Add a prototypical network-daemonset

Author: smarterclayton

contrib/kubernetes/controllers.yaml

@@ -0,0 +1,51 @@
+allowDisabledDocker: false
+apiVersion: v1
+authConfig:
+  authenticationCacheSize: 1000
+  authenticationCacheTTL: 5m
+  authorizationCacheSize: 1000
+  authorizationCacheTTL: 5m
+dnsDomain: cluster.local
+dnsIP: 0.0.0.0
+dnsBindAddress: 0.0.0.0:53
+dnsRecursiveResolvConf: ""
+dockerConfig:
+  dockerShimRootDirectory: /var/lib/dockershim
+  dockerShimSocket: /var/run/kubernetes/dockershim.sock
+  execHandlerName: native
+enableUnidling: true
+imageConfig:
+  format: openshift/origin-${component}:${version}
+  latest: false
+iptablesSyncPeriod: 30s
+kind: NodeConfig
+kubeletArguments:
+  cert-dir:
+  - ./certificates
+  feature-gates:
+  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true
+masterClientConnectionOverrides:
+  acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
+  burst: 40
+  contentType: application/vnd.kubernetes.protobuf
+  qps: 20
+masterKubeConfig: node.kubeconfig
+networkConfig:
+  mtu: 1450
+  networkPluginName: redhat/openshift-ovs-multitenant
+nodeIP: ""
+proxyArguments:
+  healthz-bind-address: 
+  - 0.0.0.0
+  healthz-port:
+  - "10256"
+  metrics-bind-address:
+  - 0.0.0.0:10257
+servingInfo:
+  bindAddress: 0.0.0.0:10250
+  bindNetwork: tcp4
+  namedCertificates: null
+volumeConfig:
+  localQuota:
+    perFSGroup: null
+volumeDirectory: /var/lib/origin/volumes

contrib/kubernetes/default-node-config.yaml

@@ -5,7 +5,7 @@ metadata:
 spec:
   containers:
   - name: controllers
-    image: openshift/origin:v3.6.0-rc.0
+    image: openshift/origin:v3.6.0
     command: ["/usr/bin/openshift", "start", "master", "controllers"]
     args:
     - "--config=/etc/origin/master/master-config.yaml"

