C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

MetalLB: update to v0.10.2 (#7925)

Browse source 
Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
This commit is contained in:
Maciej Wereski 2021-09-01 12:00:59 +02:00 committed by GitHub
parent 0171c71de0
commit 48ceca4919
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 74 additions and 48 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
inventory/sample/group_vars/k8s_cluster/addons.yml
View file

@ -157,11 +157,10 @@ metallb_speaker_enabled: true
# operator: "Equal" # operator: "Equal"
# value: "" # value: ""
# effect: "NoSchedule" # effect: "NoSchedule"
# metallb_version: v0.9.6 # metallb_version: v0.10.2
# metallb_protocol: "layer2" # metallb_protocol: "layer2"
# metallb_port: "7472" # metallb_port: "7472"
# metallb_limits_cpu: "100m" # metallb_memberlist_port: "7946"
# metallb_limits_mem: "100Mi"
# metallb_additional_address_pools: # metallb_additional_address_pools:
# kube_service_pool: # kube_service_pool:
# ip_range: # ip_range:

7
roles/kubernetes-apps/metallb/defaults/main.yml
View file

@ -1,10 +1,9 @@
--- ---
metallb_enabled: false metallb_enabled: false
metallb_version: v0.9.6 metallb_version: v0.10.2
metallb_protocol: "layer2" metallb_protocol: "layer2"
metallb_port: "7472" metallb_port: "7472"
metallb_limits_cpu: "100m" metallb_memberlist_port: "7946"
metallb_limits_mem: "100Mi"
metallb_peers: [] metallb_peers: []
metallb_speaker_enabled: true metallb_speaker_enabled: true
metallb_speaker_nodeselector: {} metallb_speaker_nodeselector: {}
@ -12,6 +11,8 @@ metallb_controller_nodeselector: {}
metallb_speaker_tolerations: metallb_speaker_tolerations:
- effect: NoSchedule - effect: NoSchedule
key: node-role.kubernetes.io/master key: node-role.kubernetes.io/master
operator: Exists
- effect: NoSchedule - effect: NoSchedule
key: node-role.kubernetes.io/control-plane key: node-role.kubernetes.io/control-plane
operator: Exists
metallb_controller_tolerations: [] metallb_controller_tolerations: []

22
roles/kubernetes-apps/metallb/tasks/main.yml
View file

@ -50,25 +50,3 @@
with_items: "{{ rendering.results }}" with_items: "{{ rendering.results }}"
when: when:
- "inventory_hostname == groups['kube_control_plane'][0]" - "inventory_hostname == groups['kube_control_plane'][0]"
- name: Kubernetes Apps | Check existing secret of MetalLB
command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system get secret memberlist"
register: metallb_secret
become: true
ignore_errors: true # noqa ignore-errors
when:
- inventory_hostname == groups['kube_control_plane'][0]
- name: Kubernetes Apps | Create random bytes for MetalLB
command: "openssl rand -base64 32"
register: metallb_rand
when:
- inventory_hostname == groups['kube_control_plane'][0]
- metallb_secret.rc != 0
- name: Kubernetes Apps | Install secret of MetalLB if not existing
command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system create secret generic memberlist --from-literal=secretkey={{ metallb_rand.stdout }}"
become: true
when:
- inventory_hostname == groups['kube_control_plane'][0]
- metallb_secret.rc != 0

88
roles/kubernetes-apps/metallb/templates/metallb.yml.j2
View file

@ -58,9 +58,7 @@ metadata:
spec: spec:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
allowedCapabilities: allowedCapabilities:
- NET_ADMIN
- NET_RAW - NET_RAW
- SYS_ADMIN
allowedHostPaths: [] allowedHostPaths: []
defaultAddCapabilities: [] defaultAddCapabilities: []
defaultAllowPrivilegeEscalation: false defaultAllowPrivilegeEscalation: false
@ -72,6 +70,8 @@ spec:
hostPorts: hostPorts:
- max: {{ metallb_port }} - max: {{ metallb_port }}
min: {{ metallb_port }} min: {{ metallb_port }}
- max: {{ metallb_memberlist_port }}
min: {{ metallb_memberlist_port }}
privileged: true privileged: true
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
requiredDropCapabilities: requiredDropCapabilities:
@ -121,7 +121,6 @@ rules:
- get - get
- list - list
- watch - watch
- update
- apiGroups: - apiGroups:
- '' - ''
resources: resources:
@ -162,6 +161,13 @@ rules:
- get - get
- list - list
- watch - watch
- apiGroups: ["discovery.k8s.io"]
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- '' - ''
resources: resources:
@ -212,6 +218,37 @@ rules:
- list - list
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: metallb
name: controller
namespace: metallb-system
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- create
- apiGroups:
- ''
resources:
- secrets
resourceNames:
- memberlist
verbs:
- list
- apiGroups:
- apps
resources:
- deployments
resourceNames:
- controller
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
labels: labels:
@ -275,6 +312,21 @@ subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: speaker name: speaker
--- ---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: metallb
name: controller
namespace: metallb-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: controller
subjects:
- kind: ServiceAccount
name: controller
---
{% if metallb_speaker_enabled %} {% if metallb_speaker_enabled %}
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
@ -316,36 +368,32 @@ spec:
fieldRef: fieldRef:
fieldPath: status.podIP fieldPath: status.podIP
# needed when another software is also using memberlist / port 7946 # needed when another software is also using memberlist / port 7946
# when changing this default you also need to update the container ports definition
# and the PodSecurityPolicy hostPorts definition
#- name: METALLB_ML_BIND_PORT #- name: METALLB_ML_BIND_PORT
# value: "7946" # value: "{{ metallb_memberlist_port }}"
- name: METALLB_ML_LABELS - name: METALLB_ML_LABELS
value: "app=metallb,component=speaker" value: "app=metallb,component=speaker"
- name: METALLB_ML_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: METALLB_ML_SECRET_KEY - name: METALLB_ML_SECRET_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: memberlist name: memberlist
key: secretkey key: secretkey
image: {{ metallb_speaker_image_repo }}:{{ metallb_version }} image: {{ metallb_speaker_image_repo }}:{{ metallb_version }}
imagePullPolicy: {{ k8s_image_pull_policy }}
name: speaker name: speaker
ports: ports:
- containerPort: {{ metallb_port }} - containerPort: {{ metallb_port }}
name: monitoring name: monitoring
resources: - containerPort: {{ metallb_memberlist_port }}
limits: name: memberlist-tcp
cpu: {{ metallb_limits_cpu }} - containerPort: {{ metallb_memberlist_port }}
memory: {{ metallb_limits_mem }} name: memberlist-udp
protocol: UDP
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
add: add:
- NET_ADMIN
- NET_RAW - NET_RAW
- SYS_ADMIN
drop: drop:
- ALL - ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
@ -399,16 +447,16 @@ spec:
- args: - args:
- --port={{ metallb_port }} - --port={{ metallb_port }}
- --config=config - --config=config
env:
- name: METALLB_ML_SECRET_NAME
value: memberlist
- name: METALLB_DEPLOYMENT
value: controller
image: {{ metallb_controller_image_repo }}:{{ metallb_version }} image: {{ metallb_controller_image_repo }}:{{ metallb_version }}
imagePullPolicy: {{ k8s_image_pull_policy }}
name: controller name: controller
ports: ports:
- containerPort: {{ metallb_port }} - containerPort: {{ metallb_port }}
name: monitoring name: monitoring
resources:
limits:
cpu: {{ metallb_limits_cpu }}
memory: {{ metallb_limits_mem }}
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities: