update
This commit is contained in:
havelight-ee
@@ -0,0 +1,9 @@
|
||||
---
|
||||
local_path_provisioner_enabled: false
|
||||
local_path_provisioner_namespace: "local-path-storage"
|
||||
local_path_provisioner_storage_class: "local-path"
|
||||
local_path_provisioner_reclaim_policy: Delete
|
||||
local_path_provisioner_claim_root: /opt/local-path-provisioner/
|
||||
local_path_provisioner_is_default_storageclass: "true"
|
||||
local_path_provisioner_debug: false
|
||||
local_path_provisioner_helper_image_tag: "latest"
|
||||
@@ -0,0 +1,58 @@
|
||||
---
|
||||
- name: Local Path Provisioner | Create addon dir
|
||||
file:
|
||||
path: "{{ kube_config_dir }}/addons/local_path_provisioner"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
when:
|
||||
- inventory_hostname == groups['kube_control_plane'][0]
|
||||
|
||||
- name: Local Path Provisioner | Create claim root dir
|
||||
file:
|
||||
path: "{{ local_path_provisioner_claim_root }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
|
||||
- name: Local Path Provisioner | Render Template
|
||||
set_fact:
|
||||
local_path_provisioner_templates:
|
||||
- { name: local-path-storage-ns, file: local-path-storage-ns.yml, type: ns }
|
||||
- { name: local-path-storage-sa, file: local-path-storage-sa.yml, type: sa }
|
||||
- { name: local-path-storage-cr, file: local-path-storage-cr.yml, type: cr }
|
||||
- { name: local-path-storage-clusterrolebinding, file: local-path-storage-clusterrolebinding.yml, type: clusterrolebinding }
|
||||
- { name: local-path-storage-cm, file: local-path-storage-cm.yml, type: cm }
|
||||
- { name: local-path-storage-deployment, file: local-path-storage-deployment.yml, type: deployment }
|
||||
- { name: local-path-storage-sc, file: local-path-storage-sc.yml, type: sc }
|
||||
local_path_provisioner_templates_for_psp_not_system_ns:
|
||||
- { name: local-path-storage-psp, file: local-path-storage-psp.yml, type: psp }
|
||||
- { name: local-path-storage-psp-role, file: local-path-storage-psp-cr.yml, type: clusterrole }
|
||||
- { name: local-path-storage-psp-rb, file: local-path-storage-psp-rb.yml, type: rolebinding }
|
||||
|
||||
- name: Local Path Provisioner | Insert extra templates to Local Path Provisioner templates list for PodSecurityPolicy
|
||||
set_fact:
|
||||
local_path_provisioner_templates: "{{ local_path_provisioner_templates[:3] + local_path_provisioner_templates_for_psp_not_system_ns + local_path_provisioner_templates[3:] }}"
|
||||
when:
|
||||
- podsecuritypolicy_enabled
|
||||
- local_path_provisioner_namespace != "kube-system"
|
||||
|
||||
- name: Local Path Provisioner | Create manifests
|
||||
template:
|
||||
src: "{{ item.file }}.j2"
|
||||
dest: "{{ kube_config_dir }}/addons/local_path_provisioner/{{ item.file }}"
|
||||
mode: 0644
|
||||
with_items: "{{ local_path_provisioner_templates }}"
|
||||
register: local_path_provisioner_manifests
|
||||
when: inventory_hostname == groups['kube_control_plane'][0]
|
||||
|
||||
- name: Local Path Provisioner | Apply manifests
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ local_path_provisioner_namespace }}"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/addons/local_path_provisioner/{{ item.item.file }}"
|
||||
state: "latest"
|
||||
with_items: "{{ local_path_provisioner_manifests.results }}"
|
||||
when: inventory_hostname == groups['kube_control_plane'][0]
|
||||
@@ -0,0 +1,13 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: local-path-provisioner-bind
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: local-path-provisioner-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: local-path-provisioner-service-account
|
||||
namespace: {{ local_path_provisioner_namespace }}
|
||||
@@ -0,0 +1,59 @@
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: local-path-config
|
||||
namespace: {{ local_path_provisioner_namespace }}
|
||||
data:
|
||||
config.json: |-
|
||||
{
|
||||
"nodePathMap":[
|
||||
{
|
||||
"node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
|
||||
"paths":["{{ local_path_provisioner_claim_root }}"]
|
||||
}
|
||||
]
|
||||
}
|
||||
setup: |-
|
||||
#!/bin/sh
|
||||
while getopts "m:s:p:" opt
|
||||
do
|
||||
case $opt in
|
||||
p)
|
||||
absolutePath=$OPTARG
|
||||
;;
|
||||
s)
|
||||
sizeInBytes=$OPTARG
|
||||
;;
|
||||
m)
|
||||
volMode=$OPTARG
|
||||
;;
|
||||
