dsk-dev kubespray 이동

ansible/kubespray/extra_playbooks/roles/kubernetes-apps/metallb/OWNERS

@@ -0,0 +1,5 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+reviewers:
+  - oomichi

ansible/kubespray/extra_playbooks/roles/kubernetes-apps/metallb/defaults/main.yml

@@ -0,0 +1,23 @@
+---
+metallb_enabled: false
+metallb_log_level: info
+metallb_protocol: "layer2"
+metallb_port: "7472"
+metallb_memberlist_port: "7946"
+metallb_peers: []
+metallb_speaker_enabled: "{{ metallb_enabled }}"
+metallb_speaker_nodeselector:
+  kubernetes.io/os: "linux"
+metallb_controller_nodeselector:
+  kubernetes.io/os: "linux"
+metallb_speaker_tolerations:
+  - effect: NoSchedule
+    key: node-role.kubernetes.io/master
+    operator: Exists
+  - effect: NoSchedule
+    key: node-role.kubernetes.io/control-plane
+    operator: Exists
+metallb_controller_tolerations: []
+metallb_pool_name: "loadbalanced"
+metallb_auto_assign: true
+metallb_avoid_buggy_ips: false

ansible/kubespray/extra_playbooks/roles/kubernetes-apps/metallb/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+- name: Kubernetes Apps | Check cluster settings for MetalLB
+  fail:
+    msg: "MetalLB require kube_proxy_strict_arp = true, see https://github.com/danderson/metallb/issues/153#issuecomment-518651132"
+  when:
+    - "kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp"
+
+- name: Kubernetes Apps | Check cluster settings for MetalLB
+  fail:
+    msg: "metallb_ip_range is mandatory to be specified for MetalLB"
+  when:
+    - metallb_ip_range is not defined or not metallb_ip_range
+
+- name: Kubernetes Apps | Check BGP peers for MetalLB
+  fail:
+    msg: "metallb_peers is mandatory when metallb_protocol is bgp and metallb_speaker_enabled"
+  when:
+    - metallb_protocol == 'bgp' and metallb_speaker_enabled
+    - metallb_peers is not defined or not metallb_peers
+
+- name: Kubernetes Apps | Check that the deprecated 'matallb_auto_assign' variable is not used anymore
+  fail:
+    msg: "'matallb_auto_assign' configuration variable is deprecated, please use 'metallb_auto_assign' instead"
+  when:
+    - matallb_auto_assign is defined
+
+- name: Kubernetes Apps | Check AppArmor status
+  command: which apparmor_parser
+  register: apparmor_status
+  when:
+    - podsecuritypolicy_enabled
+    - inventory_hostname == groups['kube_control_plane'][0]
+  failed_when: false
+
+- name: Kubernetes Apps | Set apparmor_enabled
+  set_fact:
+    apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
+  when:
+    - podsecuritypolicy_enabled
+    - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: Kubernetes Apps | Lay Down MetalLB
+  become: true
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kube_config_dir }}/{{ item }}"
+    mode: 0644
+  with_items: ["metallb.yml", "metallb-config.yml"]
+  register: "rendering"
+  when:
+    - "inventory_hostname == groups['kube_control_plane'][0]"
+
+- name: Kubernetes Apps | Install and configure MetalLB
+  kube:
+    name: "MetalLB"
+    kubectl: "{{ bin_dir }}/kubectl"
+    filename: "{{ kube_config_dir }}/{{ item.item }}"
+    state: "{{ item.changed | ternary('latest','present') }}"
+  become: true
+  with_items: "{{ rendering.results }}"
+  when:
+    - "inventory_hostname == groups['kube_control_plane'][0]"

ansible/kubespray/extra_playbooks/roles/kubernetes-apps/metallb/templates/metallb-config.yml.j2

@@ -0,0 +1,54 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: metallb-system
+  name: config
+data:
+  config: |
+{% if metallb_peers | length > 0 %}
+    peers:
+{% for peer in metallb_peers %}
+    - peer-address: {{ peer.peer_address }}
+      peer-asn: {{ peer.peer_asn }}
+      my-asn: {{ peer.my_asn }}
+{% if peer.password is defined %}
+      password: "{{ peer.password }}"
+{% endif %}
+{% if peer.source_address is defined %}
+      source-address: {{ peer.source_address }}
+{% endif %}
+{% if peer.node_selectors is defined %}
+      node-selectors:
+        {{ peer.node_selectors | to_yaml(indent=2, width=1337) | indent(8) }}
+{% endif %}
+{% endfor %}
+{% endif %}
+    address-pools:
+    - name: {{ metallb_pool_name }}
+      protocol: {{ metallb_protocol }}
+      addresses:
+{% for ip_range in metallb_ip_range %}
+      - {{ ip_range }}
+{% endfor %}
+{% if metallb_auto_assign == false %}
+      auto-assign: false
+{% endif %}
+{% if metallb_avoid_buggy_ips == true %}
+      avoid-buggy-ips: true
+{% endif %}
+{% if metallb_additional_address_pools is defined %}{% for pool in metallb_additional_address_pools %}
+    - name: {{ pool }}
+      protocol: {{ metallb_additional_address_pools[pool].protocol }}
+      addresses:
+{% for ip_range in metallb_additional_address_pools[pool].ip_range %}
+      - {{ ip_range }}
+{% endfor %}
+{% if metallb_additional_address_pools[pool].auto_assign is defined %}
+      auto-assign: {{ metallb_additional_address_pools[pool].auto_assign }}
+{% endif %}
+{% if metallb_additional_address_pools[pool].avoid_buggy_ips is defined %}
+      avoid-buggy-ips: {{ metallb_additional_address_pools[pool].avoid_buggy_ips }}
+{% endif %}
+{% endfor %}
+{% endif %}

