MetalLB: update to v0.10.2 (#7925)

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
3 years ago · 48ceca4919
4 changed files with 74 additions and 48 deletions
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@ -157,11 +157,10 @@ metallb_speaker_enabled: true
 #     operator: "Equal"
 #     value: ""
 #     effect: "NoSchedule"
-# metallb_version: v0.9.6
+# metallb_version: v0.10.2
 # metallb_protocol: "layer2"
 # metallb_port: "7472"
-# metallb_limits_cpu: "100m"
-# metallb_limits_mem: "100Mi"
+# metallb_memberlist_port: "7946"
 # metallb_additional_address_pools:
 #   kube_service_pool:
 #     ip_range:
--- a/roles/kubernetes-apps/metallb/defaults/main.yml
+++ b/roles/kubernetes-apps/metallb/defaults/main.yml
@ -1,10 +1,9 @@
 ---
 metallb_enabled: false
-metallb_version: v0.9.6
+metallb_version: v0.10.2
 metallb_protocol: "layer2"
 metallb_port: "7472"
-metallb_limits_cpu: "100m"
-metallb_limits_mem: "100Mi"
+metallb_memberlist_port: "7946"
 metallb_peers: []
 metallb_speaker_enabled: true
 metallb_speaker_nodeselector: {}
@ -12,6 +11,8 @@ metallb_controller_nodeselector: {}
 metallb_speaker_tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
+    operator: Exists
  - effect: NoSchedule
    key: node-role.kubernetes.io/control-plane
+    operator: Exists
 metallb_controller_tolerations: []
--- a/roles/kubernetes-apps/metallb/tasks/main.yml
+++ b/roles/kubernetes-apps/metallb/tasks/main.yml
@ -50,25 +50,3 @@
  with_items: "{{ rendering.results }}"
  when:
    - "inventory_hostname == groups['kube_control_plane'][0]"
-
- name: Kubernetes Apps | Check existing secret of MetalLB
-  command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system get secret memberlist"
-  register: metallb_secret
-  become: true
-  ignore_errors: true  # noqa ignore-errors
-  when:
-    - inventory_hostname == groups['kube_control_plane'][0]
-
- name: Kubernetes Apps | Create random bytes for MetalLB
-  command: "openssl rand -base64 32"
-  register: metallb_rand
-  when:
-    - inventory_hostname == groups['kube_control_plane'][0]
-    - metallb_secret.rc != 0
-
- name: Kubernetes Apps | Install secret of MetalLB if not existing
-  command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system create secret generic memberlist --from-literal=secretkey={{ metallb_rand.stdout }}"
-  become: true
-  when:
-    - inventory_hostname == groups['kube_control_plane'][0]
-    - metallb_secret.rc != 0
--- a/roles/kubernetes-apps/metallb/templates/metallb.yml.j2
+++ b/roles/kubernetes-apps/metallb/templates/metallb.yml.j2
@ -58,9 +58,7 @@ metadata:
 spec:
  allowPrivilegeEscalation: false
  allowedCapabilities:
-  - NET_ADMIN
  - NET_RAW
-  - SYS_ADMIN
  allowedHostPaths: []
  defaultAddCapabilities: []
  defaultAllowPrivilegeEscalation: false
@ -72,6 +70,8 @@ spec:
  hostPorts:
  - max: {{ metallb_port }}
    min: {{ metallb_port }}
+  - max: {{ metallb_memberlist_port }}
+    min: {{ metallb_memberlist_port }}
  privileged: true
  readOnlyRootFilesystem: true
  requiredDropCapabilities:
@ -121,7 +121,6 @@ rules:
  - get
  - list
  - watch
-  - update
 - apiGroups:
  - ''
  resources:
@ -162,6 +161,13 @@ rules:
  - get
  - list
  - watch
+- apiGroups: ["discovery.k8s.io"]
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
  - ''
  resources:
@ -212,6 +218,37 @@ rules:
  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  resourceNames:
+  - memberlist
+  verbs:
+  - list
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  resourceNames:
+  - controller
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
@ -275,6 +312,21 @@ subjects:
 - kind: ServiceAccount
  name: speaker
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+---
 {% if metallb_speaker_enabled %}
 apiVersion: apps/v1
 kind: DaemonSet
@ -316,36 +368,32 @@ spec:
            fieldRef:
              fieldPath: status.podIP
        # needed when another software is also using memberlist / port 7946
+        # when changing this default you also need to update the container ports definition
+        # and the PodSecurityPolicy hostPorts definition
        #- name: METALLB_ML_BIND_PORT
-        #  value: "7946"
+        #  value: "{{ metallb_memberlist_port }}"
        - name: METALLB_ML_LABELS
          value: "app=metallb,component=speaker"
-        - name: METALLB_ML_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
        - name: METALLB_ML_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: memberlist
              key: secretkey
        image: {{ metallb_speaker_image_repo }}:{{ metallb_version }}
-        imagePullPolicy: {{ k8s_image_pull_policy }}
        name: speaker
        ports:
        - containerPort: {{ metallb_port }}
          name: monitoring
-        resources:
-          limits:
-            cpu: {{ metallb_limits_cpu }}
-            memory: {{ metallb_limits_mem }}
+        - containerPort: {{ metallb_memberlist_port }}
+          name: memberlist-tcp
+        - containerPort: {{ metallb_memberlist_port }}
+          name: memberlist-udp
+          protocol: UDP
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
-            - NET_ADMIN
            - NET_RAW
-            - SYS_ADMIN
            drop:
            - ALL
          readOnlyRootFilesystem: true
@ -399,16 +447,16 @@ spec:
      - args:
        - --port={{ metallb_port }}
        - --config=config
+        env:
+        - name: METALLB_ML_SECRET_NAME
+          value: memberlist
+        - name: METALLB_DEPLOYMENT
+          value: controller
        image: {{ metallb_controller_image_repo }}:{{ metallb_version }}
-        imagePullPolicy: {{ k8s_image_pull_policy }}
        name: controller
        ports:
        - containerPort: {{ metallb_port }}
          name: monitoring
-        resources:
-          limits:
-            cpu: {{ metallb_limits_cpu }}
-            memory: {{ metallb_limits_mem }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities: