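---
# kube-flannel: PodSecurityPolicy, RBAC, config and DaemonSet for the flannel
# CNI overlay. Apply as one multi-document file.
#
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes
# 1.25; on such clusters this first document is rejected and the PSP `use`
# rule in the ClusterRole below is inert.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  volumes:
    - configMap
    - secret
    - emptyDir
    - hostPath
  # A non-empty allowedHostPaths list is an allow-list: every hostPath volume
  # the DaemonSet mounts must match one of these prefixes or PSP admission
  # rejects the pod. /opt/cni/bin is mounted by the install-cni-plugin init
  # container (it needs write access to copy the plugin binary in).
  allowedHostPaths:
    - pathPrefix: "/etc/cni/net.d"
    - pathPrefix: "/etc/kube-flannel"
    - pathPrefix: "/run/flannel"
    - pathPrefix: "/opt/cni/bin"
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities: only what the kube-flannel container adds below.
  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces: flanneld runs in the host network namespace; PID and
  # IPC stay isolated.
  hostPID: false
  hostIPC: false
  hostNetwork: true
  hostPorts:
    - min: 0
      max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
  # The PSP above is served from the `policy` API group, so the `use`
  # permission must be granted there as well; `extensions` is kept for
  # older PSP admission controllers that still check the legacy group.
  - apiGroups: ['extensions', 'policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['psp.flannel.unprivileged']
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
  - kind: ServiceAccount
    name: flannel
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  # Installed to /etc/cni/net.d/10-flannel.conflist by the install-cni init
  # container.
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  # "Network" must equal the cluster pod CIDR the control plane was
  # initialised with; a mismatch leaves pods without cross-node routes.
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Copies the flannel CNI plugin binary onto the host.
        - name: install-cni-plugin
          image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.0
          command:
            - cp
          args:
            - -f
            - /flannel
            - /opt/cni/bin/flannel
          volumeMounts:
            - name: cni-plugin
              mountPath: /opt/cni/bin
        # Copies the CNI conflist from the ConfigMap onto the host.
        - name: install-cni
          image: quay.io/coreos/flannel:v0.15.1
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.15.1
          command:
            - /opt/bin/flanneld
          args:
            - --ip-masq
            - --kube-subnet-mgr
            # NOTE(review): the node interface is hard-coded; nodes whose
            # cluster-facing NIC is not eth1 will advertise the wrong
            # address — confirm against the target hosts.
            - --iface=eth1
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          # Unprivileged; only the two capabilities the PSP allows are added.
          securityContext:
            privileged: false
            capabilities:
              add: ["NET_ADMIN", "NET_RAW"]
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      # Every hostPath here must be covered by the PSP's allowedHostPaths.
      volumes:
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni-plugin
          hostPath:
            path: /opt/cni/bin
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg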