## Identity the crd-ipkeeper DaemonSet pods run as. Everything it may do is
## granted by the ClusterRole/ClusterRoleBinding of the same name below, so
## this account is effectively cluster-wide even though it lives in kube-system.
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: kube-system
  name: crd-ipkeeper
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crd-ipkeeper
## Note: RBAC is evaluated on every request, so changing a rule here and
## re-applying takes effect immediately for the pods running as this
## ServiceAccount (the crd-ipkeeper pods); they do not need a restart.
##
## NOTE(review): every rule below is cluster-wide -- no namespace restriction
## and no resourceNames. The CRD comment later in this file says the
## controller also watches DaemonSets, but only deployments/replicasets are
## granted here; confirm against the controller's informers before widening.
rules:
  - apiGroups:
      - ""
    ## ConfigMaps are used to build a distributed resource lock.
    ## NOTE(review): this grants create/patch/update on *every* ConfigMap in
    ## the cluster, not only the lock object. resourceNames can scope
    ## get/update/patch (not create/list/watch) once the lock's name is
    ## fixed; a coordination.k8s.io Lease is the usual alternative.
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
  - apiGroups:
      - ""
    ## pods/delete is cluster-wide as well: any pod on any namespace.
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
      - delete
  - apiGroups:
      - apps
    resources:
      - deployments
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ipkeeper.generals.space
    ## Custom resources need an RBAC grant just like built-in types.
    resources:
      - staticips
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
---
## Binds the kube-system/crd-ipkeeper ServiceAccount to the ClusterRole above.
## Because this is a ClusterRoleBinding (not a RoleBinding), the grant applies
## in every namespace. roleRef is immutable: to point at a different role,
## delete and re-create the binding.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crd-ipkeeper
subjects:
  - kind: ServiceAccount
    namespace: kube-system
    name: crd-ipkeeper
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crd-ipkeeper
---
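## crd-ipkeeper watches Deployments/DaemonSets and so on and may then create
## and update StaticIP objects, so the CRD must exist before the controller
## starts, and the ClusterRole above must grant access to the staticips
## resource.
##
## apiextensions.k8s.io/v1beta1 (previously used here) was deprecated in
## Kubernetes 1.16 and removed in 1.22, so the old form no longer applies on
## current clusters. This is the v1 form (requires Kubernetes >= 1.16):
##   - versions are a list, each with served/storage flags;
##   - every version needs an openAPIV3Schema;
##   - printer columns move under the version and use `jsonPath`.
## The schema is deliberately permissive (x-kubernetes-preserve-unknown-fields)
## so nothing the controller writes is pruned -- the same behaviour as the
## schema-less v1beta1 CRD. Tighten it once the controller's field types are
## confirmed.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  ## metadata.name must be "<plural>.<group>"
  name: staticips.ipkeeper.generals.space
spec:
  group: ipkeeper.generals.space
  ## Namespaced or Cluster
  scope: Namespaced
  names:
    kind: StaticIP
    ## singular
    singular: staticip
    ## plural
    plural: staticips
    ## short name, for `kubectl get sip`
    shortNames:
      - sip
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          ## NOTE(review): preserve-unknown-fields at the root disables
          ## pruning entirely, so there is no server-side validation of
          ## StaticIP objects at all. Replace with real `properties` for
          ## spec.ownerKind / spec.namespace / spec.ratio / spec.ipPool once
          ## their types are known from the controller.
          x-kubernetes-preserve-unknown-fields: true
      ## Extra columns shown by `kubectl get sip`
      additionalPrinterColumns:
        - name: OwnerKind
          type: string
          description: 所属资源(Pod, Deployment, Daemonset等)
          jsonPath: .spec.ownerKind
        - name: Namespace
          type: string
          jsonPath: .spec.namespace
        - name: Used
          type: string
          description: 使用比例
          jsonPath: .spec.ratio
        - name: IPPool
          type: string
          description: IP池
          jsonPath: .spec.ipPool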
---
## One crd-ipkeeper pod per node. The pod runs with host network, host PID,
## a privileged container and the host's /var/run mounted in: compromise of
## this container (or of its image) is root on every node it runs on.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: crd-ipkeeper
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: crd-ipkeeper
  template:
    metadata:
      labels:
        app: crd-ipkeeper
        component: network
        type: infra
    spec:
      serviceAccountName: crd-ipkeeper
      ## Schedule onto every node, including ones with NoSchedule taints.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      ## Host namespaces: the controller works on node network namespaces
      ## and (with SYS_PTRACE below) on host processes.
      hostNetwork: true
      hostPID: true
      containers:
        - name: crd-ipkeeper
          ## NOTE(review): pinned to a tag from a third-party registry, not to
          ## a digest. Given the privileges below, a swapped image is root on
          ## every node; prefer `image@sha256:...` once the digest is known.
          image: registry.cn-hangzhou.aliyuncs.com/generals-kuber/crd-ipkeeper:0.0.84
          securityContext:
            ## privileged already grants every capability (and lifts
            ## seccomp/AppArmor/device confinement), so the `add` list below
            ## is a record of what is believed to be needed, not a limit.
            ## NOTE(review): try `privileged: false` with only these three
            ## capabilities; if the controller still works, drop privileged.
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
                - SYS_PTRACE
                - SYS_ADMIN
          ## Own pod name/namespace, via the downward API.
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NS
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            ## Host /var/run -- on most nodes this also holds the container
            ## runtime socket, which by itself is equivalent to node root.
            - name: socket
              mountPath: /var/run
            ## Host `ip netns` handles. This path is already inside the
            ## /var/run mount above; the separate mount is harmless.
            ## NOTE(review): no mountPropagation is set (default: None), so
            ## namespaces the host creates after the pod starts are not
            ## visible here unless HostToContainer is added -- confirm whether
            ## the controller needs that.
            - name: host-netns
              mountPath: /var/run/netns
      volumes:
        - name: socket
          hostPath:
            path: /var/run
        - name: host-netns
          hostPath:
            path: /var/run/netns