ansible/kubespray/extra_playbooks/roles/kubernetes-apps/metallb/templates/metallb.yml.j2

@@ -0,0 +1,425 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: metallb-system
+  labels:
+    app: metallb
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+---
+{% if metallb_speaker_enabled %}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+  namespace: metallb-system
+{% endif %}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:controller
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - services/status
+  verbs:
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - policy
+  resourceNames:
+  - controller
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+{% if metallb_speaker_enabled %}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:speaker
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - services
+  - endpoints
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups: ["discovery.k8s.io"]
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - policy
+  resourceNames:
+  - speaker
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+{% endif %}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: config-watcher
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  resourceNames:
+  - memberlist
+  verbs:
+  - list
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  resourceNames:
+  - controller
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: metallb-system
+---
+{% if metallb_speaker_enabled %}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:speaker
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:speaker
+subjects:
+- kind: ServiceAccount
+  name: speaker
+  namespace: metallb-system
+{% endif %}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: config-watcher
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: config-watcher
+subjects:
+- kind: ServiceAccount
+  name: controller
+- kind: ServiceAccount
+  name: speaker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-lister
+subjects:
+- kind: ServiceAccount
+  name: speaker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+---
+{% if metallb_speaker_enabled %}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: metallb
+    component: speaker
+  name: speaker
+  namespace: metallb-system
+spec:
+  selector:
+    matchLabels:
+      app: metallb
+      component: speaker
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '{{ metallb_port }}'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: metallb
+        component: speaker
+    spec:
+      containers:
+      - args:
+        - --port={{ metallb_port }}
+        - --config=config
+        - --log-level={{ metallb_log_level }}
+        env:
+        - name: METALLB_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: METALLB_HOST
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: METALLB_ML_BIND_ADDR
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        # needed when another software is also using memberlist / port 7946
+        # when changing this default you also need to update the container ports definition
+        # and the PodSecurityPolicy hostPorts definition
+        #- name: METALLB_ML_BIND_PORT
+        #  value: "{{ metallb_memberlist_port }}"
+        - name: METALLB_ML_LABELS
+          value: "app=metallb,component=speaker"
+        - name: METALLB_ML_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: memberlist
+              key: secretkey
+        image: {{ metallb_speaker_image_repo }}:{{ metallb_version }}
+        name: speaker
+        ports:
+        - containerPort: {{ metallb_port }}
+          name: monitoring
+        - containerPort: {{ metallb_memberlist_port }}
+          name: memberlist-tcp
+        - containerPort: {{ metallb_memberlist_port }}
+          name: memberlist-udp
+          protocol: UDP
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_RAW
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      hostNetwork: true
+{% if metallb_speaker_nodeselector %}
+      nodeSelector:
+        {{ metallb_speaker_nodeselector | to_nice_yaml | indent(width=8) }}
+{%- endif %}
+      serviceAccountName: speaker
+      terminationGracePeriodSeconds: 2
+{% if metallb_speaker_tolerations %}
+      tolerations:
+        {{ metallb_speaker_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
+{% endif %}
+{% endif %}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: metallb
+    component: controller
+  name: controller
+  namespace: metallb-system
+spec:
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: metallb
+      component: controller
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '{{ metallb_port }}'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: metallb
+        component: controller
+    spec:
+      priorityClassName: system-cluster-critical
+{% if metallb_controller_tolerations %}
+      tolerations:
+        {{ metallb_controller_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
+{% endif %}
+      containers:
+      - args:
+        - --port={{ metallb_port }}
+        - --config=config
+        - --log-level={{ metallb_log_level }}
+        env:
+        - name: METALLB_ML_SECRET_NAME
+          value: memberlist
+        - name: METALLB_DEPLOYMENT
+          value: controller
+        image: {{ metallb_controller_image_repo }}:{{ metallb_version }}
+        name: controller
+        ports:
+        - containerPort: {{ metallb_port }}
+          name: monitoring
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - all
+          readOnlyRootFilesystem: true
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
+{% if metallb_controller_nodeselector %}
+      nodeSelector:
+        {{ metallb_controller_nodeselector | to_nice_yaml | indent(width=8) }}
+{%- endif %}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        fsGroup: 65534
+      serviceAccountName: controller
+      terminationGracePeriodSeconds: 0