diff --git a/kubernetes/kube-vip/base/kustomization.yaml b/kubernetes/kube-vip/base/kustomization.yaml
index ed26b8488..0e9fde849 100644
--- a/kubernetes/kube-vip/base/kustomization.yaml
+++ b/kubernetes/kube-vip/base/kustomization.yaml
@@ -2,8 +2,9 @@ kind: Kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 resources:
   - namespace.yaml
-  - daemonset.yaml
+  #- daemonset.yaml
   - deployment.yaml
   - rbac.yaml
   - pdb.yaml
   - network-policy.yaml
+  - machine-config.yaml
diff --git a/kubernetes/kube-vip/base/machine-config.yaml b/kubernetes/kube-vip/base/machine-config.yaml
new file mode 100644
index 000000000..7ade258bc
--- /dev/null
+++ b/kubernetes/kube-vip/base/machine-config.yaml
@@ -0,0 +1,18 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: master
+    app.kubernetes.io/instance: okd-configuration
+  name: 71-kube-vip
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    storage:
+      files:
+        - contents:
+            source: data:text/plain;charset=utf-8;base64,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
+          mode: 420
+          overwrite: true
+          path: /etc/kubernetes/manifests/kube-vip.yaml
diff --git a/kubernetes/kube-vip/base/pdb.yaml b/kubernetes/kube-vip/base/pdb.yaml
index f7b91b476..30a3cdd4c 100644
--- a/kubernetes/kube-vip/base/pdb.yaml
+++ b/kubernetes/kube-vip/base/pdb.yaml
@@ -7,7 +7,7 @@ spec:
   maxUnavailable: 1
   selector:
     matchLabels:
-      name: kube-vip-ds
+      app: kube-vip-ds
 ---
 apiVersion: policy/v1
 kind: PodDisruptionBudget
diff --git a/kubernetes/kube-vip/base/static-pod.yaml b/kubernetes/kube-vip/base/static-pod.yaml
new file mode 100644
index 000000000..6cae4f699
--- /dev/null
+++ b/kubernetes/kube-vip/base/static-pod.yaml
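Review bot: The `#- daemonset.yaml` entry in the `resources:` list is a commented-out resource rather than a removal; the removed `- daemonset.yaml` line above it already records the history, so either delete the commented line or say why it stays, e.g. `# daemonset.yaml replaced by the kubelet static pod delivered through machine-config.yaml`. The new `static-pod.yaml` is deliberately absent from this list, which is right for a static pod, but nothing here tells a reader that it is (presumably) only the source of the base64 payload in `machine-config.yaml`; a one-line comment next to `- machine-config.yaml` would point edits to the right file.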
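Review bot: The `source:` data URL in the `files:` entry is an opaque base64 payload with no statement of what it decodes to or how it is regenerated, so it will silently drift from `static-pod.yaml`, which the same commit adds and which presumably is its source. Add a comment above `- contents:` such as `# base64 of static-pod.yaml; regenerate after editing that file`, or have a generator emit the payload instead of hand-pasting it. `mode: 420` is the decimal spelling of 0644 and deserves a trailing `# 0644` so nobody "fixes" it to octal. With `overwrite: true` and `path: /etc/kubernetes/manifests/kube-vip.yaml` the MCO replaces the manifest on every `master` node; confirm that path is the kubelet's static pod directory on the target OKD version.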
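Review bot: The new `app: kube-vip-ds` selector now matches the static pod's label, but a PodDisruptionBudget acts through the Eviction API and kubelet-managed mirror pods are not evicted that way (`kubectl drain` skips them), so this first PDB most likely no longer does anything. Either remove it or record why it is kept, e.g. `# matches the kube-vip static (mirror) pods; has no eviction effect`. The PDB object begins above the hunk and a second PodDisruptionBudget follows the `---` below it, outside the hunk.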
@@ -0,0 +1,82 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kube-vip
+  namespace: kube-vip
+  annotations:
+    checkov.io/skip1: CKV_K8S_8=Not Supported
+    checkov.io/skip2: CKV_K8S_9=Not Supported
+    checkov.io/skip3: CKV_K8S_38=Leader Election and Services
+    checkov.io/skip4: CKV_K8S_40=Needs to run as root
+    checkov.io/skip5: CKV_K8S_23=Needs to run as root
+    checkov.io/skip6: CKV_K8S_25=Needs Network capabilities
+    checkov.io/skip7: CKV_K8S_19=Needs Host Network to Manage Load Balancing
+  labels:
+    app: kube-vip-ds
+spec:
+  automountServiceAccountToken: false
+  containers:
+    - args:
+        - manager
+      env:
+        - name: address
+          value: 10.0.0.130
+        - name: vip_arp
+          value: "true"
+        - name: port
+          value: "6443"
+        - name: vip_cidr
+          value: "32"
+        - name: cp_enable
+          value: "true"
+        - name: cp_namespace
+          value: kube-vip
+        - name: vip_ddns
+          value: "false"
+        - name: svc_enable
+          value: "true"
+        - name: vip_leaderelection
+          value: "true"
+        - name: vip_leaseduration
+          value: "15"
+        - name: vip_renewdeadline
+          value: "10"
+        - name: vip_retryperiod
+          value: "2"
+      image: ghcr.io/kube-vip/kube-vip:v0.6.4@sha256:aa09234646e542dc2629c3dbd5698a77123aecb88d3b01a1d3ba5a78648c45b8
+      imagePullPolicy: IfNotPresent
+      name: kube-vip
+      resources:
+        limits:
+          cpu: 100m
+          ephemeral-storage: 15Mi
+          memory: 128Mi
+        requests:
+          cpu: 25m
+          memory: 32Mi
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          add:
+            - NET_ADMIN
+            - NET_RAW
+            - SYS_TIME
+          drop:
+            - ALL
+        readOnlyRootFilesystem: true
+        runAsNonRoot: false
+        seccompProfile:
+          type: RuntimeDefault
+      volumeMounts:
+        - mountPath: /etc/kubernetes/admin.conf
+          name: kubeconfig
+  hostAliases:
+    - hostnames:
+        - kubernetes
+      ip: 127.0.0.1
+  hostNetwork: true
+  volumes:
+    - hostPath:
+        path: /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig # TODO Use a different KubeConfig
+      name: kubeconfig
+status: {}
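Review bot: The kubeconfig hostPath is mounted read-write and untyped: the volumeMount at `mountPath: /etc/kubernetes/admin.conf` has no `readOnly: true`, and the `hostPath:` under `volumes:` has no `type: File`, so the container can modify the node's `localhost.kubeconfig` and a missing file may be replaced by an empty directory at pod start instead of failing. Add `readOnly: true` beneath `name: kubeconfig` in the volumeMount and `type: File` beneath `hostPath:`. The pod runs as root (`runAsNonRoot: false`, no `runAsUser`) on the host network with `NET_ADMIN`, `NET_RAW` and `SYS_TIME`, which the checkov annotations acknowledge as required; the existing `# TODO Use a different KubeConfig` is then the remaining privilege question, since that credential's scope, not the pod's, decides what a compromise of this container reaches. `address: 10.0.0.130` is an environment-specific value in a `base/` file and is worth a comment or a move to an overlay.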