Skip to content

Instantly share code, notes, and snippets.

@jayunit100

jayunit100/gist:e4f329964b1980d3b6fe46439f4c1fce

Created July 24, 2020 14:59
Show Gist options
  • Save jayunit100/e4f329964b1980d3b6fe46439f4c1fce to your computer and use it in GitHub Desktop.
Save jayunit100/e4f329964b1980d3b6fe46439f4c1fce to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
#@ def antreayaml():
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: antreaagentinfos.clusterinformation.antrea.tanzu.vmware.com
spec:
group: clusterinformation.antrea.tanzu.vmware.com
names:
kind: AntreaAgentInfo
plural: antreaagentinfos
shortNames:
- aai
singular: antreaagentinfo
scope: Cluster
versions:
- name: v1beta1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: antreacontrollerinfos.clusterinformation.antrea.tanzu.vmware.com
spec:
group: clusterinformation.antrea.tanzu.vmware.com
names:
kind: AntreaControllerInfo
plural: antreacontrollerinfos
shortNames:
- aci
singular: antreacontrollerinfo
scope: Cluster
versions:
- name: v1beta1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: clusternetworkpolicies.security.antrea.tanzu.vmware.com
spec:
additionalPrinterColumns:
- JSONPath: .spec.priority
description: The Priority of this ClusterNetworkPolicy relative to other policies.
format: float
name: Priority
type: number
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: security.antrea.tanzu.vmware.com
names:
kind: ClusterNetworkPolicy
plural: clusternetworkpolicies
shortNames:
- cnp
singular: clusternetworkpolicy
preserveUnknownFields: false
scope: Cluster
validation:
openAPIV3Schema:
properties:
spec:
properties:
appliedTo:
items:
properties:
namespaceSelector:
x-kubernetes-preserve-unknown-fields: true
podSelector:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
egress:
items:
properties:
action:
pattern: \bAllow|\bDrop
type: string
ports:
items:
properties:
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
to:
items:
properties:
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
namespaceSelector:
x-kubernetes-preserve-unknown-fields: true
podSelector:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
required:
- action
type: object
type: array
ingress:
items:
properties:
action:
pattern: \bAllow|\bDrop
type: string
from:
items:
properties:
ipBlock:
properties:
cidr:
format: cidr
type: string
type: object
namespaceSelector:
x-kubernetes-preserve-unknown-fields: true
podSelector:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
ports:
items:
properties:
port:
x-kubernetes-int-or-string: true
protocol:
type: string
type: object
type: array
required:
- action
type: object
type: array
priority:
format: float
maximum: 10000
minimum: 1
type: number
required:
- appliedTo
- priority
type: object
type: object
versions:
- name: v1alpha1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: antrea
name: traceflows.ops.antrea.tanzu.vmware.com
spec:
group: ops.antrea.tanzu.vmware.com
names:
kind: Traceflow
plural: traceflows
shortNames:
- tf
singular: traceflow
scope: Cluster
validation:
openAPIV3Schema:
properties:
spec:
properties:
source:
properties:
namespace:
type: string
pod:
type: string
required:
- pod
- namespace
type: object
required:
- source
type: object
required:
- spec
type: object
versions:
- name: v1alpha1
served: true
storage: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: antrea
name: antctl
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: antrea
name: antrea-agent
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: antrea
name: antrea-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
name: antctl
rules:
- apiGroups:
- networking.antrea.tanzu.vmware.com
resources:
- networkpolicies
- appliedtogroups
- addressgroups
verbs:
- get
- list
- apiGroups:
- system.antrea.tanzu.vmware.com
resources:
- controllerinfos
- agentinfos
verbs:
- get
- apiGroups:
- system.antrea.tanzu.vmware.com
resources:
- supportbundles
verbs:
- get
- post
- apiGroups:
- system.antrea.tanzu.vmware.com
resources:
- supportbundles/download
verbs:
- get
- nonResourceURLs:
- /agentinfo
- /addressgroups
- /appliedtogroups
- /networkpolicies
- /ovsflows
- /ovstracing
- /podinterfaces
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
name: antrea-agent
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- pods
- endpoints
- services
verbs:
- get
- watch
- list
- apiGroups:
- clusterinformation.antrea.tanzu.vmware.com
resources:
- antreaagentinfos
verbs:
- get
- create
- update
- delete
- apiGroups:
- networking.antrea.tanzu.vmware.com
resources:
- networkpolicies
- appliedtogroups
- addressgroups
verbs:
- get
- watch
- list
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- antrea-ca
resources:
- configmaps
verbs:
- get
- watch
- list
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
- traceflows
verbs:
- get
- watch
- list
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: antrea
name: antrea-controller
rules:
- apiGroups:
- ""
resources:
- nodes
- pods
- namespaces
verbs:
- get
- watch
- list
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- watch
- list
- apiGroups:
- clusterinformation.antrea.tanzu.vmware.com
resources:
- antreacontrollerinfos
verbs:
- get
- create
- update
- delete
- apiGroups:
- clusterinformation.antrea.tanzu.vmware.com
resources:
- antreaagentinfos
verbs:
- list
- delete
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- antrea-ca
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- apiregistration.k8s.io
resourceNames:
- v1beta1.system.antrea.tanzu.vmware.com
- v1beta1.networking.antrea.tanzu.vmware.com
resources:
- apiservices
verbs:
- get
- update
- apiGroups:
- security.antrea.tanzu.vmware.com
resources:
- clusternetworkpolicies
verbs:
- get
- watch
- list
- apiGroups:
- ops.antrea.tanzu.vmware.com
resources:
- traceflows
verbs:
- get
- watch
- list
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
name: antctl
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antctl
subjects:
- kind: ServiceAccount
name: antctl
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
name: antrea-agent
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antrea-agent
subjects:
- kind: ServiceAccount
name: antrea-agent
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
labels:
app: antrea
name: antrea-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: antrea-controller
subjects:
- kind: ServiceAccount
name: antrea-controller
namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app: antrea
name: antrea-ca
namespace: kube-system
---
apiVersion: v1
data:
antrea-agent.conf: |
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
featureGates:
# Enable antrea proxy which provides ServiceLB for in-cluster services in antrea agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic.
