diff options
author | Todd Malsbary <todd.malsbary@intel.com> | 2021-03-01 15:13:08 -0800 |
---|---|---|
committer | Todd Malsbary <todd.malsbary@intel.com> | 2021-05-04 14:41:48 -0700 |
commit | 61dc8e7b3aa13852dfde84dad4e6152178dd298d (patch) | |
tree | 52ef38d3b13df5355517ae54a51736a8a6d919ff /kud/hosting_providers | |
parent | c7cc63c3e76d5739c67314008b01f6fe70289641 (diff) |
Add ovn4nfv addon helm chart
This chart follows the upstream installation guide with the following
exceptions:
- The node-role.kubernetes.io/master:NoSchedule taint is not removed.
The YAML files already included the necessary tolerations.
- No node labeling is done. Instead, the ovn-control-plane node
selector is for the master role, and the nfn-operator pod affinity
is for "role: ovn-control-plane". This ensures that the
ovn-control-plane and nfn-operator run are scheduled on the same
master node, equivalent to the labelling approach used upstream.
Also, additional allowed capabilities are needed to run the pods with
the restricted PodSecurityPolicy. These capabilities are requested by
the Pods, but not available in the default set of allowed
capabilities.
Issue-ID: MULTICLOUD-1324
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: I54ae12434572e2e2dd1fe2ec9298d04557331d94
Diffstat (limited to 'kud/hosting_providers')
-rw-r--r-- | kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml | 10 | ||||
-rw-r--r-- | kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml | 10 |
2 files changed, 20 insertions, 0 deletions
diff --git a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml index 30e8bc42..7d0404a5 100644 --- a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml +++ b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml @@ -87,10 +87,20 @@ podsecuritypolicy_enabled: true # allowedCapabilities: # - '*' # by +# allowedCapabilities: +# - NET_ADMIN +# - SYS_ADMIN +# - SYS_NICE +# - SYS_PTRACE # requiredDropCapabilities: # - NET_RAW podsecuritypolicy_restricted_spec: privileged: true + allowedCapabilities: + - NET_ADMIN + - SYS_ADMIN + - SYS_NICE + - SYS_PTRACE allowPrivilegeEscalation: true volumes: - '*' diff --git a/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml b/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml index 8d4795be..7803f27a 100644 --- a/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml +++ b/kud/hosting_providers/vagrant/inventory/group_vars/k8s-cluster.yml @@ -84,10 +84,20 @@ podsecuritypolicy_enabled: true # allowedCapabilities: # - '*' # by +# allowedCapabilities: +# - NET_ADMIN +# - SYS_ADMIN +# - SYS_NICE +# - SYS_PTRACE # requiredDropCapabilities: # - NET_RAW podsecuritypolicy_restricted_spec: privileged: true + allowedCapabilities: + - NET_ADMIN + - SYS_ADMIN + - SYS_NICE + - SYS_PTRACE allowPrivilegeEscalation: true volumes: - '*' |