
Commit 2db47a6

authored
Merge pull request #711 from l1b0k/feat/policy
policy: embed policy init to terway-cli
2 parents 16b2c2a + bc355c5 commit 2db47a6

15 files changed

+772
-454
lines changed


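--- a/charts/terway/templates/clusterrole.yaml
+++ b/charts/terway/templates/clusterrole.yaml
@@ -98,11 +98,5 @@ rules:
 - network.alibabacloud.com
 resources:
 - '*'
-verbs:
-- '*'
-- apiGroups:
-- alibabacloud.com
-resources:
-- '*'
 verbs:
 - '*'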

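--- a/charts/terway/templates/daemonset.yaml
+++ b/charts/terway/templates/daemonset.yaml
@@ -1,59 +1,4 @@
 ---
-{{if .Values.enableIPvlan }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-name: terway-preflight
-spec:
-ttlSecondsAfterFinished: 300
-backoffLimit: 10
-template:
-spec:
-hostNetwork: true
-priorityClassName: system-node-critical
-tolerations:
-- operator: "Exists"
-affinity:
-nodeAffinity:
-requiredDuringSchedulingIgnoredDuringExecution:
-nodeSelectorTerms:
-- matchExpressions:
-- key: type
-operator: NotIn
-values:
-- virtual-kubelet
-- key: kubernetes.io/arch
-operator: In
-values:
-- amd64
-- arm64
-- key: kubernetes.io/os
-operator: In
-values:
-- linux
-containers:
-- name: preflight
-image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-command:
-- sh
-- "-ce"
-- "cilium preflight register-crd"
-volumeMounts:
-- name: configvolume
-mountPath: /etc/eni
-restartPolicy: OnFailure
-serviceAccountName: terway
-volumes:
-- name: configvolume
-configMap:
-name: eni-config
-items:
-- key: eni_conf
-path: eni.json
-- key: 10-terway.conf
-path: 10-terway.conf
-{{end}}
----
 
 apiVersion: apps/v1
 kind: DaemonSet
@@ -106,40 +51,43 @@ spec:
 command:
 - /bin/init.sh
 env:
-- name: TERWAY_DAEMON_MODE
-value: "{{.Values.daemonMode}}"
-- name: K8S_NODE_NAME
-valueFrom:
-fieldRef:
-fieldPath: spec.nodeName
-- name: DISABLE_POLICY
-valueFrom:
-configMapKeyRef:
-name: eni-config
-key: disable_network_policy
-optional: true
+- name: K8S_NODE_NAME
+valueFrom:
+fieldRef:
+fieldPath: spec.nodeName
+- name: DISABLE_POLICY
+valueFrom:
+configMapKeyRef:
+name: eni-config
+key: disable_network_policy
+optional: true
 volumeMounts:
-- name: config
-mountPath: /etc/eni
-- mountPath: /var-run-eni
-name: var-run-eni
-- name: configvolume
-mountPath: /tmp/eni
-- name: cni-bin
-mountPath: /opt/cni/bin/
-- name: cni
-mountPath: /etc/cni/net.d/
-- mountPath: /lib/modules
-name: lib-modules
-- mountPath: /host
-name: host-root
-- mountPath: /var/run/
-name: eni-run
+- name: eni-config
+mountPath: /etc/eni
+- mountPath: /var-run-eni
+name: var-run-eni
+- name: cni-bin
+mountPath: /opt/cni/bin/
+- name: cni-config-project
+mountPath: /etc/cni/net.d/
+- mountPath: /lib/modules
+name: lib-modules
+- mountPath: /host
+name: host-root
+- mountPath: /var/run/
+name: eni-run
 containers:
 - name: terway
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: IfNotPresent
-command: [ "/usr/bin/terwayd", "-log-level", "info", "-daemon-mode", "{{.Values.daemonMode}}" ]
+command:
+- "/usr/bin/terwayd"
+- "-log-level"
+- "info"
+- "-daemon-mode"
+- "{{.Values.daemonMode}}"
+- "-config"
+- "/etc/eni/eni_conf"
 securityContext:
 capabilities:
 add:
@@ -164,27 +112,25 @@ spec:
 fieldRef:
 fieldPath: metadata.namespace
 volumeMounts:
-- name: config
-mountPath: /etc/eni
-readOnly: true
-- mountPath: /var/run/
-name: eni-run
-- mountPath: /lib/modules
-name: lib-modules
-- mountPath: /var/lib/cni/networks
-name: cni-networks
-- mountPath: /var/lib/cni/terway
-name: cni-terway
-- mountPath: /etc/cni/net.d
-name: cni
-readOnly: true
-- mountPath: /host-etc-net.d
-name: host-cni
-- mountPath: /var/lib/kubelet/device-plugins
-name: device-plugin-path
-- name: addon-token
-mountPath: "/var/addon"
-readOnly: true
+- name: configvolume
+mountPath: /etc/eni
+readOnly: true
+- mountPath: /var/run/
+name: eni-run
+- mountPath: /lib/modules
+name: lib-modules
+- mountPath: /var/lib/cni/terway
+name: cni-terway
+- mountPath: /etc/cni/net.d
+name: cni-config-project
+readOnly: true
+- mountPath: /host-etc-net.d
+name: cni-config
+- mountPath: /var/lib/kubelet/device-plugins
+name: device-plugin-path
+- name: addon-token
+mountPath: "/var/addon"
+readOnly: true
 - name: policy
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: IfNotPresent
@@ -218,12 +164,6 @@ spec:
 fieldPath: metadata.namespace
 - name: CILIUM_CNI_CHAINING_MODE
 value: terway-chainer
-- name: IN_CLUSTER_LOADBALANCE
-valueFrom:
-configMapKeyRef:
-name: eni-config
-key: in_cluster_loadbalance
-optional: true
 securityContext:
 privileged: false
 capabilities:
@@ -233,7 +173,7 @@ spec:
 - SYS_ADMIN
 - NET_RAW
 - SYS_MODULE
-{{if .Values.enableIPvlan }}
+{{- if .Values.enableIPvlan }}
 - CHOWN
 - KILL
 - IPC_LOCK
@@ -263,12 +203,15 @@ spec:
 host: 127.0.0.1
 periodSeconds: 10
 volumeMounts:
+- mountPath: /etc/eni
+name: configvolume
+readOnly: true
 - mountPath: /var-run-eni
 name: var-run-eni
 - mountPath: /lib/modules
 name: lib-modules
 - mountPath: /etc/cni/net.d
-name: cni
+name: cni-config-project
 readOnly: true
 # volumes use by cilium
 - mountPath: /sys/fs
@@ -279,71 +222,62 @@ spec:
 - mountPath: /run/xtables.lock
 name: xtables-lock
 volumes:
-- name: config
-emptyDir: {}
-- name: var-run-eni
-emptyDir: { }
-- name: configvolume
-configMap:
-name: eni-config
-items: null
-- name: cni-bin
-hostPath:
-path: /opt/cni/bin
-type: "Directory"
-- name: host-cni
-hostPath:
-path: /etc/cni/net.d
-- name: cni
-emptyDir: {}
-- name: eni-run
-hostPath:
-path: /var/run/
-type: "Directory"
-- name: lib-modules
-hostPath:
-path: /lib/modules
-- name: cni-networks
-hostPath:
-path: /var/lib/cni/networks
-- name: cni-terway
-hostPath:
-path: /var/lib/cni/terway
-- name: device-plugin-path
-hostPath:
-path: /var/lib/kubelet/device-plugins
-type: "Directory"
-- name: host-root
-hostPath:
-path: /
-type: "Directory"
-- name: addon-token
-secret:
-secretName: addon.network.token
-items:
-- key: addon.token.config
-path: token-config
-optional: true
-- name: alibaba-addon-secret
-secret:
-secretName: alibaba-addon-secret
-optional: true
-# used by cilium
-# To keep state between restarts / upgrades
-- hostPath:
-path: /var/run/cilium
-type: DirectoryOrCreate
-name: cilium-run
-# To keep state between restarts / upgrades for bpf maps
-- hostPath:
-path: /sys/fs/
-type: DirectoryOrCreate
-name: sys-fs
-# To access iptables concurrently with other processes (e.g. kube-proxy)
-- hostPath:
-path: /run/xtables.lock
-type: FileOrCreate
-name: xtables-lock
+- name: var-run-eni
+emptyDir: { }
+- name: configvolume
+configMap:
+name: eni-config
+items: null
+- name: cni-bin
+hostPath:
+path: /opt/cni/bin
+type: "Directory"
+- name: cni-config
+hostPath:
+path: /etc/cni/net.d
+- name: cni-config-project
+emptyDir: { }
+- name: eni-run
+hostPath:
+path: /var/run/
+type: "Directory"
+- name: lib-modules
+hostPath:
+path: /lib/modules
+- name: cni-terway
+hostPath:
+path: /var/lib/cni/terway
+- name: device-plugin-path
+hostPath:
+path: /var/lib/kubelet/device-plugins
+type: "Directory"
+- name: host-root
+hostPath:
+path: /
+type: "Directory"
+- name: addon-token
+secret:
+secretName: addon.network.token
+items:
+- key: addon.token.config
+path: token-config
+optional: true
+# used by cilium
+# To keep state between restarts / upgrades
+- hostPath:
+path: /var/run/cilium
+type: DirectoryOrCreate
+name: cilium-run
+# To keep state between restarts / upgrades for bpf maps
+- hostPath:
+path: /sys/fs/
+type: DirectoryOrCreate
+name: sys-fs
+# To access iptables concurrently with other processes (e.g. kube-proxy)
+- hostPath:
+path: /run/xtables.lock
+type: FileOrCreate
+name: xtables-lock
 
 ---
 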
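Review bot: The init container's first volumeMount (new line 65, `- name: eni-config` at `/etc/eni`) references a volume that the rewritten `volumes:` list (new lines 225-280) never defines — the config map is exposed as `configvolume`, and the old `config` emptyDir that used to back `/etc/eni` was removed — so unless a volume of that name comes from a hunk not shown, the API server will reject the DaemonSet with a "volumeMounts[0].name: Not found" error. The intended mount appears to be `- name: configvolume`, which is what the terway and policy containers now use read-only for the same path and what the new `-config /etc/eni/eni_conf` argument expects. If `/bin/init.sh` still writes into `/etc/eni` (it previously had a writable emptyDir there), note that a configMap volume is mounted read-only regardless of the `readOnly` flag, so that write path would need its own emptyDir rather than the config map. The init container definition starts outside this hunk.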
