diff --git a/cluster/addons/kube-network-policies/OWNERS b/cluster/addons/kube-network-policies/OWNERS new file mode 100644 index 00000000000..379ea7c4739 --- /dev/null +++ b/cluster/addons/kube-network-policies/OWNERS @@ -0,0 +1,8 @@ +# See the OWNERS docs at https://go.k8s.io/owners + +approvers: + - aojea + - danwinship +reviewers: + - aojea + - danwinship diff --git a/cluster/addons/kube-network-policies/kube-network-policies-rbac.yaml b/cluster/addons/kube-network-policies/kube-network-policies-rbac.yaml new file mode 100644 index 00000000000..f0128d32259 --- /dev/null +++ b/cluster/addons/kube-network-policies/kube-network-policies-rbac.yaml @@ -0,0 +1,49 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: system:network-policies + namespace: kube-system + labels: + addonmanager.kubernetes.io/mode: Reconcile +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - watch + - list + # Watch for changes to Kubernetes NetworkPolicies. + - apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: + - watch + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kube-network-policies + labels: + addonmanager.kubernetes.io/mode: Reconcile +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:network-policies +subjects: +- kind: ServiceAccount + name: kube-network-policies + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-network-policies + namespace: kube-system + labels: + k8s-app: kube-network-policies + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile \ No newline at end of file diff --git a/cluster/addons/kube-network-policies/kube-network-policies.yaml b/cluster/addons/kube-network-policies/kube-network-policies.yaml new file mode 100644 index 00000000000..ba8146aa1d6 --- /dev/null +++ b/cluster/addons/kube-network-policies/kube-network-policies.yaml @@ -0,0 +1,54 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-network-policies + namespace: kube-system + labels: + tier: node + app: kube-network-policies + k8s-app: kube-network-policies + addonmanager.kubernetes.io/mode: Reconcile +spec: + selector: + matchLabels: + app: kube-network-policies + template: + metadata: + labels: + tier: node + app: kube-network-policies + k8s-app: kube-network-policies + spec: + hostNetwork: true + tolerations: + - operator: Exists + effect: NoSchedule + serviceAccountName: kube-network-policies + containers: + - name: kube-network-policies + image: registry.k8s.io/networking/kube-network-policies:v0.1.0 + command: + - /bin/sh + - -c + - /bin/netpol -v 4 1>>/var/log/kube-network-policies.log 2>&1 + resources: + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + privileged: true + volumeMounts: + - mountPath: /var/log + name: varlog + readOnly: false + - mountPath: /lib/modules + name: lib-modules + readOnly: true + volumes: + - name: varlog + hostPath: + path: /var/log + - name: lib-modules + hostPath: + path: /lib/modules diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index 168115a4424..bb34dd574e5 100755 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh @@ -2984,6 +2984,9 @@ EOF local -r ds_file="${dst_dir}/calico-policy-controller/calico-node-daemonset.yaml" sed -i -e "s@__CALICO_CNI_DIR__@/home/kubernetes/bin@g" "${ds_file}" fi + if [[ "${NETWORK_POLICY_PROVIDER:-}" == "kube-network-policies" ]]; then + setup-addon-manifests "addons" "kube-network-policies" + fi if [[ "${ENABLE_DEFAULT_STORAGE_CLASS:-}" == "true" ]]; then setup-addon-manifests "addons" "storage-class/gce" fi @@ -3249,8 +3252,8 @@ function setup-containerd { } EOF if [[ "${KUBERNETES_MASTER:-}" != "true" ]]; then - if [[ "${NETWORK_POLICY_PROVIDER:-"none"}" != "none" || "${ENABLE_NETD:-}" == "true" ]]; then - # Use Kubernetes cni daemonset on node if network policy provider is specified + if [[ "${NETWORK_POLICY_PROVIDER:-"none"}" == "calico" || "${ENABLE_NETD:-}" == "true" ]]; then + # Use Kubernetes cni daemonset on node if network policy provider calico is specified # or netd is enabled. cni_template_path="" fi diff --git a/cluster/log-dump/log-dump.sh b/cluster/log-dump/log-dump.sh index 03049ca0e3b..69469d1bf39 100755 --- a/cluster/log-dump/log-dump.sh +++ b/cluster/log-dump/log-dump.sh @@ -42,7 +42,7 @@ readonly node_ssh_supported_providers="gce gke aws" readonly gcloud_supported_providers="gce gke" readonly master_logfiles="kube-apiserver.log kube-apiserver-audit.log kube-scheduler.log kube-controller-manager.log cloud-controller-manager.log etcd.log etcd-events.log glbc.log cluster-autoscaler.log kube-addon-manager.log konnectivity-server.log fluentd.log kubelet.cov" -readonly node_logfiles="kube-proxy.log containers/konnectivity-agent-*.log fluentd.log node-problem-detector.log kubelet.cov" +readonly node_logfiles="kube-proxy.log containers/konnectivity-agent-*.log fluentd.log node-problem-detector.log kubelet.cov kube-network-policies.log" readonly node_systemd_services="node-problem-detector" readonly hollow_node_logfiles="kubelet-hollow-node-*.log kubeproxy-hollow-node-*.log npd-hollow-node-*.log" readonly aws_logfiles="cloud-init-output.log"