Remove registry-proxy (#8327)

This commit is contained in:
zhengtianbao 2021-12-22 01:55:35 -06:00 committed by GitHub
parent 02a89543d6
commit c3c128352f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 1 additions and 142 deletions

View file

@ -704,8 +704,6 @@ dnsautoscaler_image_tag: "{{ dnsautoscaler_version }}"
registry_image_repo: "{{ docker_image_repo }}/library/registry"
registry_image_tag: "2.7.1"
registry_proxy_image_repo: "{{ kube_image_repo }}/kube-registry-proxy"
registry_proxy_image_tag: "0.4"
metrics_server_version: "v0.5.0"
metrics_server_image_repo: "{{ kube_image_repo }}/metrics-server/metrics-server"
metrics_server_image_tag: "{{ metrics_server_version }}"
@ -1232,15 +1230,6 @@ downloads:
groups:
- kube_node
registry_proxy:
enabled: "{{ registry_enabled }}"
container: true
repo: "{{ registry_proxy_image_repo }}"
tag: "{{ registry_proxy_image_tag }}"
sha256: "{{ registry_proxy_digest_checksum|default(None) }}"
groups:
- kube_node
metrics_server:
enabled: "{{ metrics_server_enabled }}"
container: true

View file

@ -38,23 +38,18 @@
registry_templates:
- { name: registry-ns, file: registry-ns.yml, type: ns }
- { name: registry-sa, file: registry-sa.yml, type: sa }
- { name: registry-proxy-sa, file: registry-proxy-sa.yml, type: sa }
- { name: registry-svc, file: registry-svc.yml, type: svc }
- { name: registry-secrets, file: registry-secrets.yml, type: secrets }
- { name: registry-cm, file: registry-cm.yml, type: cm }
- { name: registry-rs, file: registry-rs.yml, type: rs }
- { name: registry-proxy-ds, file: registry-proxy-ds.yml, type: ds }
registry_templates_for_psp:
- { name: registry-psp, file: registry-psp.yml, type: psp }
- { name: registry-cr, file: registry-cr.yml, type: clusterrole }
- { name: registry-crb, file: registry-crb.yml, type: rolebinding }
- { name: registry-proxy-psp, file: registry-proxy-psp.yml, type: psp }
- { name: registry-proxy-cr, file: registry-proxy-cr.yml, type: clusterrole }
- { name: registry-proxy-crb, file: registry-proxy-crb.yml, type: rolebinding }
- name: Registry | Append extra templates to Registry Templates list for PodSecurityPolicy
set_fact:
registry_templates: "{{ registry_templates[:3] + registry_templates_for_psp + registry_templates[3:] }}"
registry_templates: "{{ registry_templates[:2] + registry_templates_for_psp + registry_templates[2:] }}"
when:
- podsecuritypolicy_enabled
- registry_namespace != "kube-system"

View file

@ -1,15 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: psp:registry-proxy
namespace: {{ registry_namespace }}
rules:
- apiGroups:
- policy
resourceNames:
- registry-proxy
resources:
- podsecuritypolicies
verbs:
- use

View file

@ -1,13 +0,0 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:registry-proxy
namespace: {{ registry_namespace }}
subjects:
- kind: ServiceAccount
name: registry-proxy
namespace: {{ registry_namespace }}
roleRef:
kind: ClusterRole
name: psp:registry-proxy
apiGroup: rbac.authorization.k8s.io

View file

@ -1,36 +0,0 @@
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: registry-proxy
namespace: {{ registry_namespace }}
labels:
k8s-app: registry-proxy
version: v{{ registry_proxy_image_tag }}
spec:
selector:
matchLabels:
k8s-app: registry-proxy
version: v{{ registry_proxy_image_tag }}
template:
metadata:
labels:
k8s-app: registry-proxy
kubernetes.io/name: "registry-proxy"
version: v{{ registry_proxy_image_tag }}
spec:
priorityClassName: {% if registry_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
serviceAccountName: registry-proxy
containers:
- name: registry-proxy
image: {{ registry_proxy_image_repo }}:{{ registry_proxy_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
env:
- name: REGISTRY_HOST
value: registry.{{ registry_namespace }}.svc.{{ dns_domain }}
- name: REGISTRY_PORT
value: "{{ registry_port }}"
ports:
- name: registry
containerPort: 80
hostPort: {{ registry_port }}

View file

@ -1,56 +0,0 @@
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: registry-proxy
annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
{% endif %}
labels:
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- SETPCAP
- MKNOD
- AUDIT_WRITE
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- SYS_CHROOT
- SETFCAP
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: true
hostPorts:
- min: {{ registry_port }}
max: {{ registry_port }}
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false

View file

@ -1,5 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: registry-proxy
namespace: {{ registry_namespace }}