apiVersion: v1 kind: ConfigMap metadata: name: kube-router-cfg namespace: kube-system labels: tier: node k8s-app: kube-router data: cni-conf.json: | { "name":"kubernetes", "type":"bridge", "bridge":"kube-bridge", "isDefaultGateway":true, "ipam": { "type":"host-local" } } kubeconfig: | apiVersion: v1 kind: Config clusterCIDR: "{{ CLUSTER_CIDR }}" clusters: - name: cluster cluster: certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt server: {{ KUBE_APISERVER }} users: - name: kube-router user: tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token contexts: - context: cluster: cluster user: kube-router name: kube-router-context current-context: kube-router-context --- apiVersion: extensions/v1beta1 kind: DaemonSet metadata: labels: k8s-app: kube-router tier: node name: kube-router namespace: kube-system spec: template: metadata: labels: k8s-app: kube-router tier: node annotations: scheduler.alpha.kubernetes.io/critical-pod: '' spec: serviceAccountName: kube-router containers: - name: kube-router image: cloudnativelabs/kube-router:{{ kube_router_ver }} imagePullPolicy: {{ PullPolicy }} args: - "--run-router=true" - "--run-firewall={{ FIREWALL_ENABLE }}" - "--run-service-proxy=true" - "--kubeconfig=/var/lib/kube-router/kubeconfig" env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName {% if NODE_WITH_MULTIPLE_NETWORKS == 'true' %} # if hosts have multiple net interfaces, set following two ENVs - name: KUBERNETES_SERVICE_HOST value: "{{ MASTER_IP }}" #value: "{{ KUBE_APISERVER.split(':')[1].lstrip('/') }}" - name: KUBERNETES_SERVICE_PORT value: "{{ KUBE_APISERVER.split(':')[2] }}" {% endif %} livenessProbe: httpGet: path: /healthz port: 20244 initialDelaySeconds: 10 periodSeconds: 3 resources: requests: cpu: 250m memory: 250Mi securityContext: privileged: true volumeMounts: - name: lib-modules mountPath: /lib/modules readOnly: true - name: cni-conf-dir mountPath: /etc/cni/net.d - name: kubeconfig mountPath: /var/lib/kube-router readOnly: true initContainers: - name: install-cni image: busybox:{{ busybox_ver }} imagePullPolicy: {{ PullPolicy }} command: - /bin/sh - -c - set -e -x; if [ ! -f /etc/cni/net.d/10-kuberouter.conf ]; then TMP=/etc/cni/net.d/.tmp-kuberouter-cfg; cp /etc/kube-router/cni-conf.json ${TMP}; mv ${TMP} /etc/cni/net.d/10-kuberouter.conf; fi; if [ ! -f /var/lib/kube-router/kubeconfig ]; then TMP=/var/lib/kube-router/.tmp-kubeconfig; cp /etc/kube-router/kubeconfig ${TMP}; mv ${TMP} /var/lib/kube-router/kubeconfig; fi volumeMounts: - mountPath: /etc/cni/net.d name: cni-conf-dir - mountPath: /etc/kube-router name: kube-router-cfg - name: kubeconfig mountPath: /var/lib/kube-router hostNetwork: true tolerations: - key: CriticalAddonsOnly operator: Exists - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists volumes: - name: lib-modules hostPath: path: /lib/modules - name: cni-conf-dir hostPath: path: /etc/cni/net.d - name: kube-router-cfg configMap: name: kube-router-cfg - name: kubeconfig hostPath: path: /var/lib/kube-router --- apiVersion: v1 kind: ServiceAccount metadata: name: kube-router namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: kube-router namespace: kube-system rules: - apiGroups: - "" resources: - namespaces - pods - services - nodes - endpoints verbs: - list - get - watch - apiGroups: - "networking.k8s.io" resources: - networkpolicies verbs: - list - get - watch - apiGroups: - extensions resources: - networkpolicies verbs: - get - list - watch --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: kube-router roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kube-router subjects: - kind: ServiceAccount name: kube-router namespace: kube-system