richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5763 Commits
33 Branches
82 Tags
153 MiB
Tree: ae3a1d7c01
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ae3a1d7c01'
${ noResults }
kubespray/roles/network_plugin/cilium/templates/cilium-cr.yml.j2

188 lines
3.8 KiB
Raw Normal View History

Added cilium support (#2236) * Added cilium support * Fix typo in debian test config * Remove empty lines * Changed cilium version from <latest> to <v1.0.0-rc3> * Add missing changes for cilium * Add cilium to CI pipeline * Fix wrong file name * Check kernel version for cilium * fixed ci error * fixed cilium-ds.j2 template * added waiting for cilium pods to run * Fixed missing EOF * Fixed trailing spaces * Fixed trailing spaces * Fixed trailing spaces * Fixed too many blank lines * Updated tolerations,annotations in cilium DS template * Set cilium_version to iptables-1.9 to see if bug is fixed in CI * Update cilium image tag to v1.0.0-rc4 * Update Cilium test case CI vars filenames * Add optional prometheus flag, adjust initial readiness delay * Update README.md with cilium info
7 years ago
cilium v1.1.2 Update all configs to current upstream state. Add more resources (unable to pass tests now)...
6 years ago
Added cilium support (#2236) * Added cilium support * Fix typo in debian test config * Remove empty lines * Changed cilium version from <latest> to <v1.0.0-rc3> * Add missing changes for cilium * Add cilium to CI pipeline * Fix wrong file name * Check kernel version for cilium * fixed ci error * fixed cilium-ds.j2 template * added waiting for cilium pods to run * Fixed missing EOF * Fixed trailing spaces * Fixed trailing spaces * Fixed trailing spaces * Fixed too many blank lines * Updated tolerations,annotations in cilium DS template * Set cilium_version to iptables-1.9 to see if bug is fixed in CI * Update cilium image tag to v1.0.0-rc4 * Update Cilium test case CI vars filenames * Add optional prometheus flag, adjust initial readiness delay * Update README.md with cilium info
7 years ago
Upgrade Cilium network plugin to v1.5.5. (#5014) * Needs an additional cilium-operator deployment. * Added option to enable hostPort mappings.
5 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
Upgrade Cilium network plugin to v1.5.5. (#5014) * Needs an additional cilium-operator deployment. * Added option to enable hostPort mappings.
5 years ago
Update cilium to 1.8.0 (#6314)
4 years ago
Upgrade Cilium network plugin to v1.5.5. (#5014) * Needs an additional cilium-operator deployment. * Added option to enable hostPort mappings.
5 years ago
Update cilium to 1.8.0 (#6314)
4 years ago
Upgrade Cilium network plugin to v1.5.5. (#5014) * Needs an additional cilium-operator deployment. * Added option to enable hostPort mappings.
5 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
Support Cilium from version 1.5 (#6006)
4 years ago
Upgrade Cilium network plugin to v1.5.5. (#5014) * Needs an additional cilium-operator deployment. * Added option to enable hostPort mappings.
5 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
Upgrade Cilium network plugin to v1.5.5. (#5014) * Needs an additional cilium-operator deployment. * Added option to enable hostPort mappings.
5 years ago
Support Cilium from version 1.5 (#6006)
4 years ago
Cilium updates (#5438) * Add resources needed to deploy 1.6.4 * Use cilium v1.6.4 * Change deprecated option name * Add update crd to clusterrole cilium * Cilium 1.6.4 -> 1.6.5 * Make monitor-aggregation config configurable as a variable * Change monitor-aggregation default none->medium * Cilium 1.6.5 -> 1.6.6 * Update to 1.7.0 * v1.7.0->v1.7.1
5 years ago
Support Cilium from version 1.5 (#6006)
4 years ago
Upgrade Cilium network plugin to v1.5.5. (#5014) * Needs an additional cilium-operator deployment. * Added option to enable hostPort mappings.
