kubespray/roles/network_plugin/kube-router/templates/kube-router.yml.j2

apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-router-cfg
  namespace: kube-system
  labels:
    tier: node
    k8s-app: kube-router
data:
  cni-conf.json: |
    {
      "name":"kubernetes",
      "type":"bridge",
      "bridge":"kube-bridge",
      "isDefaultGateway":true,
{% if kube_router_support_hairpin_mode %}
      "hairpinMode":true,
{% endif %}
      "ipam": {
        "type":"host-local"
      }
    }
  kubeconfig: |
    apiVersion: v1
    kind: Config
    clusterCIDR: {{ kube_pods_subnet }}
    clusters:
    - name: cluster
      cluster:
        certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        server: {{ kube_apiserver_endpoint }}
    users:
    - name: kube-router
      user:
        tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    contexts:
    - context:
        cluster: cluster
        user: kube-router
      name: kube-router-context
    current-context: kube-router-context

---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    k8s-app: kube-router
    tier: node
  name: kube-router
  namespace: kube-system
spec:
  minReadySeconds: 3
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: kube-router
        tier: node
    spec:
{% if kube_version is version('v1.11.1', '>=') %}
      priorityClassName: system-cluster-critical
{% endif %}
      serviceAccountName: kube-router
      containers:
      - name: kube-router
        image: {{ kube_router_image_repo }}:{{ kube_router_image_tag }}
        imagePullPolicy: IfNotPresent
        args:
        - --run-router={{ kube_router_run_router | bool }}
        - --run-firewall={{ kube_router_run_firewall | bool }}
        - --run-service-proxy={{ kube_router_run_service_proxy | bool }}
        - --kubeconfig=/var/lib/kube-router/kubeconfig
{% if kube_router_advertise_cluster_ip %}
        - --advertise-cluster-ip
{% endif %}
{% if kube_router_advertise_external_ip %}
        - --advertise-external-ip
{% endif %}
{% if kube_router_advertise_loadbalancer_ip %}
        - --advertise-loadbalancer-ip
{% endif %}
{% if kube_router_peer_router_asns %}
        - --peer-router-asns={{ kube_router_peer_router_asns }}
{% endif %}
{% if kube_router_peer_router_ips %}
        - --peer-router-ips={{ kube_router_peer_router_ips }}
{% endif %}
{% if kube_router_peer_router_ports %}
        - --peer-router-ports={{ kube_router_peer_router_ports }}
{% endif %}
{% for arg in kube_router_extra_args %}
        - "{{ arg }}"
{% endfor %}
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        livenessProbe:
          httpGet:
            path: /healthz
            port: 20244
          initialDelaySeconds: 10
          periodSeconds: 3
        resources:
          requests:
            cpu: 250m
            memory: 250Mi
        securityContext:
          privileged: true
        volumeMounts:
{% if kube_router_enable_dsr %}
        - name: docker-socket
          mountPath: /var/run/docker.sock
          readOnly: true
{% endif %}
        - name: lib-modules
          mountPath: /lib/modules
          readOnly: true
        - name: cni-conf-dir
          mountPath: /etc/cni/net.d
        - name: kubeconfig
          mountPath: /var/lib/kube-router
          readOnly: true
      initContainers:
      - name: install-cni
        image: {{ busybox_image_repo }}:{{ busybox_image_tag }}
        imagePullPolicy: IfNotPresent
        command:
        - /bin/sh
        - -c
        - set -e -x;
          if [ ! -f /etc/cni/net.d/10-kuberouter.conf ]; then
            TMP=/etc/cni/net.d/.tmp-kuberouter-cfg;
            cp /etc/kube-router/cni-conf.json ${TMP};
            mv ${TMP} /etc/cni/net.d/10-kuberouter.conf;
          fi;
          if [ ! -f /var/lib/kube-router/kubeconfig ]; then
            TMP=/var/lib/kube-router/.tmp-kubeconfig;
            cp /etc/kube-router/kubeconfig ${TMP};
            mv ${TMP} /var/lib/kube-router/kubeconfig;
          fi
        volumeMounts:
        - mountPath: /etc/cni/net.d
          name: cni-conf-dir
        - mountPath: /etc/kube-router
          name: kube-router-cfg
        - name: kubeconfig
          mountPath: /var/lib/kube-router
      hostNetwork: true
{% if kube_router_enable_dsr %}
      hostIPC: true
      hostPID: true
{% endif %}
      tolerations:
      - operator: Exists
      # Mark pod as critical for rescheduling (Will have no effect starting with kubernetes 1.12)
      - key: CriticalAddonsOnly
        operator: "Exists"
      volumes:
{% if kube_router_enable_dsr %}
      - name: docker-socket
        hostPath:
          path: /var/run/docker.sock
          type: Socket
{% endif %}
      - name: lib-modules
        hostPath:
          path: /lib/modules
      - name: cni-conf-dir
        hostPath:
          path: /etc/cni/net.d
      - name: kube-router-cfg
        configMap:
          name: kube-router-cfg
      - name: kubeconfig
        hostPath:
          path: /var/lib/kube-router

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-router
  namespace: kube-system

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-router
  namespace: kube-system
rules:
  - apiGroups:
    - ""
    resources:
      - namespaces
      - pods
      - services
      - nodes
      - endpoints
    verbs:
      - list
      - get
      - watch
  - apiGroups:
    - "networking.k8s.io"
    resources:
      - networkpolicies
    verbs:
      - list
      - get
      - watch
  - apiGroups:
    - extensions
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-router
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-router
subjects:
- kind: ServiceAccount
  name: kube-router
  namespace: kube-system