# AntreaProxy: false
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: false
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
#ovsBridge: br-int
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
#ovsDatapathType: system
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
#hostGateway: antrea-gw0
# Encapsulation mode for communication between Pods across Nodes, supported values:
# - geneve (default)
# - vxlan
# - gre
# - stt
#tunnelType: geneve
# Default MTU to use for the host gateway interface and the network interface of each Pod. If
# omitted, antrea-agent will default this value to 1450 to accommodate for tunnel encapsulate
# overhead.
#defaultMTU: 1450
# Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported
# for the GRE tunnel type.
#enableIPSecTunnel: false
# CIDR Range for services in cluster. It's required to support egress network policy, should
# be set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver.
#serviceCIDR: 10.96.0.0/12
# Determines how traffic is encapsulated. It has the following options
# encap(default): Inter-node Pod traffic is always encapsulated and Pod to outbound traffic is masqueraded.
# noEncap: Inter-node Pod traffic is not encapsulated, but Pod to outbound traffic is masqueraded.
# Underlying network must be capable of supporting Pod traffic across IP subnet.
# hybrid: noEncap if worker Nodes on same subnet, otherwise encap.
# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod IPAM and connectivity to primary CNI.
#
#trafficEncapMode: encap
# The port for the antrea-agent APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-agent` container must be set to the same value.
#apiPort: 10350
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
#enablePrometheusMetrics: false
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
"name": "antrea",
"plugins": [
{
"type": "antrea",
"ipam": {
"type": "host-local"
}
},
{
"type": "portmap",
"capabilities": {"portMappings": true}
}
]
}
antrea-controller.conf: |
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
featureGates:
# Enable traceflow which provides packet tracing feature to diagnose network issue.
# Traceflow: false
# Enable ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
# to define security policies which apply to the entire cluster.
# ClusterNetworkPolicy: false
# The port for the antrea-controller APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-controller` container must be set to the same value.