5 years ago
Update cilium to 1.8.0 (#6314)
4 years ago
Update cilium-operator clusterrole (#7416) When upgrading cilium from 1.8.8 to 1.9.5 I ran into the following error: level=error msg="Unable to update CRD" error="customresourcedefinitions.apiextensions.k8s.io \"ciliumnodes.cilium.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\" cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" name=CiliumNode/v2 subsys=k8s The fix was to add the update verb to the clusterrole. I also added create to match the clusterrole created by the cilium helm chart.
3 years ago
Update cilium to 1.8.0 (#6314)
4 years ago
Update cilium-operator clusterrole (#7416) When upgrading cilium from 1.8.8 to 1.9.5 I ran into the following error: level=error msg="Unable to update CRD" error="customresourcedefinitions.apiextensions.k8s.io \"ciliumnodes.cilium.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\" cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" name=CiliumNode/v2 subsys=k8s The fix was to add the update verb to the clusterrole. I also added create to match the clusterrole created by the cilium helm chart.
3 years ago
Update cilium to 1.8.0 (#6314)
4 years ago
Added missing permissions for operator. (#6683) Related commit: https://github.com/cilium/cilium/commit/976337b750ac8110b128fa25105e2fcc91ccd223
4 years ago
Upgrade Cilium network plugin to v1.5.5. (#5014) * Needs an additional cilium-operator deployment. * Added option to enable hostPort mappings.
5 years ago
Added cilium support (#2236) * Added cilium support * Fix typo in debian test config * Remove empty lines * Changed cilium version from <latest> to <v1.0.0-rc3> * Add missing changes for cilium * Add cilium to CI pipeline * Fix wrong file name * Check kernel version for cilium * fixed ci error * fixed cilium-ds.j2 template * added waiting for cilium pods to run * Fixed missing EOF * Fixed trailing spaces * Fixed trailing spaces * Fixed trailing spaces * Fixed too many blank lines * Updated tolerations,annotations in cilium DS template * Set cilium_version to iptables-1.9 to see if bug is fixed in CI * Update cilium image tag to v1.0.0-rc4 * Update Cilium test case CI vars filenames * Add optional prometheus flag, adjust initial readiness delay * Update README.md with cilium info
7 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
Support Cilium from version 1.5 (#6006)
4 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
Support Cilium from version 1.5 (#6006)
4 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
Support Cilium from version 1.5 (#6006)
4 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
Support Cilium from version 1.5 (#6006)
4 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
Support Cilium from version 1.5 (#6006)
4 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
Support Cilium from version 1.5 (#6006)
4 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
Support Cilium from version 1.5 (#6006)
4 years ago
Fix Cilium permissions (#5923) * added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
4 years ago
  1. ---
  2. apiVersion: rbac.authorization.k8s.io/v1
  3. kind: ClusterRole
  4. metadata:
  5. name: cilium-operator
  6. rules:
  7. - apiGroups:
  8. - ""
  9. resources:
  10. # to automatically delete [core|kube]dns pods so that are starting to being
  11. # managed by Cilium
  12. - pods
  13. verbs:
  14. - get
  15. - list
  16. - watch
  17. - delete
  18. - apiGroups:
  19. - discovery.k8s.io
  20. resources:
  21. - endpointslices
  22. verbs:
  23. - get
  24. - list
  25. - watch
  26. - apiGroups:
  27. - ""
  28. resources:
  29. {% if cilium_version | regex_replace('v') is version('1.8', '<') %}
  30. # to automatically read from k8s and import the node's pod CIDR to cilium's
  31. # etcd so all nodes know how to reach another pod running in in a different
  32. # node.
