From 536c0c4ddcaf32a82ede5de7e52950a9213dbbc9 Mon Sep 17 00:00:00 2001
From: Udo Waechter
Date: Thu, 12 Jan 2023 20:53:23 +0100
Subject: [PATCH] flannel 0.20 upgrade
---
_sys/kube-flannel.yml | 92 +++++++++++++++++--------------------------
1 file changed, 37 insertions(+), 55 deletions(-)
diff --git a/_sys/kube-flannel.yml b/_sys/kube-flannel.yml
index 5a7a53c..f7a061e 100644
--- a/_sys/kube-flannel.yml
+++ b/_sys/kube-flannel.yml 
@@ -1,60 +1,16 @@ --- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy +kind: Namespace +apiVersion: v1 metadata: - name: psp.flannel.unprivileged - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default - seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default - apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default -spec: - privileged: false - volumes: - - configMap - - secret - - emptyDir - - hostPath - allowedHostPaths: - - pathPrefix: "/etc/cni/net.d" - - pathPrefix: "/etc/kube-flannel" - - pathPrefix: "/run/flannel" - readOnlyRootFilesystem: false - # Users and groups - runAsUser: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - fsGroup: - rule: RunAsAny - # Privilege Escalation - allowPrivilegeEscalation: false - defaultAllowPrivilegeEscalation: false - # Capabilities - allowedCapabilities: ['NET_ADMIN', 'NET_RAW'] - defaultAddCapabilities: [] - requiredDropCapabilities: [] - # Host namespaces - hostPID: false - hostIPC: false - hostNetwork: true - hostPorts: - - min: 0 - max: 65535 - # SELinux - seLinux: - # SELinux is unused in CaaSP - rule: 'RunAsAny' + name: kube-flannel + labels: + pod-security.kubernetes.io/enforce: privileged --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: flannel rules: -- apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['psp.flannel.unprivileged'] - apiGroups: - "" resources: 
@@ -66,6 +22,7 @@ rules: resources: - nodes verbs: + - get - list - watch - apiGroups: 
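Review bot: The `pod-security.kubernetes.io/enforce: privileged` label on the new Namespace stands in for the PodSecurityPolicy this hunk removes, but it admits any pod placed in kube-flannel at the privileged profile, whereas the removed PSP pinned the workload to hostNetwork, the NET_ADMIN/NET_RAW capabilities and three allowed hostPath prefixes; that intent now survives only in the deleted lines. A comment above the label would keep it on record, e.g. `# Pod Security Admission: flannel needs hostNetwork, NET_ADMIN/NET_RAW and hostPath volumes, so this namespace runs the privileged profile; keep it reserved for the flannel DaemonSet.` Dropping the `podsecuritypolicies` `use` rule from the ClusterRole in the same hunk is consistent with the removal, so nothing else references the old policy.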
@@ -86,19 +43,19 @@ roleRef: subjects: - kind: ServiceAccount name: flannel - namespace: kube-system + namespace: kube-flannel --- apiVersion: v1 kind: ServiceAccount metadata: name: flannel - namespace: kube-system + namespace: kube-flannel --- kind: ConfigMap apiVersion: v1 metadata: name: kube-flannel-cfg - namespace: kube-system + namespace: kube-flannel labels: tier: node app: flannel 
@@ -135,7 +92,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: kube-flannel-ds - namespace: kube-system + namespace: kube-flannel labels: tier: node app: flannel 
@@ -165,8 +122,21 @@ spec: effect: NoSchedule serviceAccountName: flannel initContainers: + - name: install-cni-plugin + #image: flannelcni/flannel-cni-plugin:v1.1.0 for ppc64le and mips64le (dockerhub limitations may apply) + image: docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0 + command: + - cp + args: + - -f + - /flannel + - /opt/cni/bin/flannel + volumeMounts: + - name: cni-plugin + mountPath: /opt/cni/bin - name: install-cni - image: quay.io/coreos/flannel:v0.14.0 + #image: flannelcni/flannel:v0.20.2 for ppc64le and mips64le (dockerhub limitations may apply) + image: docker.io/rancher/mirrored-flannelcni-flannel:v0.20.2 command: - cp args: 
@@ -180,7 +150,8 @@ spec: mountPath: /etc/kube-flannel/ containers: - name: kube-flannel - image: quay.io/coreos/flannel:v0.14.0 + #image: flannelcni/flannel:v0.20.2 for ppc64le and mips64le (dockerhub limitations may apply) + image: docker.io/rancher/mirrored-flannelcni-flannel:v0.20.2 command: - /opt/bin/flanneld args: 
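Review bot: The three new `image:` lines in the `@@ -165,8 +122,21 @@` and `@@ -180,7 +150,8 @@` hunks pin the images by mutable tag only, and the source has moved from quay.io/coreos to a third-party mirror on docker.io, so a tag re-push would change what the DaemonSet runs without any change to this file; pinning by digest keeps the pull reproducible, e.g. `image: docker.io/rancher/mirrored-flannelcni-flannel:v0.20.2@sha256:<DIGEST_PLACEHOLDER>` with the digest read from the registry at upgrade time. The alternative-image comments are written as `#image:` and should read `# image:` to satisfy yamllint's comments rule. The new install-cni-plugin init container copies a binary into the host's /opt/cni/bin through a writable hostPath mount; whether it carries a securityContext cannot be seen here, because the DaemonSet pod template continues outside the hunk.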
@@ -206,18 +177,29 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: EVENT_QUEUE_DEPTH + value: "5000" volumeMounts: - name: run mountPath: /run/flannel - name: flannel-cfg mountPath: /etc/kube-flannel/ + - name: xtables-lock + mountPath: /run/xtables.lock volumes: - name: run hostPath: path: /run/flannel + - name: cni-plugin + hostPath: + path: /opt/cni/bin - name: cni hostPath: path: /etc/cni/net.d - name: flannel-cfg configMap: name: kube-flannel-cfg + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate
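Review bot: The added `cni-plugin` hostPath volume carries no `type`, while the `xtables-lock` volume added in the same hunk specifies `type: FileOrCreate`; with the type left empty the kubelet performs no check on `/opt/cni/bin` before bind-mounting it into the pod. Adding `type: DirectoryOrCreate` under `path: /opt/cni/bin` states the expectation explicitly and matches the sibling volume. Neither `/opt/cni/bin` nor `/run/xtables.lock` was in the `allowedHostPaths` list of the PodSecurityPolicy removed earlier in this patch, so the namespace-level privileged label is now the only admission control over these mounts. The DaemonSet spec that owns these volumes starts outside the hunk.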