This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

fix cilium cluster config #4202

Merged
merged 2 commits into from
Nov 7, 2018
Merged
56 changes: 28 additions & 28 deletions parts/k8s/addons/kubernetesmasteraddons-cilium-daemonset.yaml
Expand Up @@ -4,7 +4,7 @@ metadata:
name: cilium-config
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
data:
# This etcd-config contains the etcd endpoints of your cluster. If you use
# TLS please make sure you uncomment the ca-file line and add the respective
Expand All @@ -17,12 +17,12 @@ data:
#
# In case you want to use TLS in etcd, uncomment the following line
# and add the certificate as explained in the comment labeled "ETCD-CERT"
ca-file: /var/lib/etcd-secrets/etcd-ca
ca-file: '/var/lib/etcd-secrets/etcd-ca'
#
# In case you want client to server authentication, uncomment the following
# lines and add the certificate and key in cilium-etcd-secrets below
key-file: /var/lib/etcd-secrets/etcd-client-key
cert-file: /var/lib/etcd-secrets/etcd-client-crt
key-file: '/var/lib/etcd-secrets/etcd-client-key'
cert-file: '/var/lib/etcd-secrets/etcd-client-crt'
# If you want to run cilium in debug mode change this value to true
debug: "false"
Expand All @@ -37,29 +37,29 @@ metadata:
name: cilium-etcd-secrets
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
data:
# ETCD-CERT: Each value should contain the whole certificate in base64, on a
# single line. You can generate the base64 with: $ base64 -w 0 ./ca.pem
# (the "-w 0" generates the output on a single line)
etcd-ca: <ETCD_CA>
etcd-client-key: <ETCD_CLIENT_KEY>
etcd-client-crt: <ETCD_CLIENT_CERT>
etcd-ca: "<ETCD_CA>"
etcd-client-key: "<ETCD_CLIENT_KEY>"
etcd-client-crt: "<ETCD_CLIENT_CERT>"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cilium
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cilium
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
Expand All @@ -77,7 +77,7 @@ metadata:
name: cilium
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
spec:
updateStrategy:
type: "RollingUpdate"
Expand Down Expand Up @@ -114,44 +114,44 @@ spec:
name: cilium-agent
command: [ "cilium-agent" ]
args:
- --debug=$(CILIUM_DEBUG)
- -t
- vxlan
- --kvstore
- etcd
- --kvstore-opt
- etcd.config=/var/lib/etcd-config/etcd.config
- --disable-ipv4=$(DISABLE_IPV4)
- "--debug=$(CILIUM_DEBUG)"
- "-t"
- "vxlan"
- "--kvstore"
- "etcd"
- "--kvstore-opt"
- "etcd.config=/var/lib/etcd-config/etcd.config"
- "--disable-ipv4=$(DISABLE_IPV4)"
ports:
- name: prometheus
containerPort: 9090
lifecycle:
postStart:
exec:
command:
- /cni-install.sh
- "/cni-install.sh"
preStop:
exec:
command:
- /cni-uninstall.sh
- "/cni-uninstall.sh"
env:
- name: K8S_NODE_NAME
- name: "K8S_NODE_NAME"
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: CILIUM_DEBUG
- name: "CILIUM_DEBUG"
valueFrom:
configMapKeyRef:
name: cilium-config
key: debug
- name: DISABLE_IPV4
- name: "DISABLE_IPV4"
valueFrom:
configMapKeyRef:
name: cilium-config
key: disable-ipv4
# Note: this variable is a no-op if not defined, and is used in the
# prometheus examples.
- name: CILIUM_PROMETHEUS_SERVE_ADDR
- name: "CILIUM_PROMETHEUS_SERVE_ADDR"
valueFrom:
configMapKeyRef:
name: cilium-metrics-config
Expand Down Expand Up @@ -196,7 +196,7 @@ spec:
securityContext:
capabilities:
add:
- NET_ADMIN
- "NET_ADMIN"
privileged: true
hostNetwork: true
volumes:
Expand Down Expand Up @@ -238,7 +238,7 @@ metadata:
name: cilium
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
addonmanager.kubernetes.io/mode: "EnsureExists"
rules:
- apiGroups:
- "networking.k8s.io"
Expand Down Expand Up @@ -297,4 +297,4 @@ rules:
- ciliumnetworkpolicies
- ciliumendpoints
verbs:
- "*"
- "*"
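Review bot: The comments above `ca-file`, `key-file` and `cert-file` in the cilium-config hunk still tell the operator to "uncomment the following line(s)", but those three keys are live on both sides of the change, so the text describes TLS and client authentication to etcd as opt-in when the manifest already turns them on. Someone auditing the addon from the comments alone could misjudge whether agent-to-etcd traffic is authenticated, or comment a line back out and lose certificate verification. Since the commit rewrites these lines anyway, I would replace the comments with ones that state the actual behaviour, for example `# TLS to etcd is on: ca-file must point at the etcd-ca entry from cilium-etcd-secrets` and `# Client-certificate auth is on: key-file and cert-file come from cilium-etcd-secrets`. The etcd-config block starts above the hunk, so whether the endpoints line itself uses https is not visible here and is worth checking together with this.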
2 changes: 1 addition & 1 deletion parts/k8s/kubernetesmastercustomdata.yml
Expand Up @@ -361,7 +361,7 @@ MASTER_ARTIFACTS_CONFIG_PLACEHOLDER
sed -i "s|<kubeClusterCidr>|{{WrapAsParameter "kubeClusterCidr"}}|g" /etc/kubernetes/addons/flannel-daemonset.yaml
{{end}}
{{if eq .OrchestratorProfile.KubernetesConfig.NetworkPolicy "cilium"}}
a=/etc/kubernetes/addons/cilium-daemonset.yaml
a=/etc/kubernetes/addons/cilium-daemonset.yaml
{{if IsMasterVirtualMachineScaleSets}}
sed -i "s|<ETCD_URL>|"https://$PRIVATE_IP:$ETCD_CLIENT_PORT"|g" $a
{{else}}
4 changes: 2 additions & 2 deletions test/e2e/kubernetes/kubernetes_test.go
Expand Up @@ -830,9 +830,9 @@ var _ = Describe("Azure Container Cluster using the Kubernetes Orchestrator", fu
})
})

Describe("with calico or azure network policy enabled", func() {
Describe("with NetworkPolicy enabled", func() {
It("should apply various network policies and enforce access to nginx pod", func() {
if eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") {
if eng.HasNetworkPolicy("calico") || eng.HasNetworkPolicy("azure") || eng.HasNetworkPolicy("cilium") {
nsClientOne, nsClientTwo, nsServer := "client-one", "client-two", "server"
By("Creating namespaces")
_, err := namespace.Create(nsClientOne)
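Review bot: The guard inside the `It` block still lists policy plugins by name, while the `Describe` title now reads "with NetworkPolicy enabled". A cluster built with any plugin not in the `||` chain would presumably bypass the enforcement assertions without failing. For a test whose purpose is to prove that deny rules are enforced, a silent bypass is the outcome to avoid. I would keep the supported names in one slice and loop over it, e.g. `for _, p := range []string{"calico", "azure", "cilium"} { enforced = enforced || eng.HasNetworkPolicy(p) }`. The other branch should then call `Skip` with a message naming the configured policy. The body of the `if` and any `else` continue past the end of the hunk, so how the non-matching case is handled today is not visible.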