    1 #!/bin/sh
    2 
    3 step="kube-apiserver-to-kubelet-role"
    4 printf "Starting to run ${step}\n"
    5 
    6 set +x
    7 . /etc/sysconfig/heat-params
    8 set -x
    9 
   10 echo "Waiting for Kubernetes API..."
   11 until  [ "ok" = "$(curl --silent http://127.0.0.1:8080/healthz)" ]
   12 do
   13     sleep 5
   14 done
   15 
   16 cat <<EOF | kubectl apply --validate=false -f -
   17 apiVersion: rbac.authorization.k8s.io/v1beta1
   18 kind: ClusterRole
   19 metadata:
   20   annotations:
   21     rbac.authorization.kubernetes.io/autoupdate: "true"
   22   labels:
   23     kubernetes.io/bootstrapping: rbac-defaults
   24   name: system:kube-apiserver-to-kubelet
   25 rules:
   26   - apiGroups:
   27       - ""
   28     resources:
   29       - nodes/proxy
   30       - nodes/stats
   31       - nodes/log
   32       - nodes/spec
   33       - nodes/metrics
   34     verbs:
   35       - "*"
   36 EOF
   37 
   38 cat <<EOF | kubectl apply --validate=false -f -
   39 apiVersion: rbac.authorization.k8s.io/v1beta1
   40 kind: ClusterRoleBinding
   41 metadata:
   42   name: system:kube-apiserver
   43   namespace: ""
   44 roleRef:
   45   apiGroup: rbac.authorization.k8s.io
   46   kind: ClusterRole
   47   name: system:kube-apiserver-to-kubelet
   48 subjects:
   49   - apiGroup: rbac.authorization.k8s.io
   50     kind: User
   51     name: kubernetes
   52 EOF
   53 
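# Create an admin user and give it the cluster role.
# The "admin" ServiceAccount in kube-system is bound to the built-in
# cluster-admin ClusterRole, so its token is a full-control credential for
# the whole cluster. The manifest is written only if it does not exist yet;
# later runs reuse the file on disk. Expansions are quoted (SC2086/SC2046).
ADMIN_RBAC=/srv/magnum/kubernetes/kubernetes-admin-rbac.yaml

[ -f "${ADMIN_RBAC}" ] || {
    printf '%s\n' "Writing File: ${ADMIN_RBAC}"
    mkdir -p "$(dirname "${ADMIN_RBAC}")"
    cat << EOF > "${ADMIN_RBAC}"
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
EOF
}
kubectl apply --validate=false -f "${ADMIN_RBAC}"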
   82 
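POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
# Pod Security Policies
# "magnum.privileged" is fully permissive: privileged containers, privilege
# escalation, any capability and volume type, host network/IPC/PID and the
# whole host port range. The ClusterRole only grants "use" of that policy;
# this file does not bind it to any subject. Written once, like the admin
# manifest above; expansions are quoted (SC2086/SC2046).
[ -f "${POD_SECURITY_POLICIES}" ] || {
    printf '%s\n' "Writing File: ${POD_SECURITY_POLICIES}"
    mkdir -p "$(dirname "${POD_SECURITY_POLICIES}")"
    cat > "${POD_SECURITY_POLICIES}" <<EOF
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: magnum.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: magnum:podsecuritypolicy:privileged
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - policy
  resourceNames:
  - magnum.privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use
EOF
}
kubectl apply -f "${POD_SECURITY_POLICIES}"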
  143 
  144 # Add the openstack trustee as a secret under kube-system
  145 kubectl -n kube-system create secret generic os-trustee \
  146     --from-literal=os-authURL=${AUTH_URL} \
  147     --from-literal=os-trustID=${TRUST_ID} \
  148     --from-literal=os-trusteeID=${TRUSTEE_USER_ID} \
  149     --from-literal=os-trusteePassword=${TRUSTEE_PASSWORD} \
  150     --from-literal=os-region=${REGION_NAME} \
  151     --from-file=os-certAuthority=/etc/kubernetes/ca-bundle.crt
  152 
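#TODO: add heat variables for master count to determine leaderelect true/False ?
# Optionally deploy the OpenStack cloud-controller-manager (OCCM). The check
# is case-insensitive; any value other than "true" skips this whole section.
if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    # The registry prefix can be overridden through CONTAINER_INFRA_PREFIX.
    occm_image="${CONTAINER_INFRA_PREFIX:-docker.io/k8scloudprovider/}openstack-cloud-controller-manager:${CLOUD_PROVIDER_TAG}"
    OCCM=/srv/magnum/kubernetes/openstack-cloud-controller-manager.yaml

    # Written once. The heredoc is unquoted so ${occm_image} and
    # ${CLUSTER_UUID} are expanded; everything else is literal YAML.
    # Points worth knowing when reviewing the manifest:
    #  - the system:cloud-controller-manager ClusterRole may list/get/watch
    #    secrets cluster-wide;
    #  - the bindings for cloud-node-controller and pvl-controller name
    #    ServiceAccounts this manifest does not create (only
    #    cloud-controller-manager is created here);
    #  - the DaemonSet runs with hostNetwork, mounts the host's
    #    /etc/kubernetes read-only, binds to 127.0.0.1 and is pinned to
    #    master nodes through the nodeSelector.
    # Expansions are quoted (SC2086/SC2046).
    [ -f "${OCCM}" ] || {
        printf '%s\n' "Writing File: ${OCCM}"
        mkdir -p "$(dirname "${OCCM}")"
        cat << EOF > "${OCCM}"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloud-controller-manager
  namespace: kube-system
---
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: system:cloud-controller-manager
  rules:
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - nodes
    verbs:
    - '*'
  - apiGroups:
    - ""
    resources:
    - nodes/status
    verbs:
    - patch
  - apiGroups:
    - ""
    resources:
    - services
    verbs:
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - ""
    resources:
    - serviceaccounts
    verbs:
    - create
    - get
  - apiGroups:
    - ""
    resources:
    - persistentvolumes
    verbs:
    - '*'
  - apiGroups:
    - ""
    resources:
    - endpoints
    verbs:
    - create
    - get
    - list
    - watch
    - update
  - apiGroups:
    - ""
    resources:
    - configmaps
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - list
    - get
    - watch
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: system:cloud-node-controller
  rules:
  - apiGroups:
    - ""
    resources:
    - nodes
    verbs:
    - '*'
  - apiGroups:
    - ""
    resources:
    - nodes/status
    verbs:
    - patch
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - patch
    - update
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: system:pvl-controller
  rules:
  - apiGroups:
    - ""
    resources:
    - persistentvolumes
    verbs:
    - '*'
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - patch
    - update
kind: List
metadata: {}
---
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: system:cloud-node-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:cloud-node-controller
  subjects:
  - kind: ServiceAccount
    name: cloud-node-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: system:pvl-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:pvl-controller
  subjects:
  - kind: ServiceAccount
    name: pvl-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: system:cloud-controller-manager
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:cloud-controller-manager
  subjects:
  - kind: ServiceAccount
    name: cloud-controller-manager
    namespace: kube-system
kind: List
metadata: {}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: openstack-cloud-controller-manager
  name: openstack-cloud-controller-manager
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: openstack-cloud-controller-manager
  template:
    metadata:
      labels:
        k8s-app: openstack-cloud-controller-manager
    spec:
      hostNetwork: true
      serviceAccountName: cloud-controller-manager
      containers:
      - name: openstack-cloud-controller-manager
        image: ${occm_image}
        command:
        - /bin/openstack-cloud-controller-manager
        - --v=2
        - --cloud-config=/etc/kubernetes/cloud-config
        - --cluster-name=${CLUSTER_UUID}
        - --use-service-account-credentials=true
        - --bind-address=127.0.0.1
        volumeMounts:
        - name: cloudconfig
          mountPath: /etc/kubernetes
          readOnly: true
      volumes:
      - name: cloudconfig
        hostPath:
          path: /etc/kubernetes
      tolerations:
      # this is required so CCM can bootstrap itself
      - key: node.cloudprovider.kubernetes.io/uninitialized
        value: "true"
        effect: NoSchedule
      # this is to have the daemonset runnable on master nodes
      # the taint may vary depending on your cluster setup
      - key: dedicated
        value: master
        effect: NoSchedule
      - key: CriticalAddonsOnly
        value: "True"
        effect: NoSchedule
      # this is to restrict CCM to only run on master nodes
      # the node selector may vary depending on your cluster setup
      nodeSelector:
        node-role.kubernetes.io/master: ""
EOF
    }

    kubectl apply -f "${OCCM}"
fi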
  390 
  391 printf "Finished running ${step}\n"