kubespray/roles/network_plugin/calico/templates/calico-apiserver.yml.j2

321 lines
6.0 KiB
Django/Jinja

# Policy to ensure the API server isn't cut off. Can be modified, but ensure
# that the main API server is always able to reach the Calico API server.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-apiserver
namespace: calico-apiserver
spec:
podSelector:
matchLabels:
apiserver: "true"
ingress:
- ports:
- protocol: TCP
port: 5443
---
apiVersion: v1
kind: Service
metadata:
name: calico-api
namespace: calico-apiserver
spec:
ports:
- name: apiserver
port: 443
protocol: TCP
targetPort: 5443
selector:
apiserver: "true"
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
apiserver: "true"
k8s-app: calico-apiserver
name: calico-apiserver
namespace: calico-apiserver
spec:
replicas: 1
selector:
matchLabels:
apiserver: "true"
strategy:
type: Recreate
template:
metadata:
labels:
apiserver: "true"
k8s-app: calico-apiserver
name: calico-apiserver
namespace: calico-apiserver
spec:
containers:
- args:
- --secure-port=5443
- -v=5
env:
- name: DATASTORE_TYPE
value: kubernetes
image: {{ calico_apiserver_image_repo }}:{{ calico_apiserver_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
livenessProbe:
httpGet:
path: /version
port: 5443
scheme: HTTPS
initialDelaySeconds: 90
periodSeconds: 10
name: calico-apiserver
readinessProbe:
exec:
command:
- /code/filecheck
failureThreshold: 5
initialDelaySeconds: 5
periodSeconds: 10
securityContext:
privileged: false
runAsUser: 0
volumeMounts:
- mountPath: /code/apiserver.local.config/certificates
name: calico-apiserver-certs
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
restartPolicy: Always
serviceAccount: calico-apiserver
serviceAccountName: calico-apiserver
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- name: calico-apiserver-certs
secret:
secretName: calico-apiserver-certs
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-apiserver
namespace: calico-apiserver
---
# Cluster-scoped resources below here.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v3.projectcalico.org
spec:
group: projectcalico.org
groupPriorityMinimum: 1500
caBundle: {{ calico_apiserver_cabundle }}
service:
name: calico-api
namespace: calico-apiserver
port: 443
version: v3
versionPriority: 200
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: calico-crds
rules:
- apiGroups:
- extensions
- networking.k8s.io
- ""
resources:
- networkpolicies
- nodes
- namespaces
- pods
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- crd.projectcalico.org
resources:
- globalnetworkpolicies
- networkpolicies
- clusterinformations
- hostendpoints
- globalnetworksets
- networksets
- bgpconfigurations
- bgppeers
- felixconfigurations
- kubecontrollersconfigurations
- ippools
- ipreservations
- ipamblocks
- blockaffinities
- caliconodestatuses
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- policy
resourceNames:
- calico-apiserver
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: calico-extension-apiserver-auth-access
rules:
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- list
- watch
- get
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
- clusterrolebindings
- roles
- rolebindings
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: calico-webhook-reader
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-apiserver-access-crds
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-crds
subjects:
- kind: ServiceAccount
name: calico-apiserver
namespace: calico-apiserver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-apiserver-delegate-auth
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: calico-apiserver
namespace: calico-apiserver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-apiserver-webhook-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-webhook-reader
subjects:
- kind: ServiceAccount
name: calico-apiserver
namespace: calico-apiserver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-extension-apiserver-auth-access
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-extension-apiserver-auth-access
subjects:
- kind: ServiceAccount
name: calico-apiserver
namespace: calico-apiserver
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
name: calico-apiserver
spec:
allowPrivilegeEscalation: false
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
hostPorts:
- max: 65535
min: 0
requiredDropCapabilities:
- ALL
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- secret