esac
|
||||
done
|
||||
mkdir -m 0777 -p ${absolutePath}
|
||||
teardown: |-
|
||||
#!/bin/sh
|
||||
while getopts "m:s:p:" opt
|
||||
do
|
||||
case $opt in
|
||||
p)
|
||||
absolutePath=$OPTARG
|
||||
;;
|
||||
s)
|
||||
sizeInBytes=$OPTARG
|
||||
;;
|
||||
m)
|
||||
volMode=$OPTARG
|
||||
;;
|
||||
esac
|
||||
done
|
||||
rm -rf ${absolutePath}
|
||||
helperPod.yaml: |-
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: helper-pod
|
||||
spec:
|
||||
containers:
|
||||
- name: helper-pod
|
||||
image: {% if local_path_provisioner_helper_image_repo is defined %}{{ local_path_provisioner_helper_image_repo }}:{{ local_path_provisioner_helper_image_tag }}{% else %}busybox{% endif %}
|
||||
@@ -0,0 +1,18 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: local-path-provisioner-role
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["nodes", "persistentvolumeclaims", "configmaps"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["endpoints", "persistentvolumes", "pods"]
|
||||
verbs: ["*"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["storageclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
@@ -0,0 +1,41 @@
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: local-path-provisioner
|
||||
namespace: {{ local_path_provisioner_namespace }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: local-path-provisioner
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: local-path-provisioner
|
||||
spec:
|
||||
serviceAccountName: local-path-provisioner-service-account
|
||||
containers:
|
||||
- name: local-path-provisioner
|
||||
image: {{ local_path_provisioner_image_repo }}:{{ local_path_provisioner_image_tag }}
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
command:
|
||||
- local-path-provisioner
|
||||
- start
|
||||
- --config
|
||||
- /etc/config/config.json
|
||||
{% if local_path_provisioner_debug|default(false) %}
|
||||
- --debug
|
||||
{% endif %}
|
||||
volumeMounts:
|
||||
- name: config-volume
|
||||
mountPath: /etc/config/
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
volumes:
|
||||
- name: config-volume
|
||||
configMap:
|
||||
name: local-path-config
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: {{ local_path_provisioner_namespace }}
|
||||
@@ -0,0 +1,15 @@
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: psp:local-path-provisioner
|
||||
namespace: {{ local_path_provisioner_namespace }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- policy
|
||||
resourceNames:
|
||||
- local-path-provisioner
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
verbs:
|
||||
- use
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: psp:local-path-provisioner
|
||||
namespace: {{ local_path_provisioner_namespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: local-path-provisioner-service-account
|
||||
namespace: {{ local_path_provisioner_namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: psp:local-path-provisioner
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
@@ -0,0 +1,43 @@
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: local-path-provisioner
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
{% if apparmor_enabled %}
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
{% endif %}
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
spec:
|
||||
privileged: true
|
||||
allowPrivilegeEscalation: true
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
- 'hostPath'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: "{{ local_path_provisioner_claim_root }}"
|
||||
readOnly: false
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'RunAsAny'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'RunAsAny'
|
||||
readOnlyRootFilesystem: false
|
||||
@@ -0,0 +1,6 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: local-path-provisioner-service-account
|
||||
namespace: {{ local_path_provisioner_namespace }}
|
||||
@@ -0,0 +1,10 @@
|
||||
---
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
name: {{ local_path_provisioner_storage_class }}
|
||||
annotations:
|
||||
storageclass.kubernetes.io/is-default-class: "{{ local_path_provisioner_is_default_storageclass }}"
|
||||
provisioner: rancher.io/local-path
|
||||
volumeBindingMode: WaitForFirstConsumer
|
||||
reclaimPolicy: {{ local_path_provisioner_reclaim_policy }}
|
||||
Reference in New Issue
Block a user