summaryrefslogtreecommitdiffstats
path: root/kud/hosting_providers/containerized
diff options
context:
space:
mode:
authorTodd Malsbary <todd.malsbary@intel.com>2021-03-01 15:13:08 -0800
committerTodd Malsbary <todd.malsbary@intel.com>2021-05-04 14:41:48 -0700
commit61dc8e7b3aa13852dfde84dad4e6152178dd298d (patch)
tree52ef38d3b13df5355517ae54a51736a8a6d919ff /kud/hosting_providers/containerized
parentc7cc63c3e76d5739c67314008b01f6fe70289641 (diff)
Add ovn4nfv addon helm chart
This chart follows the upstream installation guide with the following exceptions: - The node-role.kubernetes.io/master:NoSchedule taint is not removed. The YAML files already included the necessary tolerations. - No node labeling is done. Instead, the ovn-control-plane node selector is for the master role, and the nfn-operator pod affinity is for "role: ovn-control-plane". This ensures that the ovn-control-plane and nfn-operator run are scheduled on the same master node, equivalent to the labelling approach used upstream. Also, additional allowed capabilities are needed to run the pods with the restricted PodSecurityPolicy. These capabilities are requested by the Pods, but not available in the default set of allowed capabilities. Issue-ID: MULTICLOUD-1324 Signed-off-by: Todd Malsbary <todd.malsbary@intel.com> Change-Id: I54ae12434572e2e2dd1fe2ec9298d04557331d94
Diffstat (limited to 'kud/hosting_providers/containerized')
-rw-r--r--kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml10
1 files changed, 10 insertions, 0 deletions
diff --git a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
index 30e8bc42..7d0404a5 100644
--- a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
+++ b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
@@ -87,10 +87,20 @@ podsecuritypolicy_enabled: true
# allowedCapabilities:
# - '*'
# by
+# allowedCapabilities:
+# - NET_ADMIN
+# - SYS_ADMIN
+# - SYS_NICE
+# - SYS_PTRACE
# requiredDropCapabilities:
# - NET_RAW
podsecuritypolicy_restricted_spec:
privileged: true
+ allowedCapabilities:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_NICE
+ - SYS_PTRACE
allowPrivilegeEscalation: true
volumes:
- '*'