constellation/cli/internal/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml
2022-08-12 10:20:19 +02:00

112 lines
3.8 KiB
YAML

{{- if .Values.nodeinit.enabled }}
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: cilium-node-init
namespace: {{ .Release.Namespace }}
labels:
app: cilium-node-init
spec:
selector:
matchLabels:
app: cilium-node-init
{{- with .Values.nodeinit.updateStrategy }}
updateStrategy:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
template:
metadata:
annotations:
{{- with .Values.nodeinit.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not .Values.securityContext.privileged }}
# Set app AppArmor's profile to "unconfined". The value of this annotation
# can be modified as long users know which profiles they have available
# in AppArmor.
container.apparmor.security.beta.kubernetes.io/node-init: "unconfined"
{{- end }}
labels:
app: cilium-node-init
{{- with .Values.nodeinit.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
# To access iptables concurrently with other processes (e.g. kube-proxy)
- hostPath:
path: /run/xtables.lock
type: FileOrCreate
name: xtables-lock
containers:
- name: node-init
image: {{ include "cilium.image" .Values.nodeinit.image | quote }}
imagePullPolicy: {{ .Values.nodeinit.image.pullPolicy }}
volumeMounts:
# To access iptables concurrently with other processes (e.g. kube-proxy)
- mountPath: /run/xtables.lock
name: xtables-lock
lifecycle:
{{- if .Values.eni.enabled }}
postStart:
exec:
command:
- "/bin/sh"
- "-c"
- |
{{- tpl (.Files.Get "files/nodeinit/poststart-eni.bash") . | nindent 20 }}
{{- end }}
{{- if .Values.nodeinit.revertReconfigureKubelet }}
preStop:
exec:
command:
- nsenter
- --target=1
- --mount
- --
- /bin/sh
- -c
- |
{{- tpl (.Files.Get "files/nodeinit/prestop.bash") . | nindent 20 }}
{{- end }}
env:
{{- with .Values.nodeinit.extraEnv }}
{{- toYaml . | trim | nindent 10 }}
{{- end }}
# STARTUP_SCRIPT is the script run on node bootstrap. Node
# bootstrapping can be customized in this script. This script is invoked
# using nsenter, so it runs in the host's network and mount namespace using
# the host's userland tools!
- name: STARTUP_SCRIPT
value: |
{{- tpl (.Files.Get "files/nodeinit/startup.bash") . | nindent 14 }}
{{- with .Values.nodeinit.resources }}
resources:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.nodeinit.securityContext }}
securityContext:
{{- toYaml . | trim | nindent 12 }}
{{- end }}
{{- with .Values.nodeinit.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeinit.nodeSelector }}
nodeSelector:
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- with .Values.nodeinit.tolerations }}
tolerations:
{{- toYaml . | trim | nindent 8 }}
{{- end }}
hostPID: true
hostNetwork: true
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.nodeinit.priorityClassName "system-node-critical") }}
{{- end }}