diff --git a/config/yurtadm/cloudimage/README.md b/config/yurtadm/cloudimage/README.md
new file mode 100644
index 00000000000..70aed4f5b6f
--- /dev/null
+++ b/config/yurtadm/cloudimage/README.md
@@ -0,0 +1,13 @@
+# Build an OpenYurt CloudImage
+
+`yurtadm init` is implemented by sealer, you can modify the kubefile to make your own openyurt cloudimage.
+
+```bash
+cd openyurt-latest
+
+# build cloudimage
+sealer build -t registry-1.docker.io/openyurt/openyurt-cluster:latest-k8s-1198 -f Kubefile .
+
+# push to dockerhub
+sealer push registry-1.docker.io/openyurt/openyurt-cluster:latest-k8s-1198
+```
\ No newline at end of file
diff --git a/config/yurtadm/cloudimage/openyurt-latest/Kubefile b/config/yurtadm/cloudimage/openyurt-latest/Kubefile
new file mode 100644
index 00000000000..11b52599046
--- /dev/null
+++ b/config/yurtadm/cloudimage/openyurt-latest/Kubefile
@@ -0,0 +1,16 @@
+FROM kubernetes:v1.19.8-alpine
+
+# flannel: https://github.com/sealerio/applications/tree/main/flannel
+COPY flannel/cni .
+COPY flannel/init-kube.sh /scripts/
+COPY flannel/kube-flannel.yml manifests/
+
+COPY shell-plugin.yaml plugins
+
+# openyurt
+COPY yamls/*.yaml manifests
+COPY install-openyurt.sh .
+RUN chmod 777 install-openyurt.sh
+
+CMD kubectl apply -f manifests/kube-flannel.yml
+CMD ./install-openyurt.sh
\ No newline at end of file
diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/bandwidth b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/bandwidth
new file mode 100644
index 00000000000..441f71df7ad
Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/bandwidth differ
diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/bridge b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/bridge
new file mode 100644
index 00000000000..64915b3578c
Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/bridge differ
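Review bot: `RUN chmod 777 install-openyurt.sh` makes the installer world-writable inside the image when only the execute bit is needed; `RUN chmod 755 install-openyurt.sh` is sufficient. The two consecutive `CMD` lines would leave only the last one effective under Dockerfile semantics, so if sealer executes every `CMD` in order a comment such as `# sealer runs each CMD in sequence after the cluster is up` would stop the next reader from assuming the flannel apply is dead code. `COPY flannel/cni .` ships the prebuilt CNI plugin binaries that this commit checks in as opaque blobs; recording the upstream CNI plugins release and the checksums they were taken from in the `# flannel:` comment would make the image auditable and reproducible.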
diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/dhcp b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/dhcp new file mode 100644 index 00000000000..ae39ab0892f Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/dhcp differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/firewall b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/firewall new file mode 100644 index 00000000000..714e8d48863 Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/firewall differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/flannel b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/flannel new file mode 100644 index 00000000000..dc1a0d4aaaa Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/flannel differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/host-device b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/host-device new file mode 100644 index 00000000000..6a4647a41a2 Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/host-device differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/host-local b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/host-local new file mode 100644 index 00000000000..52d552b9d6e Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/host-local differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/ipvlan b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/ipvlan new file mode 100644 index 00000000000..935a94e4eb1 Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/ipvlan differ 
diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/loopback b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/loopback new file mode 100644 index 00000000000..323e3665fe6 Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/loopback differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/macvlan b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/macvlan new file mode 100644 index 00000000000..8be93b29b17 Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/macvlan differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/portmap b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/portmap new file mode 100644 index 00000000000..41bd0a02f4d Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/portmap differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/ptp b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/ptp new file mode 100644 index 00000000000..a9628313f68 Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/ptp differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/sbr b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/sbr new file mode 100644 index 00000000000..88d48eb7a7b Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/sbr differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/static b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/static new file mode 100644 index 00000000000..d1a34be1348 Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/static differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/tuning b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/tuning new file mode 100644 index 00000000000..7f126a9e9d7 Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/tuning differ 
diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/vlan b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/vlan new file mode 100644 index 00000000000..56a187210e5 Binary files /dev/null and b/config/yurtadm/cloudimage/openyurt-latest/flannel/cni/vlan differ diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/init-kube.sh b/config/yurtadm/cloudimage/openyurt-latest/flannel/init-kube.sh new file mode 100644 index 00000000000..3cc67e44ead --- /dev/null +++ b/config/yurtadm/cloudimage/openyurt-latest/flannel/init-kube.sh 
@@ -0,0 +1,177 @@ +#!/bin/bash + +# Copyright © 2021 Alibaba Group Holding Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Open ipvs +modprobe -- ip_vs +modprobe -- ip_vs_rr +modprobe -- ip_vs_wrr +modprobe -- ip_vs_sh +modprobe -- br_netfilter +## version_ge 4.19 4.19 true ; +## version_ge 5.4 4.19 true ; +## version_ge 3.10 4.19 false ; + +version_ge(){ + test "$(echo "$@" | tr ' ' '\n' | sort -rV | head -n 1)" == "$1" +} + +disable_selinux(){ + if [ -s /etc/selinux/config ] && grep 'SELINUX=enforcing' /etc/selinux/config; then + sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config + setenforce 0 + fi +} + +get_distribution() { + lsb_dist="" + # Every system that we officially support has /etc/os-release + if [ -r /etc/os-release ]; then + lsb_dist="$(. 
/etc/os-release && echo "$ID")" + fi + # Returning an empty string here should be alright since the + # case statements don't act unless you provide an actual value + echo "$lsb_dist" +} + +disable_firewalld() { + lsb_dist=$( get_distribution ) + lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')" + case "$lsb_dist" in + ubuntu|deepin|debian|raspbian) + command -v ufw &> /dev/null && ufw disable + ;; + centos|rhel|ol|sles|kylin|neokylin) + systemctl stop firewalld && systemctl disable firewalld + ;; + *) + systemctl stop firewalld && systemctl disable firewalld + echo "unknown system, use default to stop firewalld" + ;; + esac +} + +kernel_version=$(uname -r | cut -d- -f1) +if version_ge "${kernel_version}" 4.19; then + modprobe -- nf_conntrack +else + modprobe -- nf_conntrack_ipv4 +fi + +cat < /etc/sysctl.d/k8s.conf +net.bridge.bridge-nf-call-ip6tables = 1 +net.bridge.bridge-nf-call-iptables = 1 +net.ipv4.conf.all.rp_filter=0 +EOF +sysctl --system +sysctl -w net.ipv4.ip_forward=1 +disable_firewalld +swapoff -a || true +disable_selinux + +chmod -R 755 ../bin/* +chmod 644 ../bin +cp ../bin/* /usr/bin +cp ../scripts/kubelet-pre-start.sh /usr/bin +#cni +mkdir /opt/cni/bin -p +chmod -R 755 ../cni/* +chmod 644 ../cni +cp ../cni/* /opt/cni/bin + +# Cgroup driver +mkdir -p /etc/systemd/system +cp ../etc/kubelet.service /etc/systemd/system/ +[ -d /etc/systemd/system/kubelet.service.d ] || mkdir /etc/systemd/system/kubelet.service.d +cp ../etc/10-kubeadm.conf /etc/systemd/system/kubelet.service.d/ + +[ -d /var/lib/kubelet ] || mkdir -p /var/lib/kubelet/ + +cat < /var/lib/kubelet/config.yaml +address: 0.0.0.0 +apiVersion: kubelet.config.k8s.io/v1beta1 +authentication: + anonymous: + enabled: false + webhook: + cacheTTL: 2m0s + enabled: true + x509: + clientCAFile: /etc/kubernetes/pki/ca.crt +authorization: + mode: Webhook + webhook: + cacheAuthorizedTTL: 5m0s + cacheUnauthorizedTTL: 30s +cgroupDriver: ${criDriver} +cgroupsPerQOS: true +clusterDNS: +- 10.96.0.10 
+clusterDomain: cluster.local +configMapAndSecretChangeDetectionStrategy: Watch +containerLogMaxFiles: 5 +containerLogMaxSize: 10Mi +contentType: application/vnd.kubernetes.protobuf +cpuCFSQuota: true +cpuCFSQuotaPeriod: 100ms +cpuManagerPolicy: none +cpuManagerReconcilePeriod: 10s +enableControllerAttachDetach: true +enableDebuggingHandlers: true +enforceNodeAllocatable: +- pods +eventBurst: 10 +eventRecordQPS: 5 +evictionHard: + imagefs.available: 15% + memory.available: 100Mi + nodefs.available: 10% + nodefs.inodesFree: 5% +evictionPressureTransitionPeriod: 5m0s +failSwapOn: true +fileCheckFrequency: 20s +hairpinMode: promiscuous-bridge +healthzBindAddress: 127.0.0.1 +healthzPort: 10248 +httpCheckFrequency: 20s +imageGCHighThresholdPercent: 85 +imageGCLowThresholdPercent: 80 +imageMinimumGCAge: 2m0s +iptablesDropBit: 15 +iptablesMasqueradeBit: 14 +kind: KubeletConfiguration +kubeAPIBurst: 10 +kubeAPIQPS: 5 +makeIPTablesUtilChains: true +maxOpenFiles: 1000000 +maxPods: 110 +nodeLeaseDurationSeconds: 40 +nodeStatusUpdateFrequency: 10s +oomScoreAdj: -999 +podPidsLimit: -1 +port: 10250 +registryBurst: 10 +registryPullQPS: 5 +resolvConf: /etc/resolv.conf +rotateCertificates: true +runtimeRequestTimeout: 2m0s +serializeImagePulls: true +staticPodPath: /etc/kubernetes/manifests +streamingConnectionIdleTimeout: 4h0m0s +syncFrequency: 1m0s +volumeStatsAggPeriod: 1m0s +EOF + +systemctl enable kubelet \ No newline at end of file diff --git a/config/yurtadm/cloudimage/openyurt-latest/flannel/kube-flannel.yml b/config/yurtadm/cloudimage/openyurt-latest/flannel/kube-flannel.yml new file mode 100644 index 00000000000..17a430942a9 --- /dev/null +++ b/config/yurtadm/cloudimage/openyurt-latest/flannel/kube-flannel.yml 
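Review bot: As rendered here both `cat < /etc/sysctl.d/k8s.conf` and `cat < /var/lib/kubelet/config.yaml` read from a file that does not yet exist instead of writing the heredoc that follows them; if the committed script really reads this way it fails at the first one, and the intended form is presumably `cat <<EOF > /etc/sysctl.d/k8s.conf` (the `<<EOF >` may just have been lost in rendering, so confirm against the file). `cgroupDriver: ${criDriver}` is expanded by the unquoted heredoc but `criDriver` is never assigned anywhere in this script, so kubelet ends up with an empty cgroupDriver unless sealer injects it into the environment; a comment naming that source (`# criDriver is exported by sealer before this script runs`) would document the dependency. `disable_firewalld` and `disable_selinux` unconditionally switch off the host firewall and SELinux on every node, which is a hardening regression operators should be told about; a why-comment on each function and a note in the README would be appropriate.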
@@ -0,0 +1,223 @@ +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: psp.flannel.unprivileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default + apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default +spec: + privileged: false + volumes: + - configMap + - secret + - emptyDir + - hostPath + allowedHostPaths: + - pathPrefix: "/etc/cni/net.d" + - pathPrefix: "/etc/kube-flannel" + - pathPrefix: "/run/flannel" + readOnlyRootFilesystem: false + # Users and groups + runAsUser: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + fsGroup: + rule: RunAsAny + # Privilege Escalation + allowPrivilegeEscalation: false + defaultAllowPrivilegeEscalation: false + # Capabilities + allowedCapabilities: ['NET_ADMIN', 'NET_RAW'] + defaultAddCapabilities: [] + requiredDropCapabilities: [] + # Host namespaces + hostPID: false + hostIPC: false + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + # SELinux + seLinux: + # SELinux is unused in CaaSP + rule: 'RunAsAny' +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flannel +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: ['psp.flannel.unprivileged'] +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flannel +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: flannel +subjects: +- kind: ServiceAccount + name: flannel + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flannel + namespace: kube-system +--- 
+kind: ConfigMap +apiVersion: v1 +metadata: + name: kube-flannel-cfg + namespace: kube-system + labels: + tier: node + app: flannel +data: + cni-conf.json: | + { + "name": "cbr0", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "flannel", + "delegate": { + "hairpinMode": true, + "isDefaultGateway": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + net-conf.json: | + { + "Network": "10.244.0.0/16", + "Backend": { + "Type": "vxlan" + } + } +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-flannel-ds + namespace: kube-system + labels: + tier: node + app: flannel +spec: + selector: + matchLabels: + app: flannel + template: + metadata: + labels: + tier: node + app: flannel + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + hostNetwork: true + priorityClassName: system-node-critical + tolerations: + - operator: Exists + effect: NoSchedule + serviceAccountName: flannel + initContainers: + - name: install-cni + image: quay.io/coreos/flannel:v0.14.0 + command: + - cp + args: + - -f + - /etc/kube-flannel/cni-conf.json + - /etc/cni/net.d/10-flannel.conflist + volumeMounts: + - name: cni + mountPath: /etc/cni/net.d + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + containers: + - name: kube-flannel + image: quay.io/coreos/flannel:v0.14.0 + command: + - /opt/bin/flanneld + args: + - --ip-masq + - --kube-subnet-mgr + resources: + requests: + cpu: "100m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + securityContext: + privileged: false + capabilities: + add: ["NET_ADMIN", "NET_RAW"] + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: run + mountPath: /run/flannel + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + 
volumes: + - name: run + hostPath: + path: /run/flannel + - name: cni + hostPath: + path: /etc/cni/net.d + - name: flannel-cfg + configMap: + name: kube-flannel-cfg \ No newline at end of file diff --git a/config/yurtadm/cloudimage/openyurt-latest/install-openyurt.sh b/config/yurtadm/cloudimage/openyurt-latest/install-openyurt.sh new file mode 100644 index 00000000000..5318fbcd2a6 --- /dev/null +++ b/config/yurtadm/cloudimage/openyurt-latest/install-openyurt.sh 
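Review bot: The ClusterRole grants `use` on `podsecuritypolicies` in the `extensions` API group, but on the kubernetes:v1.19.8 base PodSecurityPolicy is served only from the `policy` group (extensions stopped serving it in 1.16), so if the PodSecurityPolicy admission plugin is enabled the flannel ServiceAccount is denied and the DaemonSet pods are never created; `- apiGroups: ['policy']` fixes it. If PSP admission is not enabled on these clusters the rule and the `psp.flannel.unprivileged` object are inert, which a comment at the top of the file should say so nobody relies on them. `image: quay.io/coreos/flannel:v0.14.0` is pinned by tag but not by digest, which is worth noting since the image is deployed with `NET_ADMIN`/`NET_RAW` on the host network of every node.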
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright 2022 The OpenYurt Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo "[INFO] Start installing OpenYurt."
+
+## label node
+kubectl label node $HOSTNAME openyurt.io/is-edge-worker=false
+
+## install openyurt components
+kubectl apply -f manifests/yurt-controller-manager.yaml
+kubectl apply -f manifests/yurt-tunnel-agent.yaml
+kubectl apply -f manifests/yurt-tunnel-server.yaml
+kubectl apply -f manifests/yurt-app-manager.yaml
+kubectl apply -f manifests/yurthub-cfg.yaml
+
+## configure coredns
+kubectl apply -f manifests/coredns.yaml
+kubectl annotate svc kube-dns -n kube-system openyurt.io/topologyKeys='openyurt.io/nodepool'
+kubectl scale --replicas=0 deployment/coredns -n kube-system
+
+## configure kube-proxy
+kubectl patch cm -n kube-system kube-proxy --patch '{"data": {"config.conf": "apiVersion: kubeproxy.config.k8s.io/v1alpha1\nbindAddress: 0.0.0.0\nfeatureGates:\n EndpointSliceProxying: true\nbindAddressHardFail: false\nclusterCIDR: 100.64.0.0/10\nconfigSyncPeriod: 0s\nenableProfiling: false\nipvs:\n excludeCIDRs:\n - 10.103.97.2/32\n minSyncPeriod: 0s\n strictARP: false\nkind: KubeProxyConfiguration\nmode: ipvs\nudpIdleTimeout: 0s\nwinkernel:\n enableDSR: false\nkubeconfig.conf:"}}' && kubectl delete pod --selector k8s-app=kube-proxy -n kube-system
+
+echo "[INFO] OpenYurt is successfully installed."
\ No newline at end of file
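Review bot: The script never sets `set -e`, so a failed `kubectl apply`, `annotate` or `patch` is ignored and `[INFO] OpenYurt is successfully installed.` is printed regardless; add `set -euo pipefail` after the shebang and quote `"$HOSTNAME"` on the label line. The kube-proxy patch hard-codes `clusterCIDR: 100.64.0.0/10` while `kube-flannel.yml` in this same commit sets flannel's `Network` to `10.244.0.0/16`; unless the sealer base image configures the cluster pod CIDR as 100.64.0.0/10 one of the two is wrong, and a comment stating which CIDR is authoritative would prevent a silent mismatch. The patched `config.conf` string also ends in `\nkubeconfig.conf:`, which places a `kubeconfig.conf` key inside the KubeProxyConfiguration document instead of leaving it as a separate ConfigMap key — presumably a copy-paste slip that kube-proxy's lenient decoder happens to tolerate, but it should be dropped from the string. The node label step duplicates the `PostInstall` plugin in `shell-plugin.yaml`, only without `--overwrite`, so whichever of the two runs second fails if the label already exists; keep one of them.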
diff --git a/config/yurtadm/cloudimage/openyurt-latest/shell-plugin.yaml b/config/yurtadm/cloudimage/openyurt-latest/shell-plugin.yaml
new file mode 100644
index 00000000000..d32bbca570d
--- /dev/null
+++ b/config/yurtadm/cloudimage/openyurt-latest/shell-plugin.yaml
@@ -0,0 +1,10 @@
+apiVersion: sealer.aliyun.com/v1alpha1
+kind: Plugin
+metadata:
+ name: MyShell
+spec:
+ type: SHELL
+ action: PostInstall
+ 'on': master
+ data: |
+ kubectl label node $HOSTNAME openyurt.io/is-edge-worker=false --overwrite
\ No newline at end of file
diff --git a/config/yurtadm/cloudimage/openyurt-latest/yamls/coredns.yaml b/config/yurtadm/cloudimage/openyurt-latest/yamls/coredns.yaml
new file mode 100644
index 00000000000..6cc43c0379d
--- /dev/null
+++ b/config/yurtadm/cloudimage/openyurt-latest/yamls/coredns.yaml
@@ -0,0 +1,134 @@ +apiVersion: v1 +data: + Corefile: | + .:53 { + errors + log . { + class denial success + + } + health { + lameduck 5s + } + ready + hosts /etc/edge/tunnel-nodes { # 增加hosts插件 + reload 300ms + fallthrough + } + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + } + prometheus :9153 + forward . /etc/resolv.conf { + max_concurrent 1000 + } + cache 30 + loop + reload + loadbalance + } +kind: ConfigMap +metadata: + name: coredns + namespace: kube-system + +--- + +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + k8s-app: kube-dns + name: coredns + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: kube-dns + template: + metadata: + labels: + k8s-app: kube-dns + spec: + containers: + - args: + - -conf + - /etc/coredns/Corefile + image: registry.aliyuncs.com/google_containers/coredns:1.7.0 + livenessProbe: + failureThreshold: 5 + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: coredns + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + - containerPort: 9153 + name: metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 8181 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + memory: 170Mi + requests: + cpu: 100m + memory: 70Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /etc/coredns + name: config-volume + readOnly: true + - mountPath: /etc/edge + name: hosts + readOnly: true + dnsPolicy: Default + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccount: coredns + serviceAccountName: coredns + tolerations: + - operator: Exists + - key: 
CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + defaultMode: 420 + items: + - key: Corefile + path: Corefile + name: coredns + name: config-volume + - configMap: + defaultMode: 420 + name: yurt-tunnel-nodes + name: hosts \ No newline at end of file diff --git a/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-app-manager.yaml b/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-app-manager.yaml new file mode 100644 index 00000000000..d24f7ae3146 --- /dev/null +++ b/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-app-manager.yaml 
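Review bot: The `hosts` volume mounts ConfigMap `yurt-tunnel-nodes` without `optional: true`, and nothing in this commit creates that ConfigMap; if it is produced by yurt-tunnel-server at runtime, the CoreDNS DaemonSet pods stay in ContainerCreating until it appears, which deserves a comment on the volume (`# created by yurt-tunnel-server; pods block until it exists`) or `optional: true` if the hosts plugin tolerates a missing file. The Corefile comment `# 增加hosts插件` should be in English, e.g. `# hosts plugin: resolve tunnel node names from /etc/edge/tunnel-nodes`. `log . { class denial success }` logs every successful query on every node, which is noisy for a DaemonSet; if that is deliberate for debugging a comment should say so, otherwise `class denial` alone is the usual production setting. The pod spec keeps the deprecated `serviceAccount: coredns` next to `serviceAccountName: coredns`; the former is redundant and can go.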
@@ -0,0 +1,1278 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: nodepools.apps.openyurt.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.type + description: The type of nodepool + name: Type + type: string + - JSONPath: .status.readyNodeNum + description: The number of ready nodes in the pool + name: ReadyNodes + type: integer + - JSONPath: .status.unreadyNodeNum + name: NotReadyNodes + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: apps.openyurt.io + names: + categories: + - all + kind: NodePool + listKind: NodePoolList + plural: nodepools + shortNames: + - np + singular: nodepool + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + description: NodePool is the Schema for the nodepools API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NodePoolSpec defines the desired state of NodePool + properties: + annotations: + additionalProperties: + type: string + description: 'If specified, the Annotations will be added to all nodes. NOTE: existing labels with samy keys on the nodes will be overwritten.' 
+ type: object + labels: + additionalProperties: + type: string + description: 'If specified, the Labels will be added to all nodes. NOTE: existing labels with samy keys on the nodes will be overwritten.' + type: object + selector: + description: A label query over nodes to consider for adding to the pool + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + taints: + description: If specified, the Taints will be added to all nodes. + items: + description: The node this Taint is attached to has the "effect" on any pod that does not tolerate the Taint. 
+ type: object + type: array + type: + description: The type of the NodePool + type: string + type: object + status: + description: NodePoolStatus defines the observed state of NodePool + properties: + nodes: + description: The list of nodes' names in the pool + items: + type: string + type: array + readyNodeNum: + description: Total number of ready nodes in the pool. + format: int32 + type: integer + unreadyNodeNum: + description: Total number of unready nodes in the pool. + format: int32 + type: integer + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: uniteddeployments.apps.openyurt.io +spec: + additionalPrinterColumns: + - JSONPath: .status.readyReplicas + description: The number of pods ready. + name: READY + type: integer + - JSONPath: .status.templateType + description: The WorkloadTemplate Type. + name: WorkloadTemplate + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: AGE + type: date + group: apps.openyurt.io + names: + kind: UnitedDeployment + listKind: UnitedDeploymentList + plural: uniteddeployments + shortNames: + - ud + singular: uniteddeployment + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: UnitedDeployment is the Schema for the uniteddeployments API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: UnitedDeploymentSpec defines the desired state of UnitedDeployment. + properties: + revisionHistoryLimit: + description: Indicates the number of histories to be conserved. If unspecified, defaults to 10. + format: int32 + type: integer + selector: + description: Selector is a label query over pods that should match the replica count. It must match the pod template's labels. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + topology: + description: Topology describes the pods distribution detail between each of pools. + properties: + pools: + description: Contains the details of each pool. Each element in this array represents one pool which will be provisioned and managed by UnitedDeployment. + items: + description: Pool defines the detail of a pool. + properties: + name: + description: Indicates pool name as a DNS_LABEL, which will be used to generate pool workload name prefix in the format '--'. Name should be unique between all of the pools under one UnitedDeployment. Name is NodePool Name + type: string + nodeSelectorTerm: + description: Indicates the node selector to form the pool. Depending on the node selector, pods provisioned could be distributed across multiple groups of nodes. A pool's nodeSelectorTerm is not allowed to be updated. + type: object + patch: + description: Indicates the patch for the templateSpec Now support strategic merge path :https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#notes-on-the-strategic-merge-patch Patch takes precedence over Replicas fields If the Patch also modifies the Replicas, use the Replicas value in the Patch + type: object + replicas: + description: Indicates the number of the pod to be created under this pool. + format: int32 + type: integer + tolerations: + description: Indicates the tolerations the pods under this pool have. A pool's tolerations is not allowed to be updated. 
+ items: + description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + type: object + type: array + required: + - name + type: object + type: array + type: object + workloadTemplate: + description: WorkloadTemplate describes the pool that will be created. + properties: + deploymentTemplate: + description: Deployment template + properties: + metadata: + type: object + spec: + description: DeploymentSpec is the specification of the desired behavior of the Deployment. + type: object + required: + - spec + type: object + statefulSetTemplate: + description: StatefulSet template + properties: + metadata: + type: object + spec: + description: A StatefulSetSpec is the specification of a StatefulSet. + type: object + required: + - spec + type: object + type: object + required: + - selector + type: object + status: + description: UnitedDeploymentStatus defines the observed state of UnitedDeployment. + properties: + collisionCount: + description: Count of hash collisions for the UnitedDeployment. The UnitedDeployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision. + format: int32 + type: integer + conditions: + description: Represents the latest available observations of a UnitedDeployment's current state. + items: + description: UnitedDeploymentCondition describes current state of a UnitedDeployment. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of in place set condition. 
+ type: string + type: object + type: array + currentRevision: + description: CurrentRevision, if not empty, indicates the current version of the UnitedDeployment. + type: string + observedGeneration: + description: ObservedGeneration is the most recent generation observed for this UnitedDeployment. It corresponds to the UnitedDeployment's generation, which is updated on mutation by the API Server. + format: int64 + type: integer + poolReplicas: + additionalProperties: + format: int32 + type: integer + description: Records the topology detail information of the replicas of each pool. + type: object + readyReplicas: + description: The number of ready replicas. + format: int32 + type: integer + replicas: + description: Replicas is the most recently observed number of replicas. + format: int32 + type: integer + templateType: + description: TemplateType indicates the type of PoolTemplate + type: string + required: + - currentRevision + - replicas + - templateType + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: yurtappdaemons.apps.openyurt.io +spec: + additionalPrinterColumns: + - JSONPath: .status.templateType + description: The WorkloadTemplate Type. + name: WorkloadTemplate + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 
+ name: AGE + type: date + group: apps.openyurt.io + names: + kind: YurtAppDaemon + listKind: YurtAppDaemonList + plural: yurtappdaemons + shortNames: + - yad + singular: yurtappdaemon + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: YurtAppDaemon is the Schema for the YurtAppDaemon API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: YurtAppDaemonSpec defines the desired state of YurtAppDaemon. + properties: + nodepoolSelector: + description: NodePoolSelector is a label query over nodepool that should match the replica count. It must match the nodepool's labels. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + revisionHistoryLimit: + description: Indicates the number of histories to be conserved. If unspecified, defaults to 10. + format: int32 + type: integer + selector: + description: Selector is a label query over pods that should match the replica count. It must match the pod template's labels. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + workloadTemplate: + description: WorkloadTemplate describes the pool that will be created. + properties: + deploymentTemplate: + description: Deployment template + properties: + metadata: + type: object + spec: + description: DeploymentSpec is the specification of the desired behavior of the Deployment. + type: object + required: + - spec + type: object + statefulSetTemplate: + description: StatefulSet template + properties: + metadata: + type: object + spec: + description: A StatefulSetSpec is the specification of a StatefulSet. + type: object + required: + - spec + type: object + type: object + required: + - nodepoolSelector + - selector + type: object + status: + description: YurtAppDaemonStatus defines the observed state of YurtAppDaemon. + properties: + collisionCount: + description: Count of hash collisions for the YurtAppDaemon. The YurtAppDaemon controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision. + format: int32 + type: integer + conditions: + description: Represents the latest available observations of a YurtAppDaemon's current state. + items: + description: YurtAppDaemonCondition describes current state of a YurtAppDaemon. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of in place set condition. 
+ type: string + type: object + type: array + currentRevision: + description: CurrentRevision, if not empty, indicates the current version of the YurtAppDaemon. + type: string + nodepools: + description: NodePools indicates the list of node pools selected by YurtAppDaemon + items: + type: string + type: array + observedGeneration: + description: ObservedGeneration is the most recent generation observed for this YurtAppDaemon. It corresponds to the YurtAppDaemon's generation, which is updated on mutation by the API Server. + format: int64 + type: integer + templateType: + description: TemplateType indicates the type of PoolTemplate + type: string + required: + - currentRevision + - templateType + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.9 + creationTimestamp: null + name: yurtingresses.apps.openyurt.io +spec: + additionalPrinterColumns: + - JSONPath: .status.nginx_ingress_controller_version + description: The nginx ingress controller version + name: Nginx-Ingress-Version + type: string + - JSONPath: .status.ingress_controller_replicas_per_pool + description: The nginx ingress controller replicas per pool + name: Replicas-Per-Pool + type: integer + - JSONPath: .status.readyNum + description: The number of pools on which ingress is enabled + name: ReadyNum + type: integer + - JSONPath: .status.unreadyNum + description: The number of pools on which ingress is enabling or enable failed + name: NotReadyNum + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: apps.openyurt.io + names: + categories: + - all + kind: YurtIngress + listKind: YurtIngressList + plural: yurtingresses + shortNames: + - ying + singular: yurtingress + scope: 
Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + description: YurtIngress is the Schema for the yurtingresses API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: YurtIngressSpec defines the desired state of YurtIngress + properties: + ingress_controller_replicas_per_pool: + description: Indicates the number of the ingress controllers to be deployed under all the specified nodepools. + format: int32 + type: integer + pools: + description: Indicates all the nodepools on which to enable ingress. + items: + description: IngressPool defines the details of a Pool for ingress + properties: + name: + description: Indicates the pool name. + type: string + required: + - name + type: object + type: array + type: object + status: + description: YurtIngressStatus defines the observed state of YurtIngress + properties: + conditions: + description: Indicates all the nodepools on which to enable ingress. + properties: + ingressreadypools: + description: Indicates the pools that ingress controller is deployed successfully. + items: + type: string + type: array + ingressunreadypools: + description: Indicates the pools that ingress controller is being deployed or deployed failed. 
+ items: + description: IngressNotReadyPool defines the condition details of an ingress not ready Pool + properties: + name: + description: Indicates the pool name. + type: string + poolinfo: + description: Info of ingress not ready condition. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + type: + description: Type of ingress not ready condition. + type: string + type: object + required: + - name + type: object + type: array + type: object + ingress_controller_replicas_per_pool: + description: Indicates the number of the ingress controllers deployed under all the specified nodepools. + format: int32 + type: integer + nginx_ingress_controller_version: + description: Indicates the nginx ingress controller version deployed under all the specified nodepools. + type: string + readyNum: + description: Total number of ready pools on which ingress is enabled. + format: int32 + type: integer + unreadyNum: + description: Total number of unready pools on which ingress is enabling or enable failed. 
+ format: int32 + type: integer + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: yurt-app-leader-election-role + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: yurt-app-manager-role +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - controllerrevisions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - statefulsets/status + verbs: + - get + - patch + - update +- apiGroups: + - apps.openyurt.io + resources: + - nodepools + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps.openyurt.io + resources: + - nodepools/status + verbs: + - get + - patch + - update +- 
apiGroups: + - apps.openyurt.io + resources: + - uniteddeployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps.openyurt.io + resources: + - uniteddeployments/status + verbs: + - get + - patch + - update +- apiGroups: + - apps.openyurt.io + resources: + - yurtappdaemons + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps.openyurt.io + resources: + - yurtappdaemons/status + verbs: + - get + - patch + - update +- apiGroups: + - apps.openyurt.io + resources: + - yurtingresses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps.openyurt.io + resources: + - yurtingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - delete + - 
get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: yurt-app-leader-election-rolebinding + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: yurt-app-leader-election-role +subjects: +- kind: ServiceAccount + name: default + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: yurt-app-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: yurt-app-manager-role +subjects: +- kind: ServiceAccount + name: default + namespace: kube-system +--- +apiVersion: v1 +kind: Secret +metadata: + name: yurt-app-webhook-certs + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + name: yurt-app-webhook-service + namespace: kube-system +spec: + ports: + - port: 443 + targetPort: 9876 + selector: + control-plane: yurt-app-manager +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + control-plane: yurt-app-manager + name: yurt-app-manager + namespace: kube-system +spec: + replicas: 2 + selector: + matchLabels: + control-plane: yurt-app-manager + template: + metadata: + labels: + control-plane: yurt-app-manager + spec: + containers: + - args: + - --enable-leader-election + - --v=4 + command: + - /usr/local/bin/yurt-app-manager + image: openyurt/yurt-app-manager:latest + imagePullPolicy: Always + name: manager + ports: + - containerPort: 9443 + name: 
webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + nodeSelector: + beta.kubernetes.io/arch: amd64 + beta.kubernetes.io/os: linux + openyurt.io/is-edge-worker: "false" + priorityClassName: system-node-critical + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.alibabacloud.com/addon + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: yurt-app-webhook-certs +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + template: "" + name: yurt-app-mutating-webhook-configuration +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: yurt-app-webhook-service + namespace: kube-system + path: /mutate-apps-openyurt-io-v1alpha1-nodepool + failurePolicy: Fail + name: mnodepool.kb.io + rules: + - apiGroups: + - apps.openyurt.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - nodepools +- clientConfig: + caBundle: Cg== + service: + name: yurt-app-webhook-service + namespace: kube-system + path: /mutate-apps-openyurt-io-v1alpha1-uniteddeployment + failurePolicy: Fail + name: muniteddeployment.kb.io + rules: + - apiGroups: + - apps.openyurt.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - uniteddeployments +- clientConfig: + caBundle: Cg== + service: + name: yurt-app-webhook-service + namespace: kube-system + path: /mutate-apps-openyurt-io-v1alpha1-yurtappdaemon + failurePolicy: Fail + name: myurtappdaemon.kb.io + rules: + - apiGroups: + - apps.openyurt.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - yurtappdaemons +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + template: "" + name: 
yurt-app-validating-webhook-configuration +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: yurt-app-webhook-service + namespace: kube-system + path: /validate-apps-openyurt-io-v1alpha1-nodepool + failurePolicy: Fail + name: vnodepool.kb.io + rules: + - apiGroups: + - apps.openyurt.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - nodepools +- clientConfig: + caBundle: Cg== + service: + name: yurt-app-webhook-service + namespace: kube-system + path: /validate-apps-openyurt-io-v1alpha1-uniteddeployment + failurePolicy: Fail + name: vuniteddeployment.kb.io + rules: + - apiGroups: + - apps.openyurt.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - uniteddeployments +- clientConfig: + caBundle: Cg== + service: + name: yurt-app-webhook-service + namespace: kube-system + path: /validate-apps-openyurt-io-v1alpha1-yurtappdaemon + failurePolicy: Fail + name: vyurtappdaemon.kb.io + rules: + - apiGroups: + - apps.openyurt.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - yurtappdaemons +- clientConfig: + caBundle: Cg== + service: + name: yurt-app-webhook-service + namespace: kube-system + path: /validate-apps-openyurt-io-v1alpha1-yurtingress + failurePolicy: Fail + name: vyurtingress.kb.io + rules: + - apiGroups: + - apps.openyurt.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - yurtingresses diff --git a/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-controller-manager.yaml b/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-controller-manager.yaml new file mode 100644 index 00000000000..c1330fcf463 --- /dev/null +++ b/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-controller-manager.yaml 
@@ -0,0 +1,148 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: yurt-controller-manager
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ name: yurt-controller-manager
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - pods/status
+ verbs:
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
+ - update
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/approval
+ verbs:
+ - update
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - signers
+ resourceNames:
+ - kubernetes.io/kube-apiserver-client
+ - kubernetes.io/kubelet-serving
+ verbs:
+ - approve
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: yurt-controller-manager
+subjects:
+ - kind: ServiceAccount
+ name: yurt-controller-manager
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: yurt-controller-manager
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: yurt-controller-manager
+ namespace: kube-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: yurt-controller-manager
+ template:
+ metadata:
+ labels:
+ app: yurt-controller-manager
+ spec:
+ serviceAccountName: yurt-controller-manager
+ hostNetwork: true
+ tolerations:
+ - operator: "Exists"
+ nodeSelector:
+ openyurt.io/is-edge-worker: "false"
+ affinity:
+ nodeAffinity:
+ # we prefer allocating ycm on cloud node
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: openyurt.io/is-edge-worker
+ operator: In
+ values:
+ - "false"
+ containers:
+ - name: yurt-controller-manager
+ image: openyurt/yurt-controller-manager:latest
+ command:
+ - yurt-controller-manager
\ No newline at end of file
diff --git a/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-tunnel-agent.yaml b/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-tunnel-agent.yaml
new file mode 100644
index 00000000000..acb2b35341f
--- /dev/null
+++ b/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-tunnel-agent.yaml
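Review bot: The Deployment at the end of the hunk runs `image: openyurt/yurt-controller-manager:latest`, so the controller version baked into this cloud image is whatever the registry serves at pull time and cannot be reproduced or rolled back from this file; pin a release tag or digest, e.g. `image: openyurt/yurt-controller-manager:<release-tag>` (placeholder), and the same applies to the yurt-tunnel-agent and yurt-tunnel-server Deployments in the following hunks. Separately, the ClusterRole grants `approve` on the `kubernetes.io/kube-apiserver-client` and `kubernetes.io/kubelet-serving` signers; approving client-certificate CSRs is close to the power to mint API identities, so a comment above that rule stating which controller needs each signer (presumably the kubelet-serving approver for edge nodes — confirm) would help the next reviewer judge the grant. The `rbac.authorization.kubernetes.io/autoupdate` annotation only affects the bootstrap system roles the API server reconciles and is a no-op on this custom ClusterRole, so it can be dropped.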
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ k8s-app: yurt-tunnel-agent
+ name: yurt-tunnel-agent
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ k8s-app: yurt-tunnel-agent
+ template:
+ metadata:
+ labels:
+ k8s-app: yurt-tunnel-agent
+ spec:
+ nodeSelector:
+ beta.kubernetes.io/os: linux
+ openyurt.io/is-edge-worker: "true"
+ containers:
+ - command:
+ - yurt-tunnel-agent
+ args:
+ - --node-name=$(NODE_NAME)
+ - --node-ip=$(POD_IP)
+ - --v=2
+ image: openyurt/yurt-tunnel-agent:latest
+ imagePullPolicy: IfNotPresent
+ name: yurt-tunnel-agent
+ volumeMounts:
+ - name: k8s-dir
+ mountPath: /etc/kubernetes
+ - name: kubelet-pki
+ mountPath: /var/lib/kubelet/pki
+ - name: tunnel-agent-dir
+ mountPath: /var/lib/yurttunnel-agent
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: NODE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ hostNetwork: true
+ restartPolicy: Always
+ tolerations:
+ - operator: Exists
+ volumes:
+ - name: k8s-dir
+ hostPath:
+ path: /etc/kubernetes
+ type: Directory
+ - name: kubelet-pki
+ hostPath:
+ path: /var/lib/kubelet/pki
+ type: Directory
+ - name: tunnel-agent-dir
+ hostPath:
+ path: /var/lib/yurttunnel-agent
+ type: DirectoryOrCreate
diff --git a/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-tunnel-server.yaml b/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-tunnel-server.yaml
new file mode 100644
index 00000000000..3db48f81165
--- /dev/null
+++ b/config/yurtadm/cloudimage/openyurt-latest/yamls/yurt-tunnel-server.yaml
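Review bot: The `k8s-dir` and `kubelet-pki` volumeMounts give the agent container read-write access to `/etc/kubernetes` and `/var/lib/kubelet/pki`, which hold the node's kubeconfig and kubelet key material; if the agent only reads them (it appears to use them to authenticate toward the tunnel server — confirm), add `readOnly: true` under each of those two mounts so the container cannot alter node credentials, leaving `tunnel-agent-dir` — the only hostPath declared `DirectoryOrCreate` — as the writable one. `image: openyurt/yurt-tunnel-agent:latest` combined with `imagePullPolicy: IfNotPresent` means each edge node keeps whichever build it pulled first, so the fleet silently drifts across versions as `latest` moves and a rebuilt `latest` never reaches nodes that already hold an image; with a pinned tag or digest, `IfNotPresent` becomes a reasonable choice for bandwidth-constrained edge nodes.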
@@ -0,0 +1,227 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ name: tunnel-proxy-client
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/stats
+ - nodes/metrics
+ - nodes/log
+ - nodes/spec
+ - nodes/proxy
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - delete
+ - update
+ - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tunnel-proxy-client
+subjects:
+ - kind: User
+ name: tunnel-proxy-client
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: tunnel-proxy-client
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ name: yurt-tunnel-server
+rules:
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - pods
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - watch
+ - get
+ - create
+ - update
+- apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: yurt-tunnel-server
+subjects:
+ - kind: ServiceAccount
+ name: yurt-tunnel-server
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: yurt-tunnel-server
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: yurt-tunnel-server
+ namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: x-tunnel-server-svc
+ namespace: kube-system
+ labels:
+ name: yurt-tunnel-server
+spec:
+ type: NodePort
+ ports:
+ - port: 10263
+ targetPort: 10263
+ name: https
+ - port: 10262
+ targetPort: 10262
+ name: tcp
+ selector:
+ k8s-app: yurt-tunnel-server
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: x-tunnel-server-internal-svc
+ namespace: kube-system
+ labels:
+ name: yurt-tunnel-server
+spec:
+ ports:
+ - port: 10250
+ targetPort: 10263
+ name: https
+ - port: 10255
+ targetPort: 10264
+ name: http
+ selector:
+ k8s-app: yurt-tunnel-server
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: yurt-tunnel-server-cfg
+ namespace: kube-system
+data:
+ localhost-proxy-ports: "10266, 10267"
+ http-proxy-ports: ""
+ https-proxy-ports: ""
+ dnat-ports-pair: ""
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: yurt-tunnel-server
+ namespace: kube-system
+ labels:
+ k8s-app: yurt-tunnel-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ k8s-app: yurt-tunnel-server
+ template:
+ metadata:
+ labels:
+ k8s-app: yurt-tunnel-server
+ spec:
+ hostNetwork: true
+ serviceAccountName: yurt-tunnel-server
+ restartPolicy: Always
+ volumes:
+ - name: tunnel-server-dir
+ hostPath:
+ path: /var/lib/yurttunnel-server
+ type: DirectoryOrCreate
+ tolerations:
+ - operator: "Exists"
+ nodeSelector:
+ beta.kubernetes.io/arch: amd64
+ beta.kubernetes.io/os: linux
+ openyurt.io/is-edge-worker: "false"
+ containers:
+ - name: yurt-tunnel-server
+ image: openyurt/yurt-tunnel-server:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - yurt-tunnel-server
+ args:
+ - --bind-address=$(NODE_IP)
+ - --insecure-bind-address=$(NODE_IP)
+ - --proxy-strategy=destHost
+ - --v=2
+ env:
+ - name: NODE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN", "NET_RAW"]
+ volumeMounts:
+ - name: tunnel-server-dir
+ mountPath: /var/lib/yurttunnel-server
+
+---
+
+apiVersion: v1
+data:
+ tunnel-nodes: ""
+kind: ConfigMap
+metadata:
+ name: yurt-tunnel-nodes
+ namespace: kube-system
\ No newline at end of file
diff --git a/config/yurtadm/cloudimage/openyurt-latest/yamls/yurthub-cfg.yaml b/config/yurtadm/cloudimage/openyurt-latest/yamls/yurthub-cfg.yaml
new file mode 100644
index 00000000000..679df092920
--- /dev/null
+++ b/config/yurtadm/cloudimage/openyurt-latest/yamls/yurthub-cfg.yaml
@@ -0,0 +1,52 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: yurt-hub
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - apiGroups:
+ - apps.openyurt.io
+ resources:
+ - nodepools
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - yurt-hub-cfg
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: yurt-hub
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: yurt-hub
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:nodes
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: yurt-hub-cfg
+ namespace: kube-system
+data:
+ cache_agents: ""
+ filter_endpoints: coredns/endpoints#list;watch
+ filter_servicetopology: coredns/endpointslices#list;watch
+ filter_discardcloudservice: ""
+ filter_masterservice: ""
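Review bot: `--insecure-bind-address=$(NODE_IP)` together with `hostNetwork: true` in the yurt-tunnel-server Deployment puts the server's insecure listener on the cloud node's routable address rather than loopback; the internal Service maps port 10255 to `targetPort: 10264`, which suggests that is the plain-HTTP port, so anything that can reach the node can use it without TLS. If `x-tunnel-server-internal-svc` is the only intended consumer, a comment above the args such as `# insecure listener is bound on the node IP so x-tunnel-server-internal-svc can reach it; restrict 10264 at the node firewall` records the trade-off, and a NetworkPolicy or host firewall rule should accompany it. The `tunnel-proxy-client` ClusterRole at the top of the hunk grants `create`, `delete`, `update`, `patch`, `list` and `watch` in addition to `get` on `nodes/proxy` and the other node subresources to a single User; those verbs correspond to the HTTP methods the API server will proxy to the kubelet, so trim them to the methods the tunnel actually forwards (likely `get` and `create` — confirm against the server code). `NET_ADMIN` in `add: ["NET_ADMIN", "NET_RAW"]` is plausibly explained by the `dnat-ports-pair` ConfigMap key, but `NET_RAW` has no visible justification and deserves a why-comment or removal.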
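Review bot: The third rule of the `yurt-hub` ClusterRole restricts `list`/`watch` on configmaps with `resourceNames: [yurt-hub-cfg]`; the API server only honors `resourceNames` on list and watch when the request carries a `metadata.name` field selector for that exact name, so an unfiltered configmap list from yurthub is denied under this role. Worth a comment above the rule, e.g. `# list/watch here only authorize requests filtered by metadata.name=yurt-hub-cfg`, or a check that yurthub always sends that selector. The grant is also cluster-wide and bound to the whole `system:nodes` group although the ConfigMap lives in `kube-system`; unless yurthub must read a same-named ConfigMap in other namespaces, a namespaced Role plus RoleBinding in `kube-system` is the tighter equivalent for that rule.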