diff options
Diffstat (limited to 'kud/hosting_providers/containerized')
| -rwxr-xr-x | kud/hosting_providers/containerized/installer.sh | 60 | ||||
| -rw-r--r-- | kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml | 39 |
2 files changed, 67 insertions, 32 deletions
diff --git a/kud/hosting_providers/containerized/installer.sh b/kud/hosting_providers/containerized/installer.sh index c443eaf1..b2ec52af 100755 --- a/kud/hosting_providers/containerized/installer.sh +++ b/kud/hosting_providers/containerized/installer.sh @@ -36,7 +36,6 @@ function _install_ansible { pip install --no-cache-dir ansible==$version } -# install_k8s() - Install Kubernetes using kubespray tool function install_kubespray { echo "Deploying kubernetes" version=$(grep "kubespray_version" ${kud_playbooks}/kud-vars.yml | \ @@ -50,7 +49,6 @@ function install_kubespray { _install_ansible wget https://github.com/kubernetes-incubator/kubespray/archive/$tarball tar -C $dest_folder -xzf $tarball - mv $dest_folder/kubespray-$version/ansible.cfg /etc/ansible/ansible.cfg chown -R root:root $dest_folder/kubespray-$version mkdir -p ${local_release_dir}/containers rm $tarball @@ -79,11 +77,14 @@ function install_kubespray { fi } +# install_k8s() - Install Kubernetes using kubespray tool function install_k8s { - version=$(grep "kubespray_version" ${kud_playbooks}/kud-vars.yml | \ - awk -F ': ' '{print $2}') local cluster_name=$1 ansible-playbook $verbose -i \ + $kud_inventory $kud_playbooks/preconfigure-kubespray.yml \ + --become --become-user=root | \ + tee $cluster_log/setup-kubernetes.log + ansible-playbook $verbose -i \ $kud_inventory $dest_folder/kubespray-$version/cluster.yml \ -e cluster_name=$cluster_name --become --become-user=root | \ tee $cluster_log/setup-kubernetes.log @@ -119,7 +120,9 @@ function install_addons { ansible-playbook $verbose -i \ $kud_inventory -e "base_dest=$HOME" $kud_playbooks/configure-kud.yml | \ tee $cluster_log/setup-kud.log - for addon in ${KUD_ADDONS:-virtlet ovn4nfv nfd sriov cmk $plugins_name}; do + # The order of KUD_ADDONS is important: some plugins (sriov, qat) + # require nfd to be enabled. + for addon in ${KUD_ADDONS:-virtlet ovn4nfv nfd sriov qat cmk $plugins_name}; do echo "Deploying $addon using configure-$addon.yml playbook.." ansible-playbook $verbose -i \ $kud_inventory -e "base_dest=$HOME" $kud_playbooks/configure-${addon}.yml | \ @@ -128,30 +131,34 @@ function install_addons { echo "Run the test cases if testing_enabled is set to true." if [[ "${testing_enabled}" == "true" ]]; then - for addon in ${KUD_ADDONS:-virtlet ovn4nfv nfd sriov cmk $plugins_name}; do + failed_kud_tests="" + for addon in ${KUD_ADDONS:-virtlet ovn4nfv nfd sriov qat cmk $plugins_name}; do pushd $kud_tests - bash ${addon}.sh + bash ${addon}.sh || failed_kud_tests="${failed_kud_tests} ${addon}" + case $addon in + "onap4k8s" ) + echo "Test the onap4k8s plugin installation" + for functional_test in plugin_edgex plugin_fw plugin_eaa; do + bash ${functional_test}.sh --external || failed_kud_tests="${failed_kud_tests} ${functional_test}" + done + ;; + "emco" ) + echo "Test the emco plugin installation" + for functional_test in plugin_fw_v2; do + bash ${functional_test}.sh --external || failed_kud_tests="${failed_kud_tests} ${functional_test}" + done + ;; + esac popd done + if [[ ! -z "$failed_kud_tests" ]]; then + echo "Test cases failed:${failed_kud_tests}" + return 1 + fi fi echo "Add-ons deployment complete..." } -# install_plugin() - Install ONAP Multicloud Kubernetes plugin -function install_plugin { - echo "Installing multicloud/k8s onap4k8s plugin" - if [[ "${testing_enabled}" == "true" ]]; then - pushd $kud_tests - echo "Test the onap4k8s installation" - bash onap4k8s.sh - echo "Test the onap4k8s plugin installation" - for functional_test in plugin_edgex plugin_fw plugin_eaa; do - bash ${functional_test}.sh --external - done - popd - fi -} - # _print_kubernetes_info() - Prints the login Kubernetes information function _print_kubernetes_info { if ! $(kubectl version &>/dev/null); then @@ -200,6 +207,9 @@ function install_pkg { } function install_cluster { + version=$(grep "kubespray_version" ${kud_playbooks}/kud-vars.yml | \ + awk -F ': ' '{print $2}') + export ANSIBLE_CONFIG=$dest_folder/kubespray-$version/ansible.cfg install_k8s $1 if [ ${2:+1} ]; then echo "install default addons and $2" @@ -207,12 +217,8 @@ function install_cluster { else install_addons fi - echo "installed the addons" - if ${KUD_PLUGIN_ENABLED:-false}; then - install_plugin - echo "installed the install_plugin" - fi + _print_kubernetes_info } diff --git a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml index 5560dd97..18a55035 100644 --- a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml +++ b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml @@ -49,14 +49,9 @@ kubectl_localhost: true local_volumes_enabled: true local_volume_provisioner_enabled: true -## Change this to use another Kubernetes version, e.g. a current beta release -kube_version: v1.16.9 - # Helm deployment helm_enabled: true -docker_version: 'latest' - # Kube-proxy proxyMode configuration. # NOTE: Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and # works in the kernel space @@ -84,3 +79,37 @@ kube_pods_subnet: 10.244.64.0/18 # disable localdns cache enable_nodelocaldns: false + +# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled) +podsecuritypolicy_enabled: true +# The restricted spec is identical to the kubespray podsecuritypolicy_privileged_spec, with the replacement of +# allowedCapabilities: +# - '*' +# by +# requiredDropCapabilities: +# - NET_RAW +podsecuritypolicy_restricted_spec: + privileged: true + allowPrivilegeEscalation: true + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + requiredDropCapabilities: + - NET_RAW + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags + allowedUnsafeSysctls: + - '*' |