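# Source: github.com/jlmeeker/kismatic@v1.10.1-0.20180612190640-57f9005a1f1a/ansible/roles/calico-network-policy/templates/network-policy-controller.yaml
#
# This manifest deploys the Calico Kubernetes controllers.
# See https://github.com/projectcalico/kube-controllers
#
# It is a Jinja template: every "{{ ... }}" value is filled in by Ansible
# before the result is parsed as YAML, so those values stay quoted.

---
# Read-only access: only watch and list are granted, on the resources
# listed below. No write verbs are given to the controllers' identity.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # ClusterRole is a cluster-scoped kind, so no namespace is set here.
  name: calico-kube-controllers
rules:
  - apiGroups:
      - ""
      - extensions
    resources:
      - pods
      - namespaces
      - networkpolicies
      - nodes
    verbs:
      - watch
      - list
---
# Grants the ClusterRole above to the calico-kube-controllers
# ServiceAccount in kube-system, and to no other subject.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system
---
# Dedicated identity for the controllers pod (referenced by
# serviceAccountName in the Deployment below).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    tier: control-plane
    k8s-app: calico-kube-controllers
  annotations:
    kismatic/version: "{{ kismatic_short_version }}"
    # NOTE(review): this annotation is set on the Deployment object, not on
    # spec.template.metadata; confirm the pods are meant to carry it.
    scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
  selector:
    matchLabels:
      k8s-app: calico-kube-controllers
  # The controllers can only have a single active instance.
  replicas: 1
  # Recreate stops the old pod before starting the new one, which keeps
  # the single-instance rule above during rollouts.
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
      labels:
        tier: control-plane
        k8s-app: calico-kube-controllers
    spec:
      # The controllers must run in the host network namespace so that
      # it isn't governed by policy that would prevent it from working.
      hostNetwork: true
      serviceAccountName: calico-kube-controllers
      # No key is given, so this tolerates every NoSchedule taint and the
      # pod may be placed on any tainted node, masters included.
      tolerations:
        - effect: NoSchedule
          operator: Exists
      # etcd TLS material is taken straight from the node's filesystem.
      # NOTE(review): the paths come from kubernetes_certificates; confirm
      # this client identity is scoped to the data Calico needs in etcd.
      volumes:
        - name: "ca"
          hostPath:
            path: "{{ kubernetes_certificates.ca }}"
        - name: "cert"
          hostPath:
            path: "{{ kubernetes_certificates.etcd_client }}"
        - name: "key"
          hostPath:
            path: "{{ kubernetes_certificates.etcd_client_key }}"
      containers:
        - name: calico-kube-controllers
          image: "{{ images.calico_kube_controller }}"
          # Each file is mounted at the same path it has on the host.
          # The mounts are read-only: the container only needs to read the
          # certificates and must not be able to alter the host's copies.
          volumeMounts:
            - mountPath: "{{ kubernetes_certificates.ca }}"
              name: "ca"
              readOnly: true
            - mountPath: "{{ kubernetes_certificates.etcd_client }}"
              name: "cert"
              readOnly: true
            # Private key of the etcd client certificate.
            - mountPath: "{{ kubernetes_certificates.etcd_client_key }}"
              name: "key"
              readOnly: true
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Location of the CA certificate for etcd.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # The location of the Kubernetes API, rendered from the
            # kubernetes_master_ip template variable.
            - name: K8S_API
              value: "{{ kubernetes_master_ip }}"
            - name: CONFIGURE_ETC_HOSTS
              value: "true"
            # Choose which controllers to run.
            - name: ENABLED_CONTROLLERS
              value: "policy,profile,workloadendpoint,node"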