container_path}:%{version}|g' %{buildroot}%{_datadir}/k8s-yaml/flannel/kube-flannel.yaml
sed -i -e 's|/opt/bin/flanneld|/usr/sbin/flanneld|g' %{buildroot}%{_datadir}/k8s-yaml/flannel/kube-flannel.yaml
# Move
mkdir -p %{buildroot}%{_sbindir}
mv %{buildroot}%{_bindir}/flannel %{buildroot}%{_sbindir}/flanneld
%files
%defattr(-,root,root)
%doc README.md DCO NOTICE
%license LICENSE
%{_sbindir}/flanneld
%files k8s-yaml
%dir %{_datarootdir}/k8s-yaml
%dir %{_datarootdir}/k8s-yaml/flannel
%{_datarootdir}/k8s-yaml/flannel/kube-flannel.yaml
%changelog
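Review bot: In %install, the rewrite `sed -i -e 's|image: quay.io/coreos/flannel:.*|image: %{flannel_container_path}:%{version}|g'` exits successfully even when nothing matches, so a re-synced kube-flannel.yaml with a different upstream image path would be packaged still pointing at the upstream registry instead of %{flannel_container_path}. Follow the two sed calls with a check that fails the build, for example a `grep -q` for `image: %{flannel_container_path}:%{version}` and a negated grep for `quay.io` in the installed file. Also, the comment on `export GO111MODULE=auto` calls it temporary "until using an upstream version with go.mod", while the 0.13.0 changelog entry already lists "switch to go modules"; confirm the override is still needed for 0.14.0 or drop it.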

223
kube-flannel.yaml Normal file

@ -0,0 +1,223 @@
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: psp.flannel.unprivileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
privileged: false
volumes:
- configMap
- secret
- emptyDir
- hostPath
allowedHostPaths:
- pathPrefix: "/etc/cni/net.d"
- pathPrefix: "/etc/kube-flannel"
- pathPrefix: "/run/flannel"
readOnlyRootFilesystem: false
# Users and groups
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
fsGroup:
rule: RunAsAny
# Privilege Escalation
allowPrivilegeEscalation: false
defaultAllowPrivilegeEscalation: false
# Capabilities
allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
defaultAddCapabilities: []
requiredDropCapabilities: []
# Host namespaces
hostPID: false
hostIPC: false
hostNetwork: true
hostPorts:
- min: 0
max: 65535
# SELinux
seLinux:
# SELinux is unused in CaaSP
rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: flannel
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: flannel
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel
subjects:
- kind: ServiceAccount
name: flannel
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: flannel
namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
name: kube-flannel-cfg
namespace: kube-system
labels:
tier: node
app: flannel
data:
cni-conf.json: |
{
"name": "cbr0",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
net-conf.json: |
{
"Network": "10.244.0.0/16",
"Backend": {
"Type": "vxlan"
}
}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds
namespace: kube-system
labels:
tier: node
app: flannel
spec:
selector:
matchLabels:
app: flannel
template:
metadata:
labels:
tier: node
app: flannel
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
hostNetwork: true
priorityClassName: system-node-critical
tolerations:
- operator: Exists
effect: NoSchedule
serviceAccountName: flannel
initContainers:
- name: install-cni
image: quay.io/coreos/flannel:v0.14.0
command:
- cp
args:
- -f
- /etc/kube-flannel/cni-conf.json
- /etc/cni/net.d/10-flannel.conflist
volumeMounts:
- name: cni
mountPath: /etc/cni/net.d
- name: flannel-cfg
mountPath: /etc/kube-flannel/
containers:
- name: kube-flannel
image: quay.io/coreos/flannel:v0.14.0
command:
- /opt/bin/flanneld
args:
- --ip-masq
- --kube-subnet-mgr
resources:
requests:
cpu: "100m"
memory: "50Mi"
limits:
cpu: "100m"
memory: "50Mi"
securityContext:
privileged: false
capabilities:
add: ["NET_ADMIN", "NET_RAW"]
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: run
mountPath: /run/flannel
- name: flannel-cfg
mountPath: /etc/kube-flannel/
volumes:
- name: run
hostPath:
path: /run/flannel
- name: cni
hostPath:
path: /etc/cni/net.d
- name: flannel-cfg
configMap:
name: kube-flannel-cfg
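Review bot: In the ClusterRole, the rule that grants `use` on `psp.flannel.unprivileged` names `apiGroups: ['extensions']`, but the policy object at the top of the file is declared as `apiVersion: policy/v1beta1`; change the rule to `apiGroups: ['policy']` so the grant names the same API group as the object it refers to. In the PodSecurityPolicy itself, `requiredDropCapabilities: []`, `runAsUser: RunAsAny` and `hostPorts` 0 to 65535 leave the policy broader than the "unprivileged" name suggests. Since the DaemonSet only adds `NET_ADMIN` and `NET_RAW`, consider requiring the remaining capabilities to be dropped and narrowing the port range, if flanneld's operation allows it.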

BIN
v0.14.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.