contrib/kubernetes/static/controllers-pod.yaml

@@ -0,0 +1,157 @@
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+  name: sdn
+  annotations:
+    kubernetes.io/description: |
+      This daemon set launches the OpenShift networking components (kube-proxy, DNS, and openshift-sdn).
+      It expects that OVS is running on the node.
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        component: network
+        type: infra
+        openshift.io/role: network
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      # Requires fairly broad permissions - ability to read all services and network functions as well
+      # as all pods.
+      serviceAccountName: sdn
+      hostNetwork: true
+      hostPID: true
+      containers:
+      - name: network
+        image: openshift/node:v3.7.0-alpha.1
+        command: 
+        - /bin/bash
+        - -c
+        - |
+          #!/bin/sh
+          set -o errexit
+          # Take over network functions on the node
+          rm -Rf /etc/cni/net.d/*
+          rm -Rf /host/opt/cni/bin/*
+          cp -Rf /opt/cni/bin/* /host/opt/cni/bin/
+          # Use whichever node-config exists
+          cfg=/etc/openshift/node
+          if [[ ! -f "${cfg}/node-config.yaml" ]]; then
+            cfg=/etc/origin/node
+          fi
+          # Use the same config as the node, but with the service account token
+          openshift cli config "--config=${cfg}/node.kubeconfig" view --flatten > /tmp/kubeconfig
+          openshift cli config --config=/tmp/kubeconfig set-credentials sa "--token=$( cat /var/run/secrets/kubernetes.io/serviceaccount/token )"
+          openshift cli config --config=/tmp/kubeconfig set-context "$( openshift cli config current-context)" --user=sa
+          # Launch the network process
+          exec openshift start network "--config=${cfg}/node-config.yaml" --kubeconfig=/tmp/kubeconfig --loglevel=5
+
+        securityContext:
+          runAsUser: 0
+          # Permission could be reduced by selecting an appropriate SELinux policy
+          privileged: true
+        # TODO: debugging only
+        imagePullPolicy: Never
+        volumeMounts:
+        # Directory which contains the host configuration. We look at both locations
+        # to simplify setup.
+        - mountPath: /etc/origin/node/
+          name: host-config
+          readOnly: true
+        - mountPath: /etc/openshift/node/
+          name: host-config-alt
+          readOnly: true
+        # Run directories where we need to be able to access sockets
+        - mountPath: /var/run/dbus/
+          name: host-var-run-dbus
+          readOnly: true
+        - mountPath: /var/run/openvswitch/
+          name: host-var-run-ovs
+          readOnly: true
+        - mountPath: /var/run/kubernetes/
+          name: host-var-run-kubernetes
+          readOnly: true
+        # We mount our socket here
+        - mountPath: /var/run/openshift-sdn
+          name: host-var-run-openshift-sdn
+        # CNI related mounts which we take over
+        - mountPath: /host/opt/cni/bin
+          name: host-opt-cni-bin
+        - mountPath: /etc/cni/net.d
+          name: host-etc-cni-netd
+        - mountPath: /var/lib/cni/networks/openshift-sdn
+          name: host-var-lib-cni-networks-openshift-sdn
+
+        resources:
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        env:
+        - name: OPENSHIFT_DNS_DOMAIN
+          value: cluster.local
+        ports:
+        - name: healthz
+          containerPort: 10256
+        livenessProbe:
+          initialDelaySeconds: 10
+          httpGet:
+            path: /healthz
+            port: 10256
+            scheme: HTTP
+        lifecycle:
+          # postStart:
+          #   exec:
+          #     command:
+          #     - /usr/bin/dbus-send
+          #     - --system
+          #     - --dest=uk.org.thekelleys.dnsmasq
+          #     - /uk/org/thekelleys/dnsmasq
+          #     - uk.org.thekelleys.SetDomainServers
+          #     - array:string:/in-addr.arpa/127.0.0.1,/$(OPENSHIFT_DNS_DOMAIN)/127.0.0.1
+          # preStop:
+          #   exec:
+          #     command:
+          #     - /usr/bin/dbus-send
+          #     - --system
+          #     - --dest=uk.org.thekelleys.dnsmasq
+          #     - /uk/org/thekelleys/dnsmasq
+          #     - uk.org.thekelleys.SetDomainServers
+          #     - "array:string:"
+
+      volumes:
+      # In bootstrap mode, the host config contains information not easily available
+      # from other locations.
+      - name: host-config
+        hostPath:
+          path: /etc/origin/node
+      - name: host-config-alt
+        hostPath:
+          path: /etc/openshift/node
+      - name: host-modules
+        hostPath:
+          path: /lib/modules
+
+      - name: host-var-run-ovs
+        hostPath:
+          path: /var/run/openvswitch
+      - name: host-var-run-kubernetes
+        hostPath:
+          path: /var/run/kubernetes
+      - name: host-var-run-dbus
+        hostPath:
+          path: /var/run/dbus
+      - name: host-var-run-openshift-sdn
+        hostPath:
+          path: /var/run/openshift-sdn
+
+      - name: host-opt-cni-bin
+        hostPath:
+          path: /opt/cni/bin
+      - name: host-etc-cni-netd
+        hostPath:
+          path: /etc/cni/net.d
+      - name: host-var-lib-cni-networks-openshift-sdn
+        hostPath:
+          path: /var/lib/cni/networks/openshift-sdn

