feat: Switch KubeVIP to Static Pods #42

Feb 9, 2024
3 changes: 2 additions & 1 deletion kubernetes/kube-vip/base/kustomization.yaml
Expand Up @@ -2,8 +2,9 @@ kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
resources:
- namespace.yaml
- daemonset.yaml
#- daemonset.yaml
- deployment.yaml
- rbac.yaml
- pdb.yaml
- network-policy.yaml
- machine-config.yaml
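Review bot: `#- daemonset.yaml` leaves a commented-out entry in `resources:` instead of deleting the line; git history already records the old resource, and a commented line tends to rot against a file that may later be removed or get uncommented by accident. Either delete the line outright or, if `daemonset.yaml` is being kept on disk deliberately, say so in a comment rather than by a disabled entry. Note also that the new `static-pod.yaml` is not listed under `resources:`, so `kustomize build` never parses it; if it is the plaintext source of the base64 blob in `machine-config.yaml` (which this page does not show), a comment such as `- machine-config.yaml  # embeds static-pod.yaml as base64` next to the entry would make that relationship visible.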
18 changes: 18 additions & 0 deletions kubernetes/kube-vip/base/machine-config.yaml
@@ -0,0 +1,18 @@
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: master
app.kubernetes.io/instance: okd-configuration
name: 71-kube-vip
spec:
config:
ignition:
version: 3.2.0
storage:
files:
- contents:
source: data:text/plain;charset=utf-8;base64,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
mode: 420
overwrite: true
path: /etc/kubernetes/manifests/kube-vip.yaml
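Review bot: The static-pod manifest is delivered as an opaque base64 `source:` value on the `contents` entry, with no comment pointing at the plaintext it was generated from, so a reviewer cannot see what the kubelet will run on every `master`-role node and the blob will silently drift from `static-pod.yaml` in the same directory (presumably its source, but not stated anywhere in the hunk). Add a comment above `source:` such as `# base64 of ../static-pod.yaml; regenerate whenever that file changes`, and consider generating the value at build time instead of committing it. `mode: 420` is Ignition's decimal encoding; `mode: 420  # 0644` saves the next reader a conversion and documents that the manifest is intentionally world-readable on the node.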
2 changes: 1 addition & 1 deletion kubernetes/kube-vip/base/pdb.yaml
Expand Up @@ -7,7 +7,7 @@ spec:
maxUnavailable: 1
selector:
matchLabels:
name: kube-vip-ds
app: kube-vip-ds
---
apiVersion: policy/v1
kind: PodDisruptionBudget
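Review bot: Retargeting the selector to `app: kube-vip-ds` keeps this PodDisruptionBudget pointed at kube-vip, but after this change those pods are static pods: the kubelet owns them, their API objects are mirror pods, and node drain skips mirror pods, so the budget most likely no longer gates anything. Rather than carrying a PDB that cannot act, consider removing this document (and the second PodDisruptionBudget below the hunk, if it is in the same position) or adding a comment explaining why it is kept. The file continues past the hunk, so the second document's selector is not visible here.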
82 changes: 82 additions & 0 deletions kubernetes/kube-vip/base/static-pod.yaml
@@ -0,0 +1,82 @@
apiVersion: v1
kind: Pod
metadata:
name: kube-vip
namespace: kube-vip
annotations:
checkov.io/skip1: CKV_K8S_8=Not Supported
checkov.io/skip2: CKV_K8S_9=Not Supported
checkov.io/skip3: CKV_K8S_38=Leader Election and Services
checkov.io/skip4: CKV_K8S_40=Needs to run as root
checkov.io/skip5: CKV_K8S_23=Needs to run as root
checkov.io/skip6: CKV_K8S_25=Needs Network capabilities
checkov.io/skip7: CKV_K8S_19=Needs Host Network to Manage Load Balancing
labels:
app: kube-vip-ds
spec:
automountServiceAccountToken: false
containers:
- args:
- manager
env:
- name: address
value: 10.0.0.130
- name: vip_arp
value: "true"
- name: port
value: "6443"
- name: vip_cidr
value: "32"
- name: cp_enable
value: "true"
- name: cp_namespace
value: kube-vip
- name: vip_ddns
value: "false"
- name: svc_enable
value: "true"
- name: vip_leaderelection
value: "true"
- name: vip_leaseduration
value: "15"
- name: vip_renewdeadline
value: "10"
- name: vip_retryperiod
value: "2"
image: ghcr.io/kube-vip/kube-vip:v0.6.4@sha256:aa09234646e542dc2629c3dbd5698a77123aecb88d3b01a1d3ba5a78648c45b8
imagePullPolicy: IfNotPresent
name: kube-vip
resources:
limits:
cpu: 100m
ephemeral-storage: 15Mi
memory: 128Mi
requests:
cpu: 25m
memory: 32Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_TIME
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: false
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /etc/kubernetes/admin.conf
name: kubeconfig
hostAliases:
- hostnames:
- kubernetes
ip: 127.0.0.1
hostNetwork: true
volumes:
- hostPath:
path: /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig # TODO Use a different KubeConfig
name: kubeconfig
status: {}
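Review bot: The `kubeconfig` volumeMount at `mountPath: /etc/kubernetes/admin.conf` has no `readOnly: true`, so the credential file on the host is writable from inside the container even though `readOnlyRootFilesystem: true` is set (that flag does not cover volume mounts), and the `hostPath` volume has no `type:`, so on a node where the file is missing the kubelet would create an empty directory at that path and the container would fail in a confusing way instead of at mount time. Add `readOnly: true` under the volumeMount and `type: File` under `hostPath:`. The `# TODO Use a different KubeConfig` deserves to be resolved before this merges rather than after: `localhost.kubeconfig` under `kube-apiserver-certs` appears to be the API server's own localhost credential, which is far broader than the lease and service permissions `rbac.yaml` would grant, so until a dedicated kubeconfig is wired in the RBAC in this base is not what actually bounds the process. `status: {}` is `kubectl -o yaml` residue and can be dropped from a hand-maintained manifest.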