From 5bf0c107bc18e4f4ddff5c382106299b89f2c2a0 Mon Sep 17 00:00:00 2001
From: Miguel Duarte Barroso
Date: Sat, 14 Mar 2020 00:14:00 +0100
Subject: [PATCH] Unify template manifest (#20)

* Template more info in the manifests

The following attributes were added:
- namespace info to metadata
- image pull policy to running container
- CPU / memory requests to running container

Also simplify the manifest - e.g. container image - so it can be easily imported by CNAO.

Signed-off-by: Miguel Duarte Barroso

* Add security context constraint template & manifest

This template and generated manifest are paramount to deploy in OKD, where an SCC is required to be able to run a privileged container.

Signed-off-by: Miguel Duarte Barroso

* Add namespace templates & generated manifests

Signed-off-by: Miguel Duarte Barroso
---
 Makefile | 7 +++++--
 hack/generate-manifests.sh | 16 +++++++++-------
 manifests/macvtap.yaml | 17 ++++++++++++-----
 manifests/namespace.yaml | 4 ++++
 manifests/scc.yaml | 14 ++++++++++++++
 templates/macvtap.yaml.in | 21 ++++++++++++++------
 templates/namespace.yaml.in | 4 ++++
 templates/scc.yaml.in | 14 ++++++++++++++
 8 files changed, 76 insertions(+), 21 deletions(-)
 create mode 100644 manifests/namespace.yaml
 create mode 100644 manifests/scc.yaml
 create mode 100644 templates/namespace.yaml.in
 create mode 100644 templates/scc.yaml.in

diff --git a/Makefile b/Makefile
index aac71f7e..61694e5a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,12 @@
 CNI_MOUNT_PATH ?= /opt/cni/bin
-IMAGE_REGISTRY ?= quay.io/kubevirt
 IMAGE_NAME ?= macvtap-cni
+IMAGE_REGISTRY ?= quay.io/kubevirt
+IMAGE_PULL_POLICY ?= Always
 IMAGE_TAG ?= latest
+NAMESPACE ?= default
+
 
 
 TARGETS = \
 	goimports-format \
 	goimports-check \
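Review bot: `NAMESPACE ?= default` makes every generated manifest, including the SCC `users` entry, target the cluster's `default` namespace, so the privileged DaemonSet and the grant to `system:serviceaccount:default:macvtap-cni` land next to whatever else runs there. A component-specific default (constructed example: `NAMESPACE ?= macvtap-cni`) keeps the privileged workload and its SCC binding scoped to this component and lets the generated Namespace manifest create something rather than describe the protected `default` namespace. The `IMAGE_PULL_POLICY ?= Always` / `IMAGE_TAG ?= latest` pairing means each node re-pulls a mutable tag for a privileged container; fine for development, but release manifests should be generated with a pinned `IMAGE_TAG`.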
@@ -86,7 +89,7 @@ test/unit:
 	go test ./cmd/... ./pkg/... -v --ginkgo.v
 
 manifests:
-	IMAGE_REGISTRY=$(IMAGE_REGISTRY) IMAGE_NAME=$(IMAGE_NAME) IMAGE_TAG=$(IMAGE_TAG) CNI_MOUNT_PATH=$(CNI_MOUNT_PATH) ./hack/generate-manifests.sh
+	IMAGE_REGISTRY=$(IMAGE_REGISTRY) IMAGE_NAME=$(IMAGE_NAME) IMAGE_TAG=$(IMAGE_TAG) CNI_MOUNT_PATH=$(CNI_MOUNT_PATH) NAMESPACE=$(NAMESPACE) IMAGE_PULL_POLICY=$(IMAGE_PULL_POLICY) ./hack/generate-manifests.sh
 
 vendor:
 	go mod tidy
diff --git a/hack/generate-manifests.sh b/hack/generate-manifests.sh
index 2dd21167..de2c7a4f 100755
--- a/hack/generate-manifests.sh
+++ b/hack/generate-manifests.sh
@@ -2,19 +2,21 @@
 
 set -ex
 
-CNI_MOUNT_PATH=${CNI_MOUNT_PATH} # the default is stored in Makefile
-IMAGE_REGISTRY=${IMAGE_REGISTRY} # the default is stored in Makefile
-IMAGE_NAME=${IMAGE_NAME} # the default is stored in Makefile
-IMAGE_TAG=${IMAGE_TAG} # the default is store in Makefile
+CNI_MOUNT_PATH=${CNI_MOUNT_PATH} # the default is stored in Makefile
+NAMESPACE=${NAMESPACE} # the default is store in Makefile
+IMAGE_PULL_POLICY=${IMAGE_PULL_POLICY} # the default is store in Makefile
+
+# compose the full img name - defaults in Makefile
+MACVTAP_IMG=${IMAGE_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}
 
 DESTINATION=${DESTINATION:-manifests}
 
 for template in templates/*.in; do
     name=$(basename ${template%.in})
     sed \
-        -e "s#{{ .ImageRegistry }}#${IMAGE_REGISTRY}#g" \
-        -e "s#{{ .ImageName }}#${IMAGE_NAME}#g" \
-        -e "s#{{ .ImageTag }}#${IMAGE_TAG}#g" \
+        -e "s#{{ .MacvtapImage }}#${MACVTAP_IMG}#g" \
         -e "s#{{ .CniMountPath }}#${CNI_MOUNT_PATH}#g" \
+        -e "s#{{ .Namespace }}#${NAMESPACE}#g" \
+        -e "s#{{ .ImagePullPolicy }}#${IMAGE_PULL_POLICY}#g" \
         ${template} > ${DESTINATION}/${name}
 done
diff --git a/manifests/macvtap.yaml b/manifests/macvtap.yaml
index 9aeb1f59..8f4fa072 100644
--- a/manifests/macvtap.yaml
+++ b/manifests/macvtap.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: macvtap-cni
+  namespace: default
 spec:
   selector:
     matchLabels:
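Review bot: The script runs under `set -ex` without `-u`, so a caller that invokes it directly and omits `NAMESPACE` or `IMAGE_PULL_POLICY` gets them expanded to empty strings, and the new sed expressions then emit `namespace:` and `imagePullPolicy:` with no value, which the YAML consumer reads as null instead of failing the build. The `NAMESPACE=${NAMESPACE}` self-assignments do not catch this; replacing them with `: "${NAMESPACE:?the default is stored in Makefile}"` (and the same for `IMAGE_PULL_POLICY`, `CNI_MOUNT_PATH`, `IMAGE_REGISTRY`, `IMAGE_NAME`, `IMAGE_TAG`) makes a missing input abort with a message. Separately, `#` is the sed delimiter and `&` is special in the replacement, so a `CNI_MOUNT_PATH` or image reference containing either silently corrupts the generated manifest; a comment such as `# values must not contain '#' or '&' (sed delimiter / backreference)` would at least document the constraint. `${template}` and `${DESTINATION}/${name}` are also unquoted, which only matters if `DESTINATION` is ever set to a path with spaces.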
@@ -15,22 +16,28 @@ spec:
       hostPID: true
       containers:
       - name: macvtap-cni
+        command: [ "/macvtap-deviceplugin", "-v", "3", "-logtostderr"]
+        envFrom:
+        - configMapRef:
+            name: macvtap-deviceplugin-config
         image: quay.io/kubevirt/macvtap-cni:latest
+        imagePullPolicy: Always
+        resources:
+          requests:
+            cpu: "60m"
+            memory: "30Mi"
         securityContext:
           privileged: true
-        envFrom:
-        - configMapRef:
-            name: macvtap-deviceplugin-config
-        command: [ "/macvtap-deviceplugin", "-v", "3", "-logtostderr"]
         volumeMounts:
         - name: deviceplugin
           mountPath: /var/lib/kubelet/device-plugins
       initContainers:
       - name: install-cni
+        command: ['cp', '/macvtap-cni', '/host/opt/cni/bin/macvtap']
         image: quay.io/kubevirt/macvtap-cni:latest
+        imagePullPolicy: Always
         securityContext:
           privileged: true
-        command: ['cp', '/macvtap-cni', '/host/opt/cni/bin/macvtap']
         volumeMounts:
         - name: cni
           mountPath: /host/opt/cni/bin
diff --git a/manifests/namespace.yaml b/manifests/namespace.yaml
new file mode 100644
index 00000000..5efde875
--- /dev/null
+++ b/manifests/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: default
diff --git a/manifests/scc.yaml b/manifests/scc.yaml
new file mode 100644
index 00000000..b3d911c1
--- /dev/null
+++ b/manifests/scc.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: macvtap-cni
+allowHostNetwork: true
+allowPrivilegedContainer: true
+allowHostDirVolumePlugin: true
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+users:
+- system:serviceaccount:default:macvtap-cni
diff --git a/templates/macvtap.yaml.in b/templates/macvtap.yaml.in
index 0d1cba7e..ffba6a53 100644
--- a/templates/macvtap.yaml.in
+++ b/templates/macvtap.yaml.in
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: macvtap-cni
+  namespace: {{ .Namespace }}
 spec:
   selector:
     matchLabels:
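Review bot: `namespace: {{ .Namespace }}` is substituted by sed into an unquoted YAML scalar, so an empty substitution leaves `namespace:` (read as null, i.e. the key silently disappears) and any value YAML types implicitly is retyped without error. Quoting the placeholder, `namespace: "{{ .Namespace }}"`, keeps the generated value a string and makes an empty substitution visible as `""`. The same applies to `image: {{ .MacvtapImage }}` and `imagePullPolicy: {{ .ImagePullPolicy }}` in the second hunk of this file and to `name: {{ .Namespace }}` in templates/namespace.yaml.in; the manifests/ copies are generated output and pick the change up on the next `make manifests`.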
@@ -15,22 +16,28 @@ spec:
       hostPID: true
       containers:
       - name: macvtap-cni
-        image: {{ .ImageRegistry }}/{{ .ImageName }}:{{ .ImageTag }}
+        command: [ "/macvtap-deviceplugin", "-v", "3", "-logtostderr"]
+        envFrom:
+        - configMapRef:
+            name: macvtap-deviceplugin-config
+        image: {{ .MacvtapImage }}
+        imagePullPolicy: {{ .ImagePullPolicy }}
+        resources:
+          requests:
+            cpu: "60m"
+            memory: "30Mi"
         securityContext:
           privileged: true
-        envFrom:
-        - configMapRef:
-            name: macvtap-deviceplugin-config
         volumeMounts:
         - name: deviceplugin
           mountPath: /var/lib/kubelet/device-plugins
-        command: [ "/macvtap-deviceplugin", "-v", "3", "-logtostderr"]
       initContainers:
       - name: install-cni
-        image: {{ .ImageRegistry }}/{{ .ImageName }}:{{ .ImageTag }}
+        command: ['cp', '/macvtap-cni', '/host/opt/cni/bin/macvtap']
+        image: {{ .MacvtapImage }}
+        imagePullPolicy: {{ .ImagePullPolicy }}
         securityContext:
           privileged: true
-        command: ['cp', '/macvtap-cni', '/host/opt/cni/bin/macvtap']
         volumeMounts:
         - name: cni
           mountPath: /host/opt/cni/bin
diff --git a/templates/namespace.yaml.in b/templates/namespace.yaml.in
new file mode 100644
index 00000000..d2a8c25d
--- /dev/null
+++ b/templates/namespace.yaml.in
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Namespace }}
diff --git a/templates/scc.yaml.in b/templates/scc.yaml.in
new file mode 100644
index 00000000..70f96278
--- /dev/null
+++ b/templates/scc.yaml.in
@@ -0,0 +1,14 @@
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: macvtap-cni
+allowHostNetwork: true
+allowPrivilegedContainer: true
+allowHostDirVolumePlugin: true
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+users:
+- system:serviceaccount:{{ .Namespace }}:macvtap-cni
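Review bot: The SCC never sets `allowHostPID: true`, yet the DaemonSet pod spec in the templates/macvtap.yaml.in hunk above sets `hostPID: true`, so SCC admission on OKD should refuse those pods under this constraint; if they are admitted anyway it is because some broader SCC such as `privileged` already covers the service account, in which case this one is never the constraint in effect. Add `allowHostPID: true` next to `allowPrivilegedContainer: true`, and conversely reconsider `allowHostNetwork: true`, which grants something the visible pod spec does not use (the head of that spec is outside the hunk, so confirm `hostNetwork` is really absent before dropping it). The `users` entry binds to `system:serviceaccount:{{ .Namespace }}:macvtap-cni`, but nothing in this patch creates that ServiceAccount or sets `serviceAccountName` on the DaemonSet; unless both exist elsewhere in the repo, the pods run as the namespace's `default` account and the grant never applies.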