Merge pull request #540 from aateem/enable-network-policy

Add possibility to enable network policy via Calico network controller
Smaine Kahlouch 2016-10-11 12:10:56 +02:00 committed by GitHub
commit c9769965b8
5 changed files with 62 additions and 0 deletions


@ -0,0 +1,10 @@
- name: Write calico-policy-controller yaml
template: src=calico-policy-controller.yml.j2 dest=/etc/kubernetes/calico-policy-controller.yml
when: inventory_hostname == groups['kube-master'][0]
- name: Start of Calico policy controller
kube:
kubectl: "{{bin_dir}}/kubectl"
filename: /etc/kubernetes/calico-policy-controller.yml
when: inventory_hostname == groups['kube-master'][0]
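Review bot: The new `kube:` task on lines 15-19 does not tie its state to whether the template changed, unlike the existing manifest loop in the same role, which computes `state: "{{item.changed | ternary('latest','present') }}"` from the registered template result. As written, a later change to `calico-policy-controller.yml.j2` will be rewritten to disk but, depending on the kube module's default state, may never be re-applied to the cluster. Register the template task (`register: policy_controller_manifest`) and pass `state: "{{ policy_controller_manifest.changed | ternary('latest','present') }}"` to the kube task so the controller is updated on re-runs. The `template:` line would also read better in block YAML form (`src:`/`dest:`) with an explicit `mode: "0644"`, matching Ansible convention.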


@ -17,3 +17,7 @@
state: "{{item.changed | ternary('latest','present') }}" state: "{{item.changed | ternary('latest','present') }}"
with_items: "{{ manifests.results }}" with_items: "{{ manifests.results }}"
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
- include: tasks/calico-policy-controller.yml
when: enable_network_policy is defined and enable_network_policy == True
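Review bot: The condition `enable_network_policy is defined and enable_network_policy == True` on line 28 only matches a genuine YAML boolean; a value supplied as an extra-var (`-e enable_network_policy=true`) or from an INI inventory arrives as the string `"true"`, for which `== True` is false and the policy controller is silently skipped. Use `when: enable_network_policy | default(false) | bool`, which also removes the need for the `is defined` guard. Declaring `enable_network_policy: false` in the role defaults would make the variable discoverable and keep this check to a single expression.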


@ -0,0 +1,40 @@
apiVersion: extensions/v1beta1
kind: ReplicaSet
metadata:
name: calico-policy-controller
namespace: kube-system
labels:
k8s-app: calico-policy
kubernetes.io/cluster-service: "true"
spec:
replicas: 1
selector:
matchLabels:
kubernetes.io/cluster-service: "true"
k8s-app: calico-policy
template:
metadata:
name: calico-policy-controller
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
k8s-app: calico-policy
spec:
hostNetwork: true
containers:
- name: calico-policy-controller
image: calico/kube-policy-controller:latest
env:
- name: ETCD_ENDPOINTS
value: "{{ etcd_endpoint }}"
# Location of the Kubernetes API - this shouldn't need to be
# changed so long as it is used in conjunction with
# CONFIGURE_ETC_HOSTS="true".
- name: K8S_API
value: "https://kubernetes.default:443"
# Configure /etc/hosts within the container to resolve
# the kubernetes.default Service to the correct clusterIP
# using the environment provided by the kubelet.
# This removes the need for KubeDNS to resolve the Service.
- name: CONFIGURE_ETC_HOSTS
value: "true"
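Review bot: The image on line 58 is `calico/kube-policy-controller:latest`, so the component that enforces network policy is whatever upstream last pushed under a mutable tag, and `:latest` also implies an `Always` pull policy, meaning a node restart can silently change the running version. Pin it to an explicit release via a role variable (`image: calico/kube-policy-controller:{{ calico_policy_image_tag }}`) and, ideally, a digest, consistent with how other images in this deployment appear to be templated. The controller is given `ETCD_ENDPOINTS` on lines 60-61 but no `ETCD_CA_CERT_FILE`/`ETCD_CERT_FILE`/`ETCD_KEY_FILE` variables or certificate volume, so if `etcd_endpoint` renders an https endpoint the controller will not be able to authenticate to etcd; this needs confirming against how etcd is configured elsewhere in the role. Since the pod runs with `hostNetwork: true` (line 55), a one-line comment stating why (reaching etcd and the API server without depending on the CNI it is configuring, presumably) would help reviewers of future privilege reductions.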


@ -30,6 +30,9 @@ spec:
{% for conf in kube_api_runtime_config %} {% for conf in kube_api_runtime_config %}
- --runtime-config={{ conf }} - --runtime-config={{ conf }}
{% endfor %} {% endfor %}
{% endif %}
{% if enable_network_policy is defined and enable_network_policy == True %}
- --runtime-config=extensions/v1beta1/networkpolicies=true
{% endif %} {% endif %}
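Review bot: The guard `{% if enable_network_policy is defined and enable_network_policy == True %}` on line 81 is the same three-part expression copy-pasted into the task include and the CNI template, and in Jinja `== True` will not match a string value such as `"true"` passed as an extra-var, so the API server would be left without the `networkpolicies` runtime config while the controller is still started. With a role default of `enable_network_policy: false` this collapses to `{% if enable_network_policy | bool %}` in every template. The `{% if %}` block that the new `{% endif %}` on line 80 closes begins outside this hunk, so its pairing with the `kube_api_runtime_config` guard should be checked in the full file.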
- --v={{ kube_log_level | default('2') }} - --v={{ kube_log_level | default('2') }}
- --allow-privileged=true - --allow-privileged=true


@ -5,6 +5,11 @@
"ipam": { "ipam": {
"type": "calico-ipam" "type": "calico-ipam"
}, },
{% if enable_network_policy is defined and enable_network_policy == True %}
"policy": {
"type": "k8s"
},
{% endif %}
"kubernetes": { "kubernetes": {
"kubeconfig": "{{ kube_config_dir }}/node-kubeconfig.yaml" "kubeconfig": "{{ kube_config_dir }}/node-kubeconfig.yaml"
} }
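Review bot: Enabling `"policy": {"type": "k8s"}` on lines 94-96 makes the CNI plugin consult the Kubernetes API (via the `node-kubeconfig.yaml` referenced on line 99) for pod labels and policy on every pod setup, so the node credentials in that kubeconfig must be permitted to read pods and namespaces or pod creation will fail on nodes where policy is enabled; this is inferred from the Calico plugin's behaviour and should be verified against the cluster's authorization mode. A short comment above the block, `{# k8s policy mode: CNI plugin reads pod labels/NetworkPolicy via the kubeconfig below #}`, would record that dependency next to the switch. The same `is defined and == True` guard as in the other templates is used here and should be made a single `| bool` check so the three files cannot disagree.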