Unify template manifest (#20)
* Template more info in the manifests

The following attributes were added:
  - namespace info to metadata
  - image pull policy to running container
  - CPU / memory requests to running container

Also simplify the manifest - e.g. container image - so it can be
easily imported by CNAO.

Signed-off-by: Miguel Duarte Barroso <[email protected]>

* Add security context constraint template & manifest

This template and the generated manifest are required to deploy on
OKD, where an SCC is needed before a privileged container is allowed
to run.

Signed-off-by: Miguel Duarte Barroso <[email protected]>

* Add namespace templates & generated manifests

Signed-off-by: Miguel Duarte Barroso <[email protected]>
maiqueb authored Mar 13, 2020
1 parent 0c1d111 commit 5bf0c10
Showing 8 changed files with 76 additions and 21 deletions.
7 changes: 5 additions & 2 deletions Makefile
@@ -1,9 +1,12 @@
CNI_MOUNT_PATH ?= /opt/cni/bin

IMAGE_REGISTRY ?= quay.io/kubevirt
IMAGE_NAME ?= macvtap-cni
IMAGE_REGISTRY ?= quay.io/kubevirt
IMAGE_PULL_POLICY ?= Always
IMAGE_TAG ?= latest

NAMESPACE ?= default

TARGETS = \
goimports-format \
goimports-check \
Expand Down Expand Up @@ -86,7 +89,7 @@ test/unit:
go test ./cmd/... ./pkg/... -v --ginkgo.v

manifests:
IMAGE_REGISTRY=$(IMAGE_REGISTRY) IMAGE_NAME=$(IMAGE_NAME) IMAGE_TAG=$(IMAGE_TAG) CNI_MOUNT_PATH=$(CNI_MOUNT_PATH) ./hack/generate-manifests.sh
IMAGE_REGISTRY=$(IMAGE_REGISTRY) IMAGE_NAME=$(IMAGE_NAME) IMAGE_TAG=$(IMAGE_TAG) CNI_MOUNT_PATH=$(CNI_MOUNT_PATH) NAMESPACE=$(NAMESPACE) IMAGE_PULL_POLICY=$(IMAGE_PULL_POLICY) ./hack/generate-manifests.sh

vendor:
go mod tidy
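Review bot: `NAMESPACE ?= default` makes the generated manifests/namespace.yaml declare the cluster's built-in `default` namespace and places the service account the new SCC privileges (`system:serviceaccount:default:macvtap-cni`) in that shared namespace. The built-in `default` namespace cannot be deleted, so a `kubectl delete -f manifests/` round-trip fails on it, and the privileged/hostPath grant lands in a namespace other workloads commonly share. A dedicated default such as `NAMESPACE ?= macvtap-cni` keeps the Namespace object owned by this project and narrows the SCC grant. Separately, the new `IMAGE_PULL_POLICY ?= Always` combined with the existing `IMAGE_TAG ?= latest` re-resolves a mutable tag on every pod restart; a comment noting that production deploys should pass a pinned tag (or digest) would help operators reading this file.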
16 changes: 9 additions & 7 deletions hack/generate-manifests.sh
Expand Up @@ -2,19 +2,21 @@

set -ex

CNI_MOUNT_PATH=${CNI_MOUNT_PATH} # the default is stored in Makefile
IMAGE_REGISTRY=${IMAGE_REGISTRY} # the default is stored in Makefile
IMAGE_NAME=${IMAGE_NAME} # the default is stored in Makefile
IMAGE_TAG=${IMAGE_TAG} # the default is store in Makefile
CNI_MOUNT_PATH=${CNI_MOUNT_PATH} # the default is stored in Makefile
NAMESPACE=${NAMESPACE} # the default is store in Makefile
IMAGE_PULL_POLICY=${IMAGE_PULL_POLICY} # the default is store in Makefile

# compose the full img name - defaults in Makefile
MACVTAP_IMG=${IMAGE_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}

DESTINATION=${DESTINATION:-manifests}

for template in templates/*.in; do
name=$(basename ${template%.in})
sed \
-e "s#{{ .ImageRegistry }}#${IMAGE_REGISTRY}#g" \
-e "s#{{ .ImageName }}#${IMAGE_NAME}#g" \
-e "s#{{ .ImageTag }}#${IMAGE_TAG}#g" \
-e "s#{{ .MacvtapImage }}#${MACVTAP_IMG}#g" \
-e "s#{{ .CniMountPath }}#${CNI_MOUNT_PATH}#g" \
-e "s#{{ .Namespace }}#${NAMESPACE}#g" \
-e "s#{{ .ImagePullPolicy }}#${IMAGE_PULL_POLICY}#g" \
${template} > ${DESTINATION}/${name}
done
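Review bot: The new `NAMESPACE=${NAMESPACE}` and `IMAGE_PULL_POLICY=${IMAGE_PULL_POLICY}` lines are no-op self-assignments, so when the script is run outside `make` with either variable unset, `set -ex` does not stop it and sed substitutes an empty string: the DaemonSet is rendered with `namespace:` (null) and the SCC user entry becomes `system:serviceaccount::macvtap-cni`. Guarding each input, e.g. `: "${NAMESPACE:?NAMESPACE must be set}"` and `: "${IMAGE_PULL_POLICY:?IMAGE_PULL_POLICY must be set}"` (or enabling `set -u`), turns that into a hard failure before any manifest is written. The comment copied onto both new lines reads `the default is store in Makefile`; `stored` is intended. Note also that the `#`-delimited sed expressions pass the values unescaped, so a value containing `#`, `&` or `\` would corrupt the rendered manifest rather than fail.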
17 changes: 12 additions & 5 deletions manifests/macvtap.yaml
Expand Up @@ -2,6 +2,7 @@ apiVersion: apps/v1
kind: DaemonSet
metadata:
name: macvtap-cni
namespace: default
spec:
selector:
matchLabels:
Expand All @@ -15,22 +16,28 @@ spec:
hostPID: true
containers:
- name: macvtap-cni
command: [ "/macvtap-deviceplugin", "-v", "3", "-logtostderr"]
envFrom:
- configMapRef:
name: macvtap-deviceplugin-config
image: quay.io/kubevirt/macvtap-cni:latest
imagePullPolicy: Always
resources:
requests:
cpu: "60m"
memory: "30Mi"
securityContext:
privileged: true
envFrom:
- configMapRef:
name: macvtap-deviceplugin-config
command: [ "/macvtap-deviceplugin", "-v", "3", "-logtostderr"]
volumeMounts:
- name: deviceplugin
mountPath: /var/lib/kubelet/device-plugins
initContainers:
- name: install-cni
command: ['cp', '/macvtap-cni', '/host/opt/cni/bin/macvtap']
image: quay.io/kubevirt/macvtap-cni:latest
imagePullPolicy: Always
securityContext:
privileged: true
command: ['cp', '/macvtap-cni', '/host/opt/cni/bin/macvtap']
volumeMounts:
- name: cni
mountPath: /host/opt/cni/bin
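--- a/manifests/namespace.yaml
+++ b/manifests/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: default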
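--- a/manifests/scc.yaml
+++ b/manifests/scc.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: macvtap-cni
+allowHostNetwork: true
+allowPrivilegedContainer: true
+allowHostDirVolumePlugin: true
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+users:
+  - system:serviceaccount:default:macvtap-cni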
21 changes: 14 additions & 7 deletions templates/macvtap.yaml.in
Expand Up @@ -2,6 +2,7 @@ apiVersion: apps/v1
kind: DaemonSet
metadata:
name: macvtap-cni
namespace: {{ .Namespace }}
spec:
selector:
matchLabels:
Expand All @@ -15,22 +16,28 @@ spec:
hostPID: true
containers:
- name: macvtap-cni
image: {{ .ImageRegistry }}/{{ .ImageName }}:{{ .ImageTag }}
command: [ "/macvtap-deviceplugin", "-v", "3", "-logtostderr"]
envFrom:
- configMapRef:
name: macvtap-deviceplugin-config
image: {{ .MacvtapImage }}
imagePullPolicy: {{ .ImagePullPolicy }}
resources:
requests:
cpu: "60m"
memory: "30Mi"
securityContext:
privileged: true
envFrom:
- configMapRef:
name: macvtap-deviceplugin-config
volumeMounts:
- name: deviceplugin
mountPath: /var/lib/kubelet/device-plugins
command: [ "/macvtap-deviceplugin", "-v", "3", "-logtostderr"]
initContainers:
- name: install-cni
image: {{ .ImageRegistry }}/{{ .ImageName }}:{{ .ImageTag }}
command: ['cp', '/macvtap-cni', '/host/opt/cni/bin/macvtap']
image: {{ .MacvtapImage }}
imagePullPolicy: {{ .ImagePullPolicy }}
securityContext:
privileged: true
command: ['cp', '/macvtap-cni', '/host/opt/cni/bin/macvtap']
volumeMounts:
- name: cni
mountPath: /host/opt/cni/bin
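Review bot: The templated scalars `namespace: {{ .Namespace }}` and `imagePullPolicy: {{ .ImagePullPolicy }}` (on both containers) are unquoted, so an empty expansion renders `namespace:`, which YAML reads as null and kubectl then fills from the current context — silently decoupling the DaemonSet from the namespace the SCC's `users` entry names. Quoting them, `namespace: "{{ .Namespace }}"` and `imagePullPolicy: "{{ .ImagePullPolicy }}"`, keeps the rendered values plain strings and avoids YAML retyping surprises; the empty-expansion case itself is best rejected in hack/generate-manifests.sh before rendering. The same applies to `name: {{ .Namespace }}` in templates/namespace.yaml.in. The pod spec's leading fields (serviceAccountName, hostNetwork, if any) lie above this hunk and are not visible here.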
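--- a/templates/namespace.yaml.in
+++ b/templates/namespace.yaml.in
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Namespace }}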
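--- a/templates/scc.yaml.in
+++ b/templates/scc.yaml.in
@@ -0,0 +1,14 @@
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: macvtap-cni
+allowHostNetwork: true
+allowPrivilegedContainer: true
+allowHostDirVolumePlugin: true
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+users:
+  - system:serviceaccount:{{ .Namespace }}:macvtap-cni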
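Review bot: The SCC leaves `allowHostPID` unset while templates/macvtap.yaml.in sets `hostPID: true` on the pod, and OpenShift's SCC admission validates host PID separately from `allowPrivilegedContainer`, so this SCC alone would not admit the DaemonSet pods; `allowHostPID: true` is needed unless a broader SCC such as the built-in `privileged` one is already bound to the service account. Conversely, `allowHostNetwork: true` is granted although no `hostNetwork: true` is visible in the DaemonSet hunk — if the pod spec (which continues above that hunk) does not need it, drop it to keep the grant minimal. The `users` entry presumes a ServiceAccount named `macvtap-cni` and a matching `serviceAccountName` on the DaemonSet; neither appears among this commit's eight files, so confirm they are defined elsewhere. A short comment above `allowPrivilegedContainer` stating why privilege is required (installing the CNI binary on the host and serving the device-plugin socket) would document the risk for future reviewers.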
