--- apiVersion: v1 kind: List items: - apiVersion: v1 kind: ServiceAccount metadata: name: weave-net labels: name: weave-net namespace: kube-system - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: weave-net labels: name: weave-net rules: - apiGroups: - '' resources: - pods - namespaces - nodes verbs: - get - list - watch - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - get - list - watch - apiGroups: - '' resources: - nodes/status verbs: - patch - update - apiGroups: - policy resourceNames: - privileged resources: - podsecuritypolicies verbs: - use - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: weave-net labels: name: weave-net roleRef: kind: ClusterRole name: weave-net apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: weave-net namespace: kube-system - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: name: weave-net labels: name: weave-net namespace: kube-system rules: - apiGroups: - '' resourceNames: - weave-net resources: - configmaps verbs: - get - update - apiGroups: - '' resources: - configmaps verbs: - create - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: weave-net labels: name: weave-net namespace: kube-system roleRef: kind: Role name: weave-net apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: weave-net namespace: kube-system - apiVersion: extensions/v1beta1 kind: DaemonSet metadata: name: weave-net labels: name: weave-net namespace: kube-system spec: minReadySeconds: 5 template: metadata: labels: name: weave-net annotations: # Mark pod as critical for rescheduling (Will have no effect starting with kubernetes 1.12) scheduler.alpha.kubernetes.io/critical-pod: '' spec: {% if kube_version is version('v1.11.1', '>=') %} priorityClassName: system-node-critical {% endif %} containers: - name: weave command: - /home/weave/launch.sh env: - name: HOSTNAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: WEAVE_PASSWORD valueFrom: secretKeyRef: name: weave-net key: WEAVE_PASSWORD - name: CHECKPOINT_DISABLE value: "{{ weave_checkpoint_disable | bool | int }}" - name: CONN_LIMIT value: "{{ weave_conn_limit | int }}" - name: HAIRPIN_MODE value: "{{ weave_hairpin_mode | bool | lower }}" - name: IPALLOC_RANGE value: "{{ weave_ipalloc_range }}" - name: EXPECT_NPC value: "{{ weave_expect_npc | bool | int }}" {% if weave_kube_peers %} - name: KUBE_PEERS value: "{{ weave_kube_peers }}" {% endif %} {% if weave_ipalloc_init %} - name: IPALLOC_INIT value: "{{ weave_ipalloc_init }}" {% endif %} {% if weave_expose_ip %} - name: WEAVE_EXPOSE_IP value: "{{ weave_expose_ip }}" {% endif %} {% if weave_metrics_addr %} - name: WEAVE_METRICS_ADDR value: "{{ weave_metrics_addr }}" {% endif %} {% if weave_status_addr %} - name: WEAVE_STATUS_ADDR value: "{{ weave_status_addr }}" {% endif %} - name: WEAVE_MTU value: "{{ weave_mtu | int }}" - name: NO_MASQ_LOCAL value: "{{ weave_no_masq_local | bool | int }}" {% if weave_extra_args %} - name: EXTRA_ARGS value: "{{ weave_extra_args }}" {% endif %} image: {{ weave_kube_image_repo }}:{{ weave_kube_image_tag }} imagePullPolicy: {{ k8s_image_pull_policy }} readinessProbe: httpGet: host: 127.0.0.1 path: /status port: 6784 resources: requests: cpu: 10m securityContext: privileged: true volumeMounts: - name: weavedb mountPath: /weavedb - name: cni-bin mountPath: /host/opt - name: cni-bin2 mountPath: /host/home - name: cni-conf mountPath: /host/etc - name: dbus mountPath: /host/var/lib/dbus - name: lib-modules mountPath: /lib/modules - name: xtables-lock mountPath: /run/xtables.lock - name: weave-npc env: - name: HOSTNAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: {{ weave_npc_image_repo }}:{{ weave_npc_image_tag }} imagePullPolicy: {{ k8s_image_pull_policy }} resources: requests: cpu: 10m securityContext: privileged: true volumeMounts: - name: xtables-lock mountPath: /run/xtables.lock hostNetwork: true hostPID: true restartPolicy: Always securityContext: seLinuxOptions: {} serviceAccountName: weave-net tolerations: - operator: Exists # Mark pod as critical for rescheduling (Will have no effect starting with kubernetes 1.12) - key: CriticalAddonsOnly operator: "Exists" volumes: - name: weavedb hostPath: path: /var/lib/weave - name: cni-bin hostPath: path: /opt - name: cni-bin2 hostPath: path: /home - name: cni-conf hostPath: path: /etc - name: dbus hostPath: path: /var/lib/dbus - name: lib-modules hostPath: path: /lib/modules - name: xtables-lock hostPath: path: /run/xtables.lock type: FileOrCreate updateStrategy: rollingUpdate: maxUnavailable: {{ serial | default('20%') }} type: RollingUpdate - apiVersion: v1 kind: Secret metadata: name: weave-net namespace: kube-system data: WEAVE_PASSWORD: "{{ weave_password | default("") | b64encode }}"