kube-flannel.yml

  

  1 ---
  2 apiVersion: policy/v1beta1
  3 kind: PodSecurityPolicy
  4 metadata:
  5   name: psp.flannel.unprivileged
  6   annotations:
  7     seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
  8     seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  9     apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
 10     apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
 11 spec:
 12   privileged: false
 13   volumes:
 14     - configMap
 15     - secret
 16     - emptyDir
 17     - hostPath
 18   allowedHostPaths:
 19     - pathPrefix: "/etc/cni/net.d"
 20     - pathPrefix: "/etc/kube-flannel"
 21     - pathPrefix: "/run/flannel"
 22   readOnlyRootFilesystem: false
 23   runAsUser:
 24     rule: RunAsAny
 25   supplementalGroups:
 26     rule: RunAsAny
 27   fsGroup:
 28     rule: RunAsAny
 29   allowPrivilegeEscalation: false
 30   defaultAllowPrivilegeEscalation: false
 31   allowedCapabilities: ['NET_ADMIN']
 32   defaultAddCapabilities: []
 33   requiredDropCapabilities: []
 34   hostPID: false
 35   hostIPC: false
 36   hostNetwork: true
 37   hostPorts:
 38   - min: 0
 39     max: 65535
 40   seLinux:
 41     rule: 'RunAsAny'
 42 ---
 43 kind: ClusterRole
 44 apiVersion: rbac.authorization.k8s.io/v1beta1
 45 metadata:
 46   name: flannel
 47 rules:
 48   - apiGroups: ['extensions']
 49     resources: ['podsecuritypolicies']
 50     verbs: ['use']
 51     resourceNames: ['psp.flannel.unprivileged']
 52   - apiGroups:
 53       - ""
 54     resources:
 55       - pods
 56     verbs:
 57       - get
 58   - apiGroups:
 59       - ""
 60     resources:
 61       - nodes
 62     verbs:
 63       - list
 64       - watch
 65   - apiGroups:
 66       - ""
 67     resources:
 68       - nodes/status
 69     verbs:
 70       - patch
 71 ---
 72 kind: ClusterRoleBinding
 73 apiVersion: rbac.authorization.k8s.io/v1beta1
 74 metadata:
 75   name: flannel
 76 roleRef:
 77   apiGroup: rbac.authorization.k8s.io
 78   kind: ClusterRole
 79   name: flannel
 80 subjects:
 81 - kind: ServiceAccount
 82   name: flannel
 83   namespace: kube-system
 84 ---
 85 apiVersion: v1
 86 kind: ServiceAccount
 87 metadata:
 88   name: flannel
 89   namespace: kube-system
 90 ---
 91 kind: ConfigMap
 92 apiVersion: v1
 93 metadata:
 94   name: kube-flannel-cfg
 95   namespace: kube-system
 96   labels:
 97     tier: node
 98     app: flannel
 99 data:
100   cni-conf.json: |
101     {
102       "cniVersion": "0.2.0",
103       "name": "cbr0",
104       "plugins": [
105         {
106           "type": "flannel",
107           "delegate": {
108             "hairpinMode": true,
109             "isDefaultGateway": true
110           }
111         },
112         {
113           "type": "portmap",
114           "capabilities": {
115             "portMappings": true
116           }
117         }
118       ]
119     }
120   net-conf.json: |
121     {
122       "Network": "10.244.0.0/16",
123       "Backend": {
124         "Type": "vxlan"
125       }
126     }
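---
# flannel node agent for linux/amd64 nodes. An init container installs the CNI
# config onto the host, then flanneld runs in the node's network namespace.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-amd64
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              # NOTE(review): the beta.kubernetes.io/os and /arch node labels
              # are deprecated in favour of kubernetes.io/os and
              # kubernetes.io/arch - confirm which labels the target nodes
              # carry before switching.
              - matchExpressions:
                  - key: beta.kubernetes.io/os
                    operator: In
                    values:
                      - linux
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
      # The pod shares the node's network namespace.
      hostNetwork: true
      # No key is given, so every taint with effect NoSchedule is tolerated.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Copies the CNI config from the ConfigMap into the host's CNI dir.
        - name: install-cni
          # The image is referenced by tag only, and a tag can be re-pointed at
          # the registry. Pinning by digest
          # (image@sha256:<DIGEST_PLACEHOLDER>) fixes the content that runs.
          image: quay.io/coreos/flannel:v0.11.0-amd64
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          # Matches allowPrivilegeEscalation: false in the PodSecurityPolicy
          # in this file, so the limit also holds where that policy is not
          # enforced.
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          # Tag-only reference; see the note on the init container image.
          image: quay.io/coreos/flannel:v0.11.0-amd64
          command:
            - /opt/bin/flanneld
          args:
            - --ip-masq
            - --kube-subnet-mgr
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          securityContext:
            # Not privileged; NET_ADMIN is the only added capability.
            privileged: false
            # Stated explicitly so it does not depend on the
            # PodSecurityPolicy default being applied by admission.
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
        # Host directories mounted read-write into the pod.
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg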
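---
# flannel node agent for linux/arm64 nodes. An init container installs the CNI
# config onto the host, then flanneld runs in the node's network namespace.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-arm64
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              # NOTE(review): the beta.kubernetes.io/os and /arch node labels
              # are deprecated in favour of kubernetes.io/os and
              # kubernetes.io/arch - confirm which labels the target nodes
              # carry before switching.
              - matchExpressions:
                  - key: beta.kubernetes.io/os
                    operator: In
                    values:
                      - linux
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - arm64
      # The pod shares the node's network namespace.
      hostNetwork: true
      # No key is given, so every taint with effect NoSchedule is tolerated.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Copies the CNI config from the ConfigMap into the host's CNI dir.
        - name: install-cni
          # The image is referenced by tag only, and a tag can be re-pointed at
          # the registry. Pinning by digest
          # (image@sha256:<DIGEST_PLACEHOLDER>) fixes the content that runs.
          image: quay.io/coreos/flannel:v0.11.0-arm64
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          # Matches allowPrivilegeEscalation: false in the PodSecurityPolicy
          # in this file, so the limit also holds where that policy is not
          # enforced.
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          # Tag-only reference; see the note on the init container image.
          image: quay.io/coreos/flannel:v0.11.0-arm64
          command:
            - /opt/bin/flanneld
          args:
            - --ip-masq
            - --kube-subnet-mgr
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          securityContext:
            # Not privileged; NET_ADMIN is the only added capability.
            privileged: false
            # Stated explicitly so it does not depend on the
            # PodSecurityPolicy default being applied by admission.
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
        # Host directories mounted read-write into the pod.
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg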
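---
# flannel node agent for linux/arm nodes. An init container installs the CNI
# config onto the host, then flanneld runs in the node's network namespace.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-arm
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              # NOTE(review): the beta.kubernetes.io/os and /arch node labels
              # are deprecated in favour of kubernetes.io/os and
              # kubernetes.io/arch - confirm which labels the target nodes
              # carry before switching.
              - matchExpressions:
                  - key: beta.kubernetes.io/os
                    operator: In
                    values:
                      - linux
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - arm
      # The pod shares the node's network namespace.
      hostNetwork: true
      # No key is given, so every taint with effect NoSchedule is tolerated.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Copies the CNI config from the ConfigMap into the host's CNI dir.
        - name: install-cni
          # The image is referenced by tag only, and a tag can be re-pointed at
          # the registry. Pinning by digest
          # (image@sha256:<DIGEST_PLACEHOLDER>) fixes the content that runs.
          image: quay.io/coreos/flannel:v0.11.0-arm
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          # Matches allowPrivilegeEscalation: false in the PodSecurityPolicy
          # in this file, so the limit also holds where that policy is not
          # enforced.
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          # Tag-only reference; see the note on the init container image.
          image: quay.io/coreos/flannel:v0.11.0-arm
          command:
            - /opt/bin/flanneld
          args:
            - --ip-masq
            - --kube-subnet-mgr
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          securityContext:
            # Not privileged; NET_ADMIN is the only added capability.
            privileged: false
            # Stated explicitly so it does not depend on the
            # PodSecurityPolicy default being applied by admission.
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
        # Host directories mounted read-write into the pod.
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg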
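---
# flannel node agent for linux/ppc64le nodes. An init container installs the
# CNI config onto the host, then flanneld runs in the node's network namespace.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-ppc64le
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              # NOTE(review): the beta.kubernetes.io/os and /arch node labels
              # are deprecated in favour of kubernetes.io/os and
              # kubernetes.io/arch - confirm which labels the target nodes
              # carry before switching.
              - matchExpressions:
                  - key: beta.kubernetes.io/os
                    operator: In
                    values:
                      - linux
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
      # The pod shares the node's network namespace.
      hostNetwork: true
      # No key is given, so every taint with effect NoSchedule is tolerated.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Copies the CNI config from the ConfigMap into the host's CNI dir.
        - name: install-cni
          # The image is referenced by tag only, and a tag can be re-pointed at
          # the registry. Pinning by digest
          # (image@sha256:<DIGEST_PLACEHOLDER>) fixes the content that runs.
          image: quay.io/coreos/flannel:v0.11.0-ppc64le
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          # Matches allowPrivilegeEscalation: false in the PodSecurityPolicy
          # in this file, so the limit also holds where that policy is not
          # enforced.
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          # Tag-only reference; see the note on the init container image.
          image: quay.io/coreos/flannel:v0.11.0-ppc64le
          command:
            - /opt/bin/flanneld
          args:
            - --ip-masq
            - --kube-subnet-mgr
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          securityContext:
            # Not privileged; NET_ADMIN is the only added capability.
            privileged: false
            # Stated explicitly so it does not depend on the
            # PodSecurityPolicy default being applied by admission.
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
        # Host directories mounted read-write into the pod.
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg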
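---
# flannel node agent for linux/s390x nodes. An init container installs the CNI
# config onto the host, then flanneld runs in the node's network namespace.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-s390x
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              # NOTE(review): the beta.kubernetes.io/os and /arch node labels
              # are deprecated in favour of kubernetes.io/os and
              # kubernetes.io/arch - confirm which labels the target nodes
              # carry before switching.
              - matchExpressions:
                  - key: beta.kubernetes.io/os
                    operator: In
                    values:
                      - linux
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - s390x
      # The pod shares the node's network namespace.
      hostNetwork: true
      # No key is given, so every taint with effect NoSchedule is tolerated.
      tolerations:
        - operator: Exists
          effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
        # Copies the CNI config from the ConfigMap into the host's CNI dir.
        - name: install-cni
          # The image is referenced by tag only, and a tag can be re-pointed at
          # the registry. Pinning by digest
          # (image@sha256:<DIGEST_PLACEHOLDER>) fixes the content that runs.
          image: quay.io/coreos/flannel:v0.11.0-s390x
          command:
            - cp
          args:
            - -f
            - /etc/kube-flannel/cni-conf.json
            - /etc/cni/net.d/10-flannel.conflist
          # Matches allowPrivilegeEscalation: false in the PodSecurityPolicy
          # in this file, so the limit also holds where that policy is not
          # enforced.
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: cni
              mountPath: /etc/cni/net.d
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      containers:
        - name: kube-flannel
          # Tag-only reference; see the note on the init container image.
          image: quay.io/coreos/flannel:v0.11.0-s390x
          command:
            - /opt/bin/flanneld
          args:
            - --ip-masq
            - --kube-subnet-mgr
          resources:
            requests:
              cpu: "100m"
              memory: "50Mi"
            limits:
              cpu: "100m"
              memory: "50Mi"
          securityContext:
            # Not privileged; NET_ADMIN is the only added capability.
            privileged: false
            # Stated explicitly so it does not depend on the
            # PodSecurityPolicy default being applied by admission.
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: run
              mountPath: /run/flannel
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
        # Host directories mounted read-write into the pod.
        - name: run
          hostPath:
            path: /run/flannel
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg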

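Image references rewritten to registry mirrors (upstream ==> mirror). The mirror, not the upstream registry, then serves the image, so compare the mirrored image's digest with the upstream one before deploying. The example tag below is v0.10.0, while the manifest above uses v0.11.0.

quay.io/coreos/flannel:v0.10.0-s390x          ==>       quay-mirror.qiniu.com/coreos/flannel:v0.10.0-s390x

gcr.io/google_containers/kube-proxy          ==>       registry.aliyuncs.com/google_containers/kube-proxy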


转载自www.cnblogs.com/dissipate/p/13190974.html