This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

fix cilium cluster config (#4202)
jackfrancis authored Nov 7, 2018
1 parent 61aac06 commit 1cef2e8
Showing 3 changed files with 31 additions and 31 deletions.
56 changes: 28 additions & 28 deletions parts/k8s/addons/kubernetesmasteraddons-cilium-daemonset.yaml
Expand Up @@ -4,7 +4,7 @@ metadata:
name: cilium-config
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
data:
# This etcd-config contains the etcd endpoints of your cluster. If you use
# TLS please make sure you uncomment the ca-file line and add the respective
Expand All @@ -17,12 +17,12 @@ data:
#
# In case you want to use TLS in etcd, uncomment the following line
# and add the certificate as explained in the comment labeled "ETCD-CERT"
ca-file: /var/lib/etcd-secrets/etcd-ca
ca-file: '/var/lib/etcd-secrets/etcd-ca'
#
# In case you want client to server authentication, uncomment the following
# lines and add the certificate and key in cilium-etcd-secrets below
key-file: /var/lib/etcd-secrets/etcd-client-key
cert-file: /var/lib/etcd-secrets/etcd-client-crt
key-file: '/var/lib/etcd-secrets/etcd-client-key'
cert-file: '/var/lib/etcd-secrets/etcd-client-crt'
# If you want to run cilium in debug mode change this value to true
debug: "false"
Expand All @@ -37,29 +37,29 @@ metadata:
name: cilium-etcd-secrets
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
data:
# ETCD-CERT: Each value should contain the whole certificate in base64, on a
# single line. You can generate the base64 with: $ base64 -w 0 ./ca.pem
# (the "-w 0" generates the output on a single line)
etcd-ca: <ETCD_CA>
etcd-client-key: <ETCD_CLIENT_KEY>
etcd-client-crt: <ETCD_CLIENT_CERT>
etcd-ca: "<ETCD_CA>"
etcd-client-key: "<ETCD_CLIENT_KEY>"
etcd-client-crt: "<ETCD_CLIENT_CERT>"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cilium
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cilium
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
Expand All @@ -77,7 +77,7 @@ metadata:
name: cilium
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
spec:
updateStrategy:
type: "RollingUpdate"
Expand Down Expand Up @@ -114,44 +114,44 @@ spec:
name: cilium-agent
command: [ "cilium-agent" ]
args:
- --debug=$(CILIUM_DEBUG)
- -t
- vxlan
- --kvstore
- etcd
- --kvstore-opt
- etcd.config=/var/lib/etcd-config/etcd.config
- --disable-ipv4=$(DISABLE_IPV4)
- "--debug=$(CILIUM_DEBUG)"
- "-t"
- "vxlan"
- "--kvstore"
- "etcd"
- "--kvstore-opt"
- "etcd.config=/var/lib/etcd-config/etcd.config"
- "--disable-ipv4=$(DISABLE_IPV4)"
ports:
- name: prometheus
containerPort: 9090
lifecycle:
postStart:
exec:
command:
- /cni-install.sh
- "/cni-install.sh"
preStop:
exec:
command:
- /cni-uninstall.sh
- "/cni-uninstall.sh"
env:
- name: K8S_NODE_NAME
- name: "K8S_NODE_NAME"
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: CILIUM_DEBUG
- name: "CILIUM_DEBUG"
valueFrom:
configMapKeyRef:
name: cilium-config
key: debug
- name: DISABLE_IPV4
- name: "DISABLE_IPV4"
valueFrom:
configMapKeyRef:
name: cilium-config
key: disable-ipv4
# Note: this variable is a no-op if not defined, and is used in the
# prometheus examples.
- name: CILIUM_PROMETHEUS_SERVE_ADDR
- name: "CILIUM_PROMETHEUS_SERVE_ADDR"
valueFrom:
configMapKeyRef:
name: cilium-metrics-config
Expand Down Expand Up @@ -196,7 +196,7 @@ spec:
securityContext:
capabilities:
add:
- NET_ADMIN
- "NET_ADMIN"
privileged: true
hostNetwork: true
volumes:
Expand Down Expand Up @@ -238,7 +238,7 @@ metadata:
name: cilium
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
rules:
- apiGroups:
- "networking.k8s.io"
Expand Down Expand Up @@ -297,4 +297,4 @@ rules:
- ciliumnetworkpolicies
- ciliumendpoints
verbs:
- "*"
- "*"
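Review bot: The comments above `ca-file`, `key-file` and `cert-file` still tell the operator to uncomment those lines, yet on the new side all three are active, so the etcd client always uses TLS with client-certificate authentication and the comments describe an opt-in that no longer exists. I would reword them to state the actual behaviour, e.g. `# TLS to etcd is enabled; the CA is read from /var/lib/etcd-secrets/etcd-ca` and `# Client authentication is enabled; key and certificate come from cilium-etcd-secrets below`. Because `etcd-client-key` in that Secret is filled from the `<ETCD_CLIENT_KEY>` placeholder, presumably by a provisioning-time substitution not shown in this section, the rendered manifest holds the private key in base64 and its file mode on the master is worth checking. The quoting is also mixed (single quotes for the three paths, double quotes elsewhere); one style throughout would read more cleanly.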
2 changes: 1 addition & 1 deletion parts/k8s/kubernetesmastercustomdata.yml
Expand Up @@ -361,7 +361,7 @@ MASTER_ARTIFACTS_CONFIG_PLACEHOLDER
sed -i "s|<kubeClusterCidr>|{{WrapAsParameter "kubeClusterCidr"}}|g" /etc/kubernetes/addons/flannel-daemonset.yaml
{{end}}
{{if eq .OrchestratorProfile.KubernetesConfig.NetworkPolicy "cilium"}}
a=/etc/kubernetes/addons/cilium-daemonset.yaml
a=/etc/kubernetes/addons/cilium-daemonset.yaml
{{if IsMasterVirtualMachineScaleSets}}
sed -i "s|<ETCD_URL>|"https://$PRIVATE_IP:$ETCD_CLIENT_PORT"|g" $a
{{else}}
4 changes: 2 additions & 2 deletions test/e2e/kubernetes/kubernetes_test.go
Expand Up @@ -830,9 +830,9 @@ var _ = Describe("Azure Container Cluster using the Kubernetes Orchestrator", fu
})
})

Describe("with calico or azure network policy enabled", func() {
Describe("with NetworkPolicy enabled", func() {
It("should apply various network policies and enforce access to nginx pod", func() {
if eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") {
if eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") || eng.HasNetworkPolicy("cilium") {
nsClientOne, nsClientTwo, nsServer := "client-one", "client-two", "server"
By("Creating namespaces")
_, err := namespace.Create(nsClientOne)
