martezr · October 18, 2019 21:25
diff --git a/helm-install.sh b/helm-install.sh
 #!/bin/bash

 kubectl -n kube-system create serviceaccount tiller
 kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
 wget https://get.helm.sh/helm-v2.15.0-linux-amd64.tar.gz
 tar -xzf helm-v2.15.0-linux-amd64.tar.gz
 mv linux-amd64/helm /usr/local/bin/helm
 helm init --service-account=tiller
diff --git a/kubebootstrap.sh b/kubebootstrap.sh
 #!/bin/bash

 networking=$1

 function gencreds {
  mkdir -p $HOME/.kube
  sudo cp -f /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config
 }

 case $networking in

  calico)
    echo -n "Calico networking"
    kubeadm init --pod-network-cidr=192.168.0.0/16
    gencreds
    kubectl apply -f https://docs.projectcalico.org/v3.9/manifests/calico.yaml
    ;;

  cilium)
    echo -n "Cilium networking"
    kubeadm init --pod-network-cidr=10.217.0.0/16
    gencreds
    kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.5/examples/kubernetes/1.14/cilium.yaml
    ;;

  flannel)
    echo -n "Flannel networking"
    kubeadm init --pod-network-cidr=10.244.0.0/16
    gencreds
    kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/62e44c867a2846fefb68bd5f178daf4da3095ccb/Documentation/kube-flannel.yml
    ;;
 esac

 #kubeadm token create --print-join-command
diff --git a/metallb.yaml b/metallb.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  namespace: metallb-system
  name: config
 data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 10.0.0.2-10.0.0.6
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  labels:
    app: metallb
  name: metallb-system
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  labels:
    app: metallb
  name: speaker
  namespace: metallb-system
 spec:
  allowPrivilegeEscalation: false
  allowedCapabilities:
  - NET_ADMIN
  - NET_RAW
  - SYS_ADMIN
  fsGroup:
    rule: RunAsAny
  hostNetwork: true
  hostPorts:
  - max: 7472
    min: 7472
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    app: metallb
  name: controller
  namespace: metallb-system
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    app: metallb
  name: speaker
  namespace: metallb-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app: metallb
  name: metallb-system:controller
 rules:
 - apiGroups:
  - ''
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - update
 - apiGroups:
  - ''
  resources:
  - services/status
  verbs:
  - update
 - apiGroups:
  - ''
  resources:
  - events
  verbs:
  - create
  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app: metallb
  name: metallb-system:speaker
 rules:
 - apiGroups:
  - ''
  resources:
  - services
  - endpoints
  - nodes
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ''
  resources:
  - events
  verbs:
  - create
  - patch
 - apiGroups:
  - extensions
  resourceNames:
  - speaker
  resources:
  - podsecuritypolicies
  verbs:
  - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app: metallb
  name: config-watcher
  namespace: metallb-system
 rules:
 - apiGroups:
  - ''
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app: metallb
  name: metallb-system:controller
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:controller
 subjects:
 - kind: ServiceAccount
  name: controller
  namespace: metallb-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app: metallb
  name: metallb-system:speaker
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:speaker
 subjects:
 - kind: ServiceAccount
  name: speaker
  namespace: metallb-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app: metallb
  name: config-watcher
  namespace: metallb-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: config-watcher
 subjects:
 - kind: ServiceAccount
  name: controller
 - kind: ServiceAccount
  name: speaker
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  labels:
    app: metallb
    component: speaker
  name: speaker
  namespace: metallb-system
 spec:
  selector:
    matchLabels:
      app: metallb
      component: speaker
  template:
    metadata:
      annotations:
        prometheus.io/port: '7472'
        prometheus.io/scrape: 'true'
      labels:
        app: metallb
        component: speaker
    spec:
      containers:
      - args:
        - --port=7472
        - --config=config
        env:
        - name: METALLB_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: METALLB_HOST
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        image: metallb/speaker:v0.8.1
        imagePullPolicy: IfNotPresent
        name: speaker
        ports:
        - containerPort: 7472
          name: monitoring
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
            - SYS_ADMIN
            drop:
            - ALL
          readOnlyRootFilesystem: true
      hostNetwork: true
      nodeSelector:
        beta.kubernetes.io/os: linux
      serviceAccountName: speaker
      terminationGracePeriodSeconds: 0
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
    app: metallb
    component: controller
  name: controller
  namespace: metallb-system
 spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: metallb
      component: controller
  template:
    metadata:
      annotations:
        prometheus.io/port: '7472'
        prometheus.io/scrape: 'true'
      labels:
        app: metallb
        component: controller
    spec:
      containers:
      - args:
        - --port=7472
        - --config=config
        image: metallb/controller:v0.8.1
        imagePullPolicy: IfNotPresent
        name: controller
        ports:
        - containerPort: 7472
          name: monitoring
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          readOnlyRootFilesystem: true
      nodeSelector:
        beta.kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0
	#!/bin/bash

	kubectl -n kube-system create serviceaccount tiller
	kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
	wget https://get.helm.sh/helm-v2.15.0-linux-amd64.tar.gz
	tar -xzf helm-v2.15.0-linux-amd64.tar.gz
	mv linux-amd64/helm /usr/local/bin/helm
	helm init --service-account=tiller
	#!/bin/bash

	networking=$1

	function gencreds {
	mkdir -p $HOME/.kube
	sudo cp -f /etc/kubernetes/admin.conf $HOME/.kube/config
	sudo chown $(id -u):$(id -g) $HOME/.kube/config
	}

	case $networking in

	calico)
	echo -n "Calico networking"
	kubeadm init --pod-network-cidr=192.168.0.0/16
	gencreds
	kubectl apply -f https://docs.projectcalico.org/v3.9/manifests/calico.yaml
	;;

	cilium)
	echo -n "Cilium networking"
	kubeadm init --pod-network-cidr=10.217.0.0/16
	gencreds
	kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.5/examples/kubernetes/1.14/cilium.yaml
	;;

	flannel)
	echo -n "Flannel networking"
	kubeadm init --pod-network-cidr=10.244.0.0/16
	gencreds
	kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/62e44c867a2846fefb68bd5f178daf4da3095ccb/Documentation/kube-flannel.yml
	;;
	esac