#apiPort: 10349
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
#enablePrometheusMetrics: false
# Indicates whether to use auto-generated self-signed TLS certificate.
# If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt: <CA certificate>
# tls.crt: <TLS certificate>
# tls.key: <TLS private key>
# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
# antrea-controller container.
#selfSignedCert: true
kind: ConfigMap
metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-5g4h62mc5t
namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
labels:
app: antrea
name: antrea
namespace: kube-system
spec:
ports:
- port: 443
protocol: TCP
targetPort: api
selector:
app: antrea
component: antrea-controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: antrea
component: antrea-controller
name: antrea-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: antrea
component: antrea-controller
strategy:
type: Recreate
template:
metadata:
labels:
app: antrea
component: antrea-controller
spec:
containers:
- args:
- --config
- /etc/antrea/antrea-controller.conf
- --logtostderr=false
- --log_dir=/var/log/antrea
- --alsologtostderr
- --log_file_max_size=100
- --log_file_max_num=4
command:
- antrea-controller
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: antrea/antrea-ubuntu:v0.8.2
name: antrea-controller
ports:
- containerPort: 10349
name: api
protocol: TCP
readinessProbe:
failureThreshold: 5
httpGet:
host: 127.0.0.1
path: /healthz
port: api
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
resources:
requests:
cpu: 200m
volumeMounts:
- mountPath: /etc/antrea/antrea-controller.conf
name: antrea-config
readOnly: true
subPath: antrea-controller.conf
- mountPath: /var/run/antrea/antrea-controller-tls
name: antrea-controller-tls
- mountPath: /var/log/antrea
name: host-var-log-antrea
hostNetwork: true
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-cluster-critical
serviceAccountName: antrea-controller
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-5g4h62mc5t
name: antrea-config
- name: antrea-controller-tls
secret:
defaultMode: 256
optional: true
secretName: antrea-controller-tls
- hostPath:
path: /var/log/antrea
type: DirectoryOrCreate
name: host-var-log-antrea
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app: antrea
name: v1beta1.networking.antrea.tanzu.vmware.com
spec:
group: networking.antrea.tanzu.vmware.com
groupPriorityMinimum: 100
service:
name: antrea
namespace: kube-system
version: v1beta1
versionPriority: 100
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app: antrea
name: v1beta1.system.antrea.tanzu.vmware.com
spec:
group: system.antrea.tanzu.vmware.com
groupPriorityMinimum: 100
service:
name: antrea
namespace: kube-system
version: v1beta1
versionPriority: 100
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: antrea
component: antrea-agent
name: antrea-agent
namespace: kube-system
spec:
selector:
matchLabels:
app: antrea
component: antrea-agent
template:
metadata:
labels:
app: antrea
component: antrea-agent
spec:
containers:
- args:
- --config
- /etc/antrea/antrea-agent.conf
- --logtostderr=false
- --log_dir=/var/log/antrea
- --alsologtostderr
- --log_file_max_size=100
- --log_file_max_num=4
command:
- antrea-agent
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: antrea/antrea-ubuntu:v0.8.2
livenessProbe:
exec:
command:
- /bin/sh
- -c
- container_liveness_probe agent
failureThreshold: 5
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
name: antrea-agent
ports:
- containerPort: 10350
name: api
protocol: TCP
readinessProbe:
failureThreshold: 5
httpGet:
host: 127.0.0.1
path: /healthz
port: api
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
resources:
requests:
cpu: 200m
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/antrea/antrea-agent.conf
name: antrea-config
readOnly: true
subPath: antrea-agent.conf
- mountPath: /var/run/antrea
name: host-var-run-antrea
- mountPath: /var/run/openvswitch
name: host-var-run-antrea
subPath: openvswitch
- mountPath: /var/lib/cni
name: host-var-run-antrea
subPath: cni
- mountPath: /var/log/antrea
name: host-var-log-antrea
- mountPath: /host/proc
name: host-proc
readOnly: true
- mountPath: /host/var/run/netns
mountPropagation: HostToContainer
name: host-var-run-netns
readOnly: true
- mountPath: /run/xtables.lock
name: xtables-lock
- command:
- start_ovs
image: antrea/antrea-ubuntu:v0.8.2
livenessProbe:
exec:
command:
- /bin/sh
- -c
- timeout 10 container_liveness_probe ovs
failureThreshold: 5
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 10
name: antrea-ovs
resources:
requests:
cpu: 200m
securityContext:
capabilities:
add:
- SYS_NICE
- NET_ADMIN
- SYS_ADMIN
- IPC_LOCK
volumeMounts:
- mountPath: /var/run/openvswitch
name: host-var-run-antrea
subPath: openvswitch
- mountPath: /var/log/openvswitch
name: host-var-log-antrea
subPath: openvswitch
hostNetwork: true
initContainers:
- command:
- install_cni
image: antrea/antrea-ubuntu:v0.8.2
name: install-cni
resources:
requests:
cpu: 100m
securityContext:
capabilities:
add:
- SYS_MODULE
volumeMounts:
- mountPath: /etc/antrea/antrea-cni.conflist
name: antrea-config
readOnly: true
subPath: antrea-cni.conflist
- mountPath: /host/etc/cni/net.d
name: host-cni-conf
- mountPath: /host/opt/cni/bin
name: host-cni-bin
- mountPath: /lib/modules
name: host-lib-modules
readOnly: true
- mountPath: /sbin/depmod
name: host-depmod
readOnly: true
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-node-critical
serviceAccountName: antrea-agent
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- configMap:
name: antrea-config-5g4h62mc5t
name: antrea-config
- hostPath:
path: /etc/cni/net.d
name: host-cni-conf
- hostPath:
path: /opt/cni/bin
name: host-cni-bin
- hostPath:
path: /proc
name: host-proc
- hostPath:
path: /var/run/netns
name: host-var-run-netns
- hostPath:
path: /var/run/antrea
type: DirectoryOrCreate
name: host-var-run-antrea
- hostPath:
path: /var/log/antrea
type: DirectoryOrCreate
name: host-var-log-antrea
- hostPath:
path: /lib/modules
name: host-lib-modules
- hostPath:
path: /sbin/depmod
name: host-depmod
- hostPath:
path: /run/xtables.lock
type: FileOrCreate
name: xtables-lock
updateStrategy:
type: RollingUpdate
#@ end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment