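# Kube-OVN control-plane manifests (Jinja2 template): service accounts and
# RBAC for the OVN/OVS components, the ovn-nb/ovn-sb/ovn-northd Services,
# the ovn-central Deployment and the ovs-ovn DaemonSet.
#
# Change vs. the previous revision: the /etc/localtime hostPath mounts in
# ovn-central and ovs-ovn are now mounted readOnly. Both containers run as
# root with other writable hostPath mounts; nothing in this file needs to
# write the host's timezone file, so the mount is narrowed (least privilege).
#
# Jinja block tags ({% ... %}) are kept at column 0 on purpose: with Ansible's
# trim_blocks setting an indented tag would leak its leading spaces into the
# rendered line that follows it.
---
# Service account used by ovn-central and ovs-ovn (see serviceAccountName below).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ovn-ovs
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.k8s.io/system-only: "true"
  name: system:ovn-ovs
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - patch
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
    verbs:
      - get
  - apiGroups:
      - apps
    resources:
      - controllerrevisions
    verbs:
      - get
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ovn-ovs
roleRef:
  name: system:ovn-ovs
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: ovn-ovs
    namespace: kube-system
---
# Service account bound to system:ovn below. Its ClusterRole is far broader
# than system:ovn-ovs (wildcard verbs on kubeovn.io CRDs and leases, node
# patch/update, pods/exec create), so this account should not be reused by
# other workloads and its token should be treated as cluster-admin-adjacent.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ovn
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.k8s.io/system-only: "true"
  name: system:ovn
rules:
  # Full control over every Kube-OVN CRD, including their status subresources.
  - apiGroups:
      - "kubeovn.io"
    resources:
      - vpcs
      - vpcs/status
      - vpc-nat-gateways
      - vpc-nat-gateways/status
      - subnets
      - subnets/status
      - ippools
      - ippools/status
      - ips
      - vips
      - vips/status
      - vlans
      - vlans/status
      - provider-networks
      - provider-networks/status
      - security-groups
      - security-groups/status
      - iptables-eips
      - iptables-fip-rules
      - iptables-dnat-rules
      - iptables-snat-rules
      - iptables-eips/status
      - iptables-fip-rules/status
      - iptables-dnat-rules/status
      - iptables-snat-rules/status
      - ovn-eips
      - ovn-fips
      - ovn-snat-rules
      - ovn-eips/status
      - ovn-fips/status
      - ovn-snat-rules/status
      - ovn-dnat-rules
      - ovn-dnat-rules/status
      - switch-lb-rules
      - switch-lb-rules/status
      - vpc-dnses
      - vpc-dnses/status
      - qos-policies
      - qos-policies/status
    verbs:
      - "*"
  - apiGroups:
      - ""
    resources:
      - pods
      - namespaces
    verbs:
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  # pods/exec create lets the holder run commands inside any pod in the
  # cluster; this is the most sensitive grant in the file.
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
  - apiGroups:
      - "k8s.cni.cncf.io"
    resources:
      - network-attachment-definitions
    verbs:
      - get
  # apiGroups x resources is a cross product: this also grants read access
  # to core configmaps cluster-wide, not only to networkpolicies.
  - apiGroups:
      - ""
      - networking.k8s.io
    resources:
      - networkpolicies
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - daemonsets
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
      - services/status
    verbs:
      - get
      - list
      - update
      - create
      - delete
      - watch
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - create
      - update
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - statefulsets
      - deployments
      - deployments/scale
    verbs:
      - get
      - list
      - create
      - delete
      - update
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
      - update
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - "*"
  - apiGroups:
      - "kubevirt.io"
    resources:
      - virtualmachines
      - virtualmachineinstances
    verbs:
      - get
      - list
  # tokenreviews/subjectaccessreviews are needed to authenticate and authorize
  # callers of an extension API server (paired with the RoleBinding below).
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ovn
roleRef:
  name: system:ovn
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: ovn
    namespace: kube-system
---
# Read access to the extension-apiserver-authentication ConfigMap in
# kube-system (client CA and request-header config).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ovn
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - kind: ServiceAccount
    name: ovn
    namespace: kube-system
---
# Services for the OVN databases and northd. Each one selects only the pod
# carrying the matching *-leader: "true" label, so clients always reach the
# current Raft leader.
kind: Service
apiVersion: v1
metadata:
  name: ovn-nb
  namespace: kube-system
spec:
  ports:
    - name: ovn-nb
      protocol: TCP
      port: 6641
      targetPort: 6641
  type: ClusterIP
{% if enable_dual_stack_networks %}
  ipFamilyPolicy: PreferDualStack
{% endif %}
  selector:
    app: ovn-central
    ovn-nb-leader: "true"
  sessionAffinity: None
---
kind: Service
apiVersion: v1
metadata:
  name: ovn-sb
  namespace: kube-system
spec:
  ports:
    - name: ovn-sb
      protocol: TCP
      port: 6642
      targetPort: 6642
  type: ClusterIP
{% if enable_dual_stack_networks %}
  ipFamilyPolicy: PreferDualStack
{% endif %}
  selector:
    app: ovn-central
    ovn-sb-leader: "true"
  sessionAffinity: None
---
kind: Service
apiVersion: v1
metadata:
  name: ovn-northd
  namespace: kube-system
spec:
  ports:
    - name: ovn-northd
      protocol: TCP
      port: 6643
      targetPort: 6643
  type: ClusterIP
{% if enable_dual_stack_networks %}
  ipFamilyPolicy: PreferDualStack
{% endif %}
  selector:
    app: ovn-central
    ovn-northd-leader: "true"
  sessionAffinity: None
---
# ovn-central: OVN northbound DB, southbound DB and northd. Runs on the host
# network on nodes labelled kube-ovn/role=master, one replica per node.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ovn-central
  namespace: kube-system
  annotations:
    kubernetes.io/description: |
      OVN components: northd, nb and sb.
spec:
  replicas: {{ kube_ovn_central_replics }}
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  selector:
    matchLabels:
      app: ovn-central
  template:
    metadata:
      labels:
        app: ovn-central
        component: network
        type: infra
    spec:
      tolerations:
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
        - key: CriticalAddonsOnly
          operator: Exists
      # Never co-locate two DB replicas on the same node (Raft quorum safety).
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: ovn-central
              topologyKey: kubernetes.io/hostname
      priorityClassName: system-cluster-critical
      serviceAccountName: ovn-ovs
      hostNetwork: true
      containers:
        - name: ovn-central
          image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}
          imagePullPolicy: {{ k8s_image_pull_policy }}
          command: ["/kube-ovn/start-db.sh"]
          securityContext:
            capabilities:
              add:
                - NET_BIND_SERVICE
                - SYS_NICE
          env:
            # Controls TLS on the DB listeners; the kube-ovn-tls secret mounted
            # at /var/run/tls is optional, so a missing secret will not block
            # pod start — verify ENABLE_SSL and the secret agree.
            - name: ENABLE_SSL
              value: "{{ kube_ovn_enable_ssl | lower }}"
            - name: NODE_IPS
              value: "{{ kube_ovn_central_ips }}"
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: ENABLE_BIND_LOCAL_IP
              value: "{{ kube_ovn_bind_local_ip_enabled }}"
            # Probe intervals are passed as strings (env values must be strings).
            - name: PROBE_INTERVAL
              value: "180000"
            - name: OVN_NORTHD_PROBE_INTERVAL
              value: "5000"
            - name: OVN_LEADER_PROBE_INTERVAL
              value: "5"
          resources:
            requests:
              cpu: {{ kube_ovn_db_cpu_request }}
              memory: {{ kube_ovn_db_memory_request }}
            limits:
              cpu: {{ kube_ovn_db_cpu_limit }}
              memory: {{ kube_ovn_db_memory_limit }}
          volumeMounts:
            - mountPath: /var/run/openvswitch
              name: host-run-ovs
            - mountPath: /var/run/ovn
              name: host-run-ovn
            - mountPath: /sys
              name: host-sys
              readOnly: true
            - mountPath: /etc/openvswitch
              name: host-config-openvswitch
            - mountPath: /etc/ovn
              name: host-config-ovn
            - mountPath: /var/log/openvswitch
              name: host-log-ovs
            - mountPath: /var/log/ovn
              name: host-log-ovn
            # Host timezone is only read; keep the host file out of reach.
            - mountPath: /etc/localtime
              name: localtime
              readOnly: true
            - mountPath: /var/run/tls
              name: kube-ovn-tls
          readinessProbe:
            exec:
              command:
                - bash
                - /kube-ovn/ovn-healthcheck.sh
            periodSeconds: 15
            timeoutSeconds: 45
          livenessProbe:
            exec:
              command:
                - bash
                - /kube-ovn/ovn-healthcheck.sh
            initialDelaySeconds: 30
            periodSeconds: 15
            failureThreshold: 5
            timeoutSeconds: 45
      nodeSelector:
        kubernetes.io/os: "linux"
        kube-ovn/role: "master"
      volumes:
        - name: host-run-ovs
          hostPath:
            path: /run/openvswitch
        - name: host-run-ovn
          hostPath:
            path: /run/ovn
        - name: host-sys
          hostPath:
            path: /sys
        - name: host-config-openvswitch
          hostPath:
            path: /etc/origin/openvswitch
        - name: host-config-ovn
          hostPath:
            path: /etc/origin/ovn
        - name: host-log-ovs
          hostPath:
            path: /var/log/openvswitch
        - name: host-log-ovn
          hostPath:
            path: /var/log/ovn
        - name: localtime
          hostPath:
            path: /etc/localtime
        - name: kube-ovn-tls
          secret:
            optional: true
            secretName: kube-ovn-tls
---
# ovs-ovn: per-node Open vSwitch daemon. privileged is false, but together
# with hostNetwork, hostPID, root, NET_ADMIN/SYS_MODULE and the writable
# hostPath mounts below this pod is effectively node-level; treat it as such
# in admission policies (Pod Security "privileged" level) and audit rules.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: ovs-ovn
  namespace: kube-system
  annotations:
    kubernetes.io/description: |
      This daemon set launches the openvswitch daemon.
spec:
  selector:
    matchLabels:
      app: ovs
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: ovs
        component: network
        type: infra
    spec:
      tolerations:
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
        - key: CriticalAddonsOnly
          operator: Exists
      priorityClassName: system-node-critical
      serviceAccountName: ovn-ovs
      hostNetwork: true
      hostPID: true
      containers:
        - name: openvswitch
          image: {% if kube_ovn_dpdk_enabled %}{{ kube_ovn_dpdk_container_image_repo }}:{{ kube_ovn_dpdk_container_image_tag }}{% else %}{{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}{% endif %}
          imagePullPolicy: {{ k8s_image_pull_policy }}
          command: [{% if kube_ovn_dpdk_enabled %}"/kube-ovn/start-ovs-dpdk.sh"{% else %}"/kube-ovn/start-ovs.sh"{% endif %}]
          securityContext:
            runAsUser: 0
            privileged: false
            # SYS_MODULE allows loading kernel modules (openvswitch/geneve).
            capabilities:
              add:
                - NET_ADMIN
                - NET_BIND_SERVICE
                - SYS_MODULE
                - SYS_NICE
          env:
            - name: ENABLE_SSL
              value: "{{ kube_ovn_enable_ssl | lower }}"
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
{% if not kube_ovn_dpdk_enabled %}
            - name: HW_OFFLOAD
              value: "{{ kube_ovn_hw_offload | string | lower }}"
            - name: TUNNEL_TYPE
              value: "{{ kube_ovn_tunnel_type }}"
{% endif %}
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: OVN_DB_IPS
              value: "{{ kube_ovn_central_ips }}"
          volumeMounts:
            # HostToContainer so network namespaces created on the host after
            # pod start become visible inside the container.
            - mountPath: /var/run/netns
              name: host-ns
              mountPropagation: HostToContainer
            - mountPath: /lib/modules
              name: host-modules
              readOnly: true
            - mountPath: /var/run/openvswitch
              name: host-run-ovs
            - mountPath: /var/run/ovn
              name: host-run-ovn
            - mountPath: /sys
              name: host-sys
              readOnly: true
            - mountPath: /etc/cni/net.d
              name: cni-conf
            - mountPath: /etc/openvswitch
              name: host-config-openvswitch
            - mountPath: /etc/ovn
              name: host-config-ovn
            - mountPath: /var/log/openvswitch
              name: host-log-ovs
            - mountPath: /var/log/ovn
              name: host-log-ovn
{% if kube_ovn_dpdk_enabled %}
            - mountPath: /opt/ovs-config
              name: host-config-ovs
            - mountPath: /dev/hugepages
              name: hugepage
{% endif %}
            # Host timezone is only read; keep the host file out of reach.
            - mountPath: /etc/localtime
              name: localtime
              readOnly: true
            - mountPath: /var/run/tls
              name: kube-ovn-tls
            # Container runtime socket directory, read-only.
            - mountPath: /var/run/containerd
              name: cruntime
              readOnly: true
          readinessProbe:
            exec:
              command:
                - bash
{% if kube_ovn_dpdk_enabled %}
                - /kube-ovn/ovs-dpdk-healthcheck.sh
{% else %}
                - /kube-ovn/ovs-healthcheck.sh
{% endif %}
            periodSeconds: 5
            timeoutSeconds: 45
          livenessProbe:
            exec:
              command:
                - bash
{% if kube_ovn_dpdk_enabled %}
                - /kube-ovn/ovs-dpdk-healthcheck.sh
{% else %}
                - /kube-ovn/ovs-healthcheck.sh
{% endif %}
            initialDelaySeconds: 60
            periodSeconds: 5
            failureThreshold: 5
            timeoutSeconds: 45
          resources:
{% if kube_ovn_dpdk_enabled %}
            requests:
              cpu: {{ kube_ovn_dpdk_node_cpu_request }}
              memory: {{ kube_ovn_dpdk_node_memory_request }}
            limits:
              cpu: {{ kube_ovn_dpdk_node_cpu_limit }}
              memory: {{ kube_ovn_dpdk_node_memory_limit }}
              hugepages-1Gi: 1Gi
{% else %}
            requests:
              cpu: {{ kube_ovn_node_cpu_request }}
              memory: {{ kube_ovn_node_memory_request }}
            limits:
              cpu: {{ kube_ovn_node_cpu_limit }}
              memory: {{ kube_ovn_node_memory_limit }}
{% endif %}
      nodeSelector:
        kubernetes.io/os: "linux"
      volumes:
        - name: host-modules
          hostPath:
            path: /lib/modules
        - name: host-run-ovs
          hostPath:
            path: /run/openvswitch
        - name: host-run-ovn
          hostPath:
            path: /run/ovn
        - name: host-sys
          hostPath:
            path: /sys
        - name: host-ns
          hostPath:
            path: /var/run/netns
        - name: cni-conf
          hostPath:
            path: /etc/cni/net.d
        - name: host-config-openvswitch
          hostPath:
            path: /etc/origin/openvswitch
        - name: host-config-ovn
          hostPath:
            path: /etc/origin/ovn
        - name: host-log-ovs
          hostPath:
            path: /var/log/openvswitch
        - name: host-log-ovn
          hostPath:
            path: /var/log/ovn
{% if kube_ovn_dpdk_enabled %}
        - name: host-config-ovs
          hostPath:
            path: /opt/ovs-config
            type: DirectoryOrCreate
        - name: hugepage
          emptyDir:
            medium: HugePages
{% endif %}
        - name: localtime
          hostPath:
            path: /etc/localtime
        - name: cruntime
          hostPath:
            path: /var/run/containerd
        - name: kube-ovn-tls
          secret:
            optional: true
            secretName: kube-ovn-tls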