	#kubeadm token create --print-join-command
	apiVersion: v1
	kind: ConfigMap
	metadata:
	namespace: metallb-system
	name: config
	data:
	config: \|
	address-pools:
	- name: default
	protocol: layer2
	addresses:
	- 10.0.0.2-10.0.0.6
	---
	apiVersion: v1
	kind: Namespace
	metadata:
	labels:
	app: metallb
	name: metallb-system
	---
	apiVersion: policy/v1beta1
	kind: PodSecurityPolicy
	metadata:
	labels:
	app: metallb
	name: speaker
	namespace: metallb-system
	spec:
	allowPrivilegeEscalation: false
	allowedCapabilities:
	- NET_ADMIN
	- NET_RAW
	- SYS_ADMIN
	fsGroup:
	rule: RunAsAny
	hostNetwork: true
	hostPorts:
	- max: 7472
	min: 7472
	privileged: true
	runAsUser:
	rule: RunAsAny
	seLinux:
	rule: RunAsAny
	supplementalGroups:
	rule: RunAsAny
	volumes:
	- '*'
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	labels:
	app: metallb
	name: controller
	namespace: metallb-system
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	labels:
	app: metallb
	name: speaker
	namespace: metallb-system
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	labels:
	app: metallb
	name: metallb-system:controller
	rules:
	- apiGroups:
	- ''
	resources:
	- services
	verbs:
	- get
	- list
	- watch
	- update
	- apiGroups:
	- ''
	resources:
	- services/status
	verbs:
	- update
	- apiGroups:
	- ''
	resources:
	- events
	verbs:
	- create
	- patch
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	labels:
	app: metallb
	name: metallb-system:speaker
	rules:
	- apiGroups:
	- ''
	resources:
	- services
	- endpoints
	- nodes
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- ''
	resources:
	- events
	verbs:
	- create
	- patch
	- apiGroups:
	- extensions
	resourceNames:
	- speaker
	resources:
	- podsecuritypolicies
	verbs:
	- use
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	labels:
	app: metallb
	name: config-watcher
	namespace: metallb-system
	rules:
	- apiGroups:
	- ''
	resources:
	- configmaps
	verbs:
	- get
	- list
	- watch
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	labels:
	app: metallb
	name: metallb-system:controller
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: metallb-system:controller
	subjects:
	- kind: ServiceAccount
	name: controller
	namespace: metallb-system
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	labels:
	app: metallb
	name: metallb-system:speaker
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: metallb-system:speaker
	subjects:
	- kind: ServiceAccount
	name: speaker
	namespace: metallb-system
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	labels:
	app: metallb
	name: config-watcher
	namespace: metallb-system
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: config-watcher
	subjects:
	- kind: ServiceAccount
	name: controller
	- kind: ServiceAccount
	name: speaker
	---
	apiVersion: apps/v1
	kind: DaemonSet
	metadata:
	labels:
	app: metallb
	component: speaker
	name: speaker
	namespace: metallb-system
	spec:
	selector:
	matchLabels:
	app: metallb
	component: speaker
	template:
	metadata:
	annotations:
	prometheus.io/port: '7472'
	prometheus.io/scrape: 'true'
	labels:
	app: metallb
	component: speaker
	spec:
	containers:
	- args:
	- --port=7472
	- --config=config
	env:
	- name: METALLB_NODE_NAME
	valueFrom:
	fieldRef:
	fieldPath: spec.nodeName
	- name: METALLB_HOST
	valueFrom:
	fieldRef:
	fieldPath: status.hostIP
	image: metallb/speaker:v0.8.1
	imagePullPolicy: IfNotPresent
	name: speaker
	ports:
	- containerPort: 7472
	name: monitoring
	resources:
	limits:
	cpu: 100m
	memory: 100Mi
	securityContext:
	allowPrivilegeEscalation: false
	capabilities:
	add:
	- NET_ADMIN
	- NET_RAW
	- SYS_ADMIN
	drop:
	- ALL
	readOnlyRootFilesystem: true
	hostNetwork: true
	nodeSelector:
	beta.kubernetes.io/os: linux
	serviceAccountName: speaker
	terminationGracePeriodSeconds: 0
	tolerations:
	- effect: NoSchedule
	key: node-role.kubernetes.io/master
	---
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	labels:
	app: metallb
	component: controller
	name: controller
	namespace: metallb-system
	spec:
	revisionHistoryLimit: 3
	selector:
	matchLabels:
	app: metallb
	component: controller
	template:
	metadata:
	annotations:
	prometheus.io/port: '7472'
	prometheus.io/scrape: 'true'
	labels:
	app: metallb
	component: controller
	spec:
	containers:
	- args:
	- --port=7472
	- --config=config
	image: metallb/controller:v0.8.1
	imagePullPolicy: IfNotPresent
	name: controller
	ports:
	- containerPort: 7472
	name: monitoring
	resources:
	limits:
	cpu: 100m
	memory: 100Mi
	securityContext:
	allowPrivilegeEscalation: false
	capabilities:
	drop:
	- all
	readOnlyRootFilesystem: true
	nodeSelector:
	beta.kubernetes.io/os: linux
	securityContext:
	runAsNonRoot: true
	runAsUser: 65534
	serviceAccountName: controller
	terminationGracePeriodSeconds: 0