  33. - nodes
  34. {% endif %}
  35. # to perform the translation of a CNP that contains `ToGroup` to its endpoints
  36. - services
  37. - endpoints
  38. # to check apiserver connectivity
  39. - namespaces
  40. {% if cilium_version | regex_replace('v') is version('1.7', '<') %}
  41. - componentstatuses
  42. {% endif %}
  43. verbs:
  44. - get
  45. - list
  46. - watch
  47. - apiGroups:
  48. - cilium.io
  49. resources:
  50. - ciliumnetworkpolicies
  51. - ciliumnetworkpolicies/status
  52. - ciliumclusterwidenetworkpolicies
  53. - ciliumclusterwidenetworkpolicies/status
  54. - ciliumendpoints
  55. - ciliumendpoints/status
  56. {% if cilium_version | regex_replace('v') is version('1.6', '>=') %}
  57. - ciliumnodes
  58. - ciliumnodes/status
  59. - ciliumidentities
  60. - ciliumidentities/status
  61. {% endif %}
  62. verbs:
  63. - '*'
  64. - apiGroups:
  65. - apiextensions.k8s.io
  66. resources:
  67. - customresourcedefinitions
  68. verbs:
  69. - create
  70. - get
  71. - list
  72. - update
  73. - watch
  74. {% if cilium_version | regex_replace('v') is version('1.8', '>=') %}
  75. # For cilium-operator running in HA mode.
  76. #
  77. # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
  78. # between mulitple running instances.
  79. # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
  80. # common and fewer objects in the cluster watch "all Leases".
  81. # The support for leases was introduced in coordination.k8s.io/v1 during Kubernetes 1.14 release.
  82. # In Cilium we currently don't support HA mode for K8s version < 1.14. This condition make sure
  83. # that we only authorize access to leases resources in supported K8s versions.
  84. - apiGroups:
  85. - coordination.k8s.io
  86. resources:
  87. - leases
  88. verbs:
  89. - create
  90. - get
  91. - update
  92. {% endif %}
  93. ---
  94. apiVersion: rbac.authorization.k8s.io/v1
  95. kind: ClusterRole
  96. metadata:
  97. name: cilium
  98. rules:
  99. - apiGroups:
  100. - networking.k8s.io
  101. resources:
  102. {% if cilium_version | regex_replace('v') is version('1.7', '<') %}
  103. - ingresses
  104. {% endif %}
  105. - networkpolicies
  106. verbs:
  107. - get
  108. - list
  109. - watch
  110. - apiGroups:
  111. - discovery.k8s.io
  112. resources:
  113. - endpointslices
  114. verbs:
  115. - get
  116. - list
  117. - watch
  118. - apiGroups:
  119. - ""
  120. resources:
  121. - namespaces
  122. - services
  123. - nodes
  124. - endpoints
  125. {% if cilium_version | regex_replace('v') is version('1.7', '<') %}
  126. - componentstatuses
  127. {% endif %}
  128. verbs:
  129. - get
  130. - list
  131. - watch
  132. {% if cilium_version | regex_replace('v') is version('1.7', '<') %}
  133. - apiGroups:
  134. - extensions
  135. resources:
  136. - ingresses
  137. verbs:
  138. - create
  139. - get
  140. - list
  141. - watch
  142. {% endif %}
  143. - apiGroups:
  144. - ""
  145. resources:
  146. - pods
  147. - nodes
  148. verbs:
  149. - get
  150. - list
  151. - watch
  152. - update
  153. - apiGroups:
  154. - ""
  155. resources:
  156. - nodes
  157. - nodes/status
  158. verbs:
  159. - patch
  160. - apiGroups:
  161. - apiextensions.k8s.io
  162. resources:
  163. - customresourcedefinitions
  164. verbs:
  165. - create
  166. - get
  167. - list
  168. - watch
  169. - update
  170. - apiGroups:
  171. - cilium.io
  172. resources:
  173. - ciliumnetworkpolicies
  174. - ciliumnetworkpolicies/status
  175. {% if cilium_version | regex_replace('v') is version('1.7', '>=') %}
  176. - ciliumclusterwidenetworkpolicies
  177. - ciliumclusterwidenetworkpolicies/status
  178. {% endif %}
  179. - ciliumendpoints
  180. - ciliumendpoints/status
  181. {% if cilium_version | regex_replace('v') is version('1.6', '>=') %}
  182. - ciliumnodes
  183. - ciliumnodes/status
  184. - ciliumidentities
  185. - ciliumidentities/status
  186. {% endif %}
  187. verbs:
  188. - '*'