Last active
January 14, 2025 17:47
-
-
Save aojea/56cdfdf251abc4388ead358e1b0a00b4 to your computer and use it in GitHub Desktop.
Use kindnet in GKE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: kindnet | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - nodes | |
| verbs: | |
| - list | |
| - watch | |
| - patch | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - nodes/proxy | |
| - nodes/configz | |
| verbs: | |
| - get | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - configmaps | |
| verbs: | |
| - get | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - pods | |
| - namespaces | |
| verbs: | |
| - list | |
| - watch | |
| - apiGroups: | |
| - "networking.k8s.io" | |
| resources: | |
| - networkpolicies | |
| verbs: | |
| - list | |
| - watch | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: kindnet | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: kindnet | |
| subjects: | |
| - kind: ServiceAccount | |
| name: kindnet | |
| namespace: kube-system | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: kindnet | |
| namespace: kube-system | |
| --- | |
| apiVersion: apps/v1 | |
| kind: DaemonSet | |
| metadata: | |
| name: kindnet | |
| namespace: kube-system | |
| labels: | |
| tier: node | |
| app: kindnet | |
| k8s-app: kindnet | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: kindnet | |
| template: | |
| metadata: | |
| labels: | |
| tier: node | |
| app: kindnet | |
| k8s-app: kindnet | |
| spec: | |
| hostNetwork: true | |
| tolerations: | |
| - operator: Exists | |
| effect: NoSchedule | |
| serviceAccountName: kindnet | |
| initContainers: | |
| - name: mount-cni-bin | |
| image: busybox:stable | |
| command: | |
| - /bin/sh | |
| - -c | |
| - | | |
| mkdir -p /tmp/opt/cni | |
| mount --bind /tmp/opt/cni /opt/cni/bin/ | |
| # required by containerd but kindnet already provides this functionality | |
| touch /opt/cni/bin/localhost | |
| chmod +x /opt/cni/bin/localhost | |
| rm /etc/cni/net.d/* || true | |
| volumeMounts: | |
| - name: opt-cni | |
| mountPath: /opt/cni/ | |
| mountPropagation: Bidirectional | |
| securityContext: | |
| runAsUser: 0 | |
| privileged: true | |
| - name: install-cni-bin | |
| image: ghcr.io/aojea/kindnetd:stable | |
| command: ['sh', '-c', 'cat /opt/cni/bin/cni-kindnet > /cni/cni-kindnet ; chmod +x /cni/cni-kindnet'] | |
| volumeMounts: | |
| - name: cni-bin | |
| mountPath: /cni | |
| containers: | |
| - name: kindnet-cni | |
| image: ghcr.io/aojea/kindnetd:stable | |
| command: | |
| - /bin/kindnetd | |
| - --hostname-override=$(NODE_NAME) | |
| - --v=4 | |
| env: | |
| - name: HOST_IP | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: status.hostIP | |
| - name: POD_IP | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: status.podIP | |
| - name: NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| volumeMounts: | |
| - name: cni-cfg | |
| mountPath: /etc/cni/net.d | |
| - name: var-lib-kindnet | |
| mountPath: /var/lib/cni-kindnet | |
| resources: | |
| requests: | |
| cpu: "100m" | |
| memory: "50Mi" | |
| securityContext: | |
| privileged: true | |
| volumes: | |
| - name: opt-cni | |
| hostPath: | |
| path: /opt/cni | |
| type: DirectoryOrCreate | |
| - name: cni-bin | |
| hostPath: | |
| path: /opt/cni/bin | |
| type: DirectoryOrCreate | |
| - name: cni-cfg | |
| hostPath: | |
| path: /etc/cni/net.d | |
| type: DirectoryOrCreate | |
| - name: var-lib-kindnet | |
| hostPath: | |
| path: /var/lib/cni-kindnet | |
| type: DirectoryOrCreate | |
| - name: tmp | |
| hostPath: | |
| path: /tmp | |
| type: DirectoryOrCreate | |
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: kube-proxy | |
| namespace: kube-system | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: system:kube-proxy | |
| subjects: | |
| - kind: ServiceAccount | |
| name: kube-proxy | |
| namespace: kube-system | |
| roleRef: | |
| kind: ClusterRole | |
| name: system:node-proxier | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| apiVersion: apps/v1 | |
| kind: DaemonSet | |
| metadata: | |
| labels: | |
| k8s-app: kube-proxy | |
| name: kube-proxy-nft | |
| namespace: kube-system | |
| spec: | |
| selector: | |
| matchLabels: | |
| k8s-app: kube-proxy | |
| updateStrategy: | |
| type: RollingUpdate | |
| rollingUpdate: | |
| maxUnavailable: 10% | |
| template: | |
| metadata: | |
| labels: | |
| k8s-app: kube-proxy | |
| spec: | |
| priorityClassName: system-node-critical | |
| hostNetwork: true | |
| nodeSelector: | |
| kubernetes.io/os: linux | |
| tolerations: | |
| - operator: "Exists" | |
| effect: "NoExecute" | |
| - operator: "Exists" | |
| effect: "NoSchedule" | |
| containers: | |
| - name: kube-proxy | |
| image: registry.k8s.io/kube-proxy:v1.31.1 | |
| resources: | |
| requests: | |
| cpu: "100m" | |
| memory: "50Mi" | |
| command: | |
| - /usr/local/bin/kube-proxy | |
| - --hostname-override=$(NODE_NAME) | |
| - --v=2 | |
| - --proxy-mode=nftables | |
| - --detect-local-mode=NodeCIDR | |
| - --conntrack-tcp-be-liberal=true | |
| env: | |
| - name: KUBERNETES_SERVICE_HOST | |
| value: APISERVER_IP_HERE | |
| - name: NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| apiVersion: v1 | |
| fieldPath: spec.nodeName | |
| securityContext: | |
| privileged: true | |
| serviceAccountName: kube-proxy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # only for dpv2 clusters | |
| kubectl -n kube-system patch ds anetd --type='json' \ | |
| -p='[{"op": "add", "path": "/spec/template/spec/nodeSelector/do-not-run-here", "value": "donotexist"}]' | |
| kubectl -n kube-system patch ds netd --type='json' \ | |
| -p='[{"op": "add", "path": "/spec/template/spec/nodeSelector/do-not-run-here", "value": "donotexist"}]' | |
| # cos is not writable | |
| mkdir -p /tmp/opt/cni | |
| mount --bind /tmp/opt/cni /opt/cni/bin/ | |
| mount -o remount,exec,rw /opt/cni/bin/ | |
| # required by containerd but kindnet already provides this functionality | |
| touch /opt/cni/bin/localhost | |
| chmod +x /opt/cni/bin/localhost | |
| kubectl apply -f kindnet-gke.yaml | |
| # replace the APISERVER_IP_HERE value in the kube-proxy yaml with the IP obtained from | |
| # kubectl get endpoints kubernetes | |
| # NAME ENDPOINTS AGE | |
| # kubernetes 10.128.0.3:443 25d | |
| # use kube-proxy-nft name because there is already a daemonset called kube-proxy | |
| kubectl apply -f kube-proxy.yaml | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://gist.github.com/BenTheElder/58e2b0c359a374cac10e529375fd70f2