Remove registry-proxy (#8327)
parent
02a89543d6
commit
c3c128352f
7 changed files with 1 additions and 142 deletions
|
@ -704,8 +704,6 @@ dnsautoscaler_image_tag: "{{ dnsautoscaler_version }}"
|
|||
|
||||
registry_image_repo: "{{ docker_image_repo }}/library/registry"
|
||||
registry_image_tag: "2.7.1"
|
||||
registry_proxy_image_repo: "{{ kube_image_repo }}/kube-registry-proxy"
|
||||
registry_proxy_image_tag: "0.4"
|
||||
metrics_server_version: "v0.5.0"
|
||||
metrics_server_image_repo: "{{ kube_image_repo }}/metrics-server/metrics-server"
|
||||
metrics_server_image_tag: "{{ metrics_server_version }}"
|
||||
|
@ -1232,15 +1230,6 @@ downloads:
|
|||
groups:
|
||||
- kube_node
|
||||
|
||||
registry_proxy:
|
||||
enabled: "{{ registry_enabled }}"
|
||||
container: true
|
||||
repo: "{{ registry_proxy_image_repo }}"
|
||||
tag: "{{ registry_proxy_image_tag }}"
|
||||
sha256: "{{ registry_proxy_digest_checksum|default(None) }}"
|
||||
groups:
|
||||
- kube_node
|
||||
|
||||
metrics_server:
|
||||
enabled: "{{ metrics_server_enabled }}"
|
||||
container: true
|
||||
|
|
|
@ -38,23 +38,18 @@
|
|||
registry_templates:
|
||||
- { name: registry-ns, file: registry-ns.yml, type: ns }
|
||||
- { name: registry-sa, file: registry-sa.yml, type: sa }
|
||||
- { name: registry-proxy-sa, file: registry-proxy-sa.yml, type: sa }
|
||||
- { name: registry-svc, file: registry-svc.yml, type: svc }
|
||||
- { name: registry-secrets, file: registry-secrets.yml, type: secrets }
|
||||
- { name: registry-cm, file: registry-cm.yml, type: cm }
|
||||
- { name: registry-rs, file: registry-rs.yml, type: rs }
|
||||
- { name: registry-proxy-ds, file: registry-proxy-ds.yml, type: ds }
|
||||
registry_templates_for_psp:
|
||||
- { name: registry-psp, file: registry-psp.yml, type: psp }
|
||||
- { name: registry-cr, file: registry-cr.yml, type: clusterrole }
|
||||
- { name: registry-crb, file: registry-crb.yml, type: rolebinding }
|
||||
- { name: registry-proxy-psp, file: registry-proxy-psp.yml, type: psp }
|
||||
- { name: registry-proxy-cr, file: registry-proxy-cr.yml, type: clusterrole }
|
||||
- { name: registry-proxy-crb, file: registry-proxy-crb.yml, type: rolebinding }
|
||||
|
||||
- name: Registry | Append extra templates to Registry Templates list for PodSecurityPolicy
|
||||
set_fact:
|
||||
registry_templates: "{{ registry_templates[:3] + registry_templates_for_psp + registry_templates[3:] }}"
|
||||
registry_templates: "{{ registry_templates[:2] + registry_templates_for_psp + registry_templates[2:] }}"
|
||||
when:
|
||||
- podsecuritypolicy_enabled
|
||||
- registry_namespace != "kube-system"
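Review bot: Clusters that already run the registry addon would presumably keep their `registry-proxy` objects after this change, because the entries are dropped from `registry_templates` and `registry_templates_for_psp` but none of the seven changed files adds a step that deletes what earlier runs applied. The leftover DaemonSet binds `hostPort: {{ registry_port }}` on every node under a PodSecurityPolicy that allows `hostNetwork: true`, and its image tag would no longer be tracked by the inventory. Consider a removal step for the DaemonSet, ServiceAccount, PodSecurityPolicy, ClusterRole and RoleBinding, or an upgrade note telling operators to delete them, unless that cleanup happens elsewhere in the playbook. Separately, the slice index had to move from 3 to 2 because it silently depends on list order; a comment above the `set_fact` such as `# PSP/RBAC objects are inserted right after registry-ns and registry-sa (the first two entries)` would make that coupling explicit.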
|
||||
|
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: psp:registry-proxy
|
||||
namespace: {{ registry_namespace }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- policy
|
||||
resourceNames:
|
||||
- registry-proxy
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
verbs:
|
||||
- use
|
|
@ -1,13 +0,0 @@
|
|||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: psp:registry-proxy
|
||||
namespace: {{ registry_namespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: registry-proxy
|
||||
namespace: {{ registry_namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: psp:registry-proxy
|
||||
apiGroup: rbac.authorization.k8s.io
|
|
@ -1,36 +0,0 @@
|
|||
---
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: registry-proxy
|
||||
namespace: {{ registry_namespace }}
|
||||
labels:
|
||||
k8s-app: registry-proxy
|
||||
version: v{{ registry_proxy_image_tag }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: registry-proxy
|
||||
version: v{{ registry_proxy_image_tag }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: registry-proxy
|
||||
kubernetes.io/name: "registry-proxy"
|
||||
version: v{{ registry_proxy_image_tag }}
|
||||
spec:
|
||||
priorityClassName: {% if registry_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
|
||||
serviceAccountName: registry-proxy
|
||||
containers:
|
||||
- name: registry-proxy
|
||||
image: {{ registry_proxy_image_repo }}:{{ registry_proxy_image_tag }}
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
env:
|
||||
- name: REGISTRY_HOST
|
||||
value: registry.{{ registry_namespace }}.svc.{{ dns_domain }}
|
||||
- name: REGISTRY_PORT
|
||||
value: "{{ registry_port }}"
|
||||
ports:
|
||||
- name: registry
|
||||
containerPort: 80
|
||||
hostPort: {{ registry_port }}
|
|
@ -1,56 +0,0 @@
|
|||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: registry-proxy
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
{% if apparmor_enabled %}
|
||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||
{% endif %}
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
requiredDropCapabilities:
|
||||
- SETPCAP
|
||||
- MKNOD
|
||||
- AUDIT_WRITE
|
||||
- NET_RAW
|
||||
- DAC_OVERRIDE
|
||||
- FOWNER
|
||||
- FSETID
|
||||
- KILL
|
||||
- SYS_CHROOT
|
||||
- SETFCAP
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
- 'persistentVolumeClaim'
|
||||
hostNetwork: true
|
||||
hostPorts:
|
||||
- min: {{ registry_port }}
|
||||
max: {{ registry_port }}
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'RunAsAny'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: false
|
|
@ -1,5 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: registry-proxy
|
||||
namespace: {{ registry_namespace }}
|