contrib/kubernetes/static/network-daemonset.yaml

@@ -0,0 +1,61 @@
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+  name: ovs
+  annotations:
+    kubernetes.io/description: |
+      This daemon set launches the openvswitch daemon.
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        component: network
+        type: infra
+        openshift.io/role: network
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      # Requires fairly broad permissions - ability to read all services and network functions as well
+      # as all pods.
+      serviceAccountName: sdn
+      hostNetwork: true
+      containers:
+      - name: openvswitch
+        image: openshift/openvswitch:v3.7.0-alpha.1
+        securityContext:
+          runAsUser: 0
+          privileged: true
+        volumeMounts:
+        - mountPath: /lib/modules
+          name: host-modules
+          readOnly: true
+        - mountPath: /run/openvswitch
+          name: host-run-ovs
+        - mountPath: /sys
+          name: host-sys
+          readOnly: true
+        - mountPath: /etc/openvswitch
+          name: host-config-openvswitch
+        resources:
+          requests:
+            cpu: 100m
+            memory: 200Mi
+          limits:
+            cpu: 200m
+            memory: 300Mi
+
+      volumes:
+      - name: host-modules
+        hostPath:
+          path: /lib/modules
+      - name: host-run-ovs
+        hostPath:
+          path: /run/openvswitch
+      - name: host-sys
+        hostPath:
+          path: /sys
+      - name: host-config-openvswitch
+        hostPath:
+          path: /etc/origin/openvswitch

contrib/kubernetes/static/network-ovs.yaml

@@ -0,0 +1,29 @@
+kind: List
+apiVersion: v1
+items:
+- kind: ServiceAccount
+  apiVersion: v1
+  metadata:
+    name: sdn
+    namespace: openshift-node
+- apiVersion: authorization.openshift.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: sdn-cluster-reader
+  roleRef:
+    name: cluster-reader
+  subjects:
+  - kind: ServiceAccount
+    name: sdn
+    namespace: openshift-node
+- apiVersion: authorization.openshift.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: sdn-reader
+  roleRef:
+    name: system:sdn-reader
+  subjects:
+  - kind: ServiceAccount
+    name: sdn
+    namespace: openshift-node
+# TODO: PSP binding

contrib/kubernetes/static/network-policy.yaml

@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# This script is expected to be run with:
+#
+#   $ oc observe csr -a '{.status.conditions[*].type}' -a '{.status.certificate}' -- PATH_TO_SCRIPT
+#
+# It will approve any CSR that is not approved yet, and delete any CSR that expired more than 60 seconds
+# ago.
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+name=${1}
+condition=${2}
+certificate=${3}
+
+# auto approve
+if [[ -z "${condition}" ]]; then
+  oc adm certificate approve "${name}"
+  exit 0
+fi
+
+# check certificate age
+if [[ -n "${certificate}" ]]; then
+  text="$( echo "${certificate}" | base64 -D - )"
+  if ! echo "${text}" | openssl x509 -checkend -60 > /dev/null; then
+    echo "Certificate is expired, deleting"
+    oc delete csr "${name}"
+  fi
+  exit 0
+fi

contrib/kubernetes/static/sign.sh

@@ -21,6 +21,7 @@ import (
 	kubeletoptions "k8s.io/kubernetes/cmd/kubelet/app/options"
 	"k8s.io/kubernetes/pkg/kubectl/cmd/templates"
 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
+	"k8s.io/kubernetes/pkg/master/ports"
 
 	"github.com/openshift/origin/pkg/cmd/server/admin"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
@@ -126,6 +127,7 @@ func NewCommandStartNetwork(basename string, out, errout io.Writer) (*cobra.Comm
 	flags.StringVar(&options.ConfigFile, "config", "", "Location of the node configuration file to run from. When running from a configuration file, all other command-line arguments are ignored.")
 
 	options.NodeArgs = NewDefaultNodeArgs()
+	options.NodeArgs.ListenArg.ListenAddr.DefaultPort = ports.ProxyHealthzPort
 	options.NodeArgs.Components = NewNetworkComponentFlag()
 	BindNodeNetworkArgs(options.NodeArgs, flags, "")
 	BindImageFormatArgs(options.NodeArgs.ImageFormatArgs, flags, "")