From 79f2dc6ac4a44d1ffebc8f17711b8c1805dc34fd Mon Sep 17 00:00:00 2001
From: Zihong Zheng
Date: Mon, 21 Aug 2017 17:12:24 -0700
Subject: [PATCH] Add kube-proxy daemonset as a cluster addon.
---
 cluster/addons/kube-proxy/kube-proxy-ds.yaml | 76 +++++++++++++++++++
 .../addons/kube-proxy/kube-proxy-rbac.yaml | 22 ++++++
 .../salt/kube-proxy/kube-proxy.manifest | 3 +
 3 files changed, 101 insertions(+)
 create mode 100644 cluster/addons/kube-proxy/kube-proxy-ds.yaml
 create mode 100644 cluster/addons/kube-proxy/kube-proxy-rbac.yaml
diff --git a/cluster/addons/kube-proxy/kube-proxy-ds.yaml b/cluster/addons/kube-proxy/kube-proxy-ds.yaml
new file mode 100644
index 00000000000..a84f838f912
--- /dev/null
+++ b/cluster/addons/kube-proxy/kube-proxy-ds.yaml
@@ -0,0 +1,76 @@
+# Please keep kube-proxy configuration in-sync with:
+# cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
+
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ labels:
+ k8s-app: kube-proxy
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: kube-proxy
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ k8s-app: kube-proxy
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 10%
+ template:
+ metadata:
+ labels:
+ k8s-app: kube-proxy
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ hostNetwork: true
+ nodeSelector:
+ beta.kubernetes.io/kube-proxy-ds-ready: "true"
+ initContainers:
+ - name: touch-lock
+ image: busybox
+ command: ['/bin/touch', '/run/xtables.lock']
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /run
+ name: run
+ readOnly: false
+ containers:
+ - name: kube-proxy
+ image: {{pillar['kube_docker_registry']}}/kube-proxy:{{pillar['kube-proxy_docker_tag']}}
+ resources:
+ requests:
+ cpu: {{ cpurequest }}
+ command:
+ - /bin/sh
+ - -c
+ - echo -998 > /proc/$$$/oom_score_adj && kube-proxy {{kubeconfig}} {{cluster_cidr}} --resource-container="" {{params}} 1>>/var/log/kube-proxy.log 2>&1
+ {{container_env}}
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /var/log
+ name: varlog
+ readOnly: false
+ - mountPath: /var/lib/kube-proxy/kubeconfig
+ name: kubeconfig
+ readOnly: false
+ - mountPath: /run/xtables.lock
+ name: xtables-lock
+ readOnly: false
+ volumes:
+ - name: varlog
+ hostPath:
+ path: /var/log
+ - name: kubeconfig
+ hostPath:
+ path: /var/lib/kube-proxy/kubeconfig
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ - name: run
+ hostPath:
+ path: /run
+ serviceAccountName: kube-proxy
diff --git a/cluster/addons/kube-proxy/kube-proxy-rbac.yaml b/cluster/addons/kube-proxy/kube-proxy-rbac.yaml
new file mode 100644
index 00000000000..a12ef9d3bfe
--- /dev/null
+++ b/cluster/addons/kube-proxy/kube-proxy-rbac.yaml
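Review bot: In kube-proxy-ds.yaml the `touch-lock` init container pulls `image: busybox` with no tag or digest and runs it with `privileged: true` and the host's `/run` mounted read-write, so whatever that name resolves to at pull time executes with full node privileges on every node the DaemonSet schedules to. Pin the image to a fixed version or digest, e.g. `image: busybox:<pinned-tag-or-digest>` (placeholder), and check whether the touch still works without `privileged: true`. Host `/run` commonly also holds runtime sockets and pid files, so mounting the whole directory to create one lock file is wider than needed; where the cluster version supports hostPath types, `type: FileOrCreate` on the `xtables-lock` volume would likely remove the need for the init container and the `run` volume altogether. Separately, the `kubeconfig` mount could be `readOnly: true`, since the only visible use of that file is as a `--kubeconfig` input.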
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kube-proxy
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: system:kube-proxy
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+ - kind: ServiceAccount
+ name: kube-proxy
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: system:node-proxier
+ apiGroup: rbac.authorization.k8s.io
diff --git a/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest b/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
index b07ff649e36..0befd5b6457 100644
--- a/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
+++ b/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
@@ -1,3 +1,6 @@
+# Please keep kube-proxy configuration in-sync with:
+# cluster/addons/kube-proxy/kube-proxy-ds.yaml
+
 {% set kubeconfig = "--kubeconfig=/var/lib/kube-proxy/kubeconfig" -%}
 {% if grains.api_servers is defined -%}
 {% set api_servers = "--master=https://" + grains.api_servers -%}