Merge pull request #540 from aateem/enable-network-policy
Add possibility to enable network policy via Calico network controller
This commit is contained in:
commit
e0ca39330f
5 changed files with 62 additions and 0 deletions
|
@ -0,0 +1,10 @@
|
|||
- name: Write calico-policy-controller yaml
|
||||
template: src=calico-policy-controller.yml.j2 dest=/etc/kubernetes/calico-policy-controller.yml
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
|
||||
- name: Start of Calico policy controller
|
||||
kube:
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
filename: /etc/kubernetes/calico-policy-controller.yml
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
|
@ -17,3 +17,7 @@
|
|||
state: "{{item.changed | ternary('latest','present') }}"
|
||||
with_items: "{{ manifests.results }}"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
|
||||
- include: tasks/calico-policy-controller.yml
|
||||
when: enable_network_policy is defined and enable_network_policy == True
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
apiVersion: extensions/v1beta1
|
||||
kind: ReplicaSet
|
||||
metadata:
|
||||
name: calico-policy-controller
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: calico-policy
|
||||
kubernetes.io/cluster-service: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
k8s-app: calico-policy
|
||||
template:
|
||||
metadata:
|
||||
name: calico-policy-controller
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
k8s-app: calico-policy
|
||||
spec:
|
||||
hostNetwork: true
|
||||
containers:
|
||||
- name: calico-policy-controller
|
||||
image: calico/kube-policy-controller:latest
|
||||
env:
|
||||
- name: ETCD_ENDPOINTS
|
||||
value: "{{ etcd_endpoint }}"
|
||||
# Location of the Kubernetes API - this shouldn't need to be
|
||||
# changed so long as it is used in conjunction with
|
||||
# CONFIGURE_ETC_HOSTS="true".
|
||||
- name: K8S_API
|
||||
value: "https://kubernetes.default:443"
|
||||
# Configure /etc/hosts within the container to resolve
|
||||
# the kubernetes.default Service to the correct clusterIP
|
||||
# using the environment provided by the kubelet.
|
||||
# This removes the need for KubeDNS to resolve the Service.
|
||||
- name: CONFIGURE_ETC_HOSTS
|
||||
value: "true"
|
|
@ -30,6 +30,9 @@ spec:
|
|||
{% for conf in kube_api_runtime_config %}
|
||||
- --runtime-config={{ conf }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if enable_network_policy is defined and enable_network_policy == True %}
|
||||
- --runtime-config=extensions/v1beta1/networkpolicies=true
|
||||
{% endif %}
|
||||
- --v={{ kube_log_level | default('2') }}
|
||||
- --allow-privileged=true
|
||||
|
|
|
@ -5,6 +5,11 @@
|
|||
"ipam": {
|
||||
"type": "calico-ipam"
|
||||
},
|
||||
{% if enable_network_policy is defined and enable_network_policy == True %}
|
||||
"policy": {
|
||||
"type": "k8s"
|
||||
},
|
||||
{% endif %}
|
||||
"kubernetes": {
|
||||
"kubeconfig": "{{ kube_config_dir }}/node-kubeconfig.yaml"
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue