Age | Commit message | Author | Files | Lines |
|
The intention with this change is to disable CAP_NET_RAW (which can be
a security vulnerability) for created Pods.
kubespray provides the podsecuritypolicy_enabled variable for enabling
privileged (for kube-system) and restricted (for everyone else)
policies. Enabling this requires binding the KUD_ADDONs to the
privileged policy and specifying the security context correctly for
Pods running in the default namespace.
As of this change, the only difference between the privileged and
restricted security policies is the dropping of CAP_NET_RAW in the
restricted policy. To use the default restricted policy provided with
kubespray, additional changes must be made to the Pods that are run in
the default namespace (such as running as a non-root user, not
requesting privileged mode, etc.).
Issue-ID: MULTICLOUD-1256
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: I7d6add122ad4046f9116ef03a249f5c9da1d7eec
|
|
|
|
- Replace move of ansible.cfg from kubespray distribution to
/etc/ansible with ANSIBLE_CONFIG environment variable. Ansible
modifies ansible.cfg during installation, and the paths in it are
relative.
- kubespray 2.14.1 requires a kubernetes version > 1.16. Use the
default versions of kubernetes and helm provided by kubespray
2.14.1.
- kubespray 2.14.1 replaces helm 2 with helm 3. This removes support
for helm init and helm serve. It is no longer necessary to call
helm init, and the helm serve repository is replaced with file
relative URLs. This also triggered a subsequent update of the
kubernetes-helm ansible module to include the newer helm versions.
- Add "storageType: hostPath" to etcd/values.yaml. Helm deploy of
etcd will fail without this due to nil
PersistentVolume.metadata.labels.type.
- The mitogen module used by kubespray/ansible requires python2 on the
hosts. Use the linear strategy to bypass mitogen and install
python2 on the cluster hosts.
Issue-ID: MULTICLOUD-1230
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: I9f50bb4e123fdcacab6b6a97e79cd09fb5c96634
|
|
Building on the target host fixes a couple issues:
- In the containerized installer, the container image does not include
the necessary kernel headers to build the module.
- The build and target host must have the same kernel version. There
is no guarantee of this.
The deploy uses NFD, similar to the QAT playbook.
Issue-ID: MULTICLOUD-1228
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: I58705b73b8ce6d381b4649d5a20b8644e51e1b13
|
|
To deploy to multiple clusters, set the KUD_PLUGIN_FW_CLUSTERS
environment variable to the following format (an array of cluster data
objects):
    [
      {
        "metadata": {
          "name": "NAME",
          "description": "DESCRIPTION",
          "userData1": "USER_DATA_1",
          "userData2": "USER_DATA_2"
        },
        "file": "KUBECONFIG_PATH"
      },
      {
        ...
      }
    ]
Issue-ID: MULTICLOUD-1217
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: I4c80fbcef1162b441c4dfba4ce2bfd3ac419bc25
|
|
Issue-ID: MULTICLOUD-1181
Signed-off-by: Todd <todd.malsbary@intel.com>
Change-Id: Ibfdf401d40398bf6b94543dedf4c860951d50de7
|
|
Using the "--no-cache-dir" flag in pip install makes sure packages downloaded
by pip are not cached on the system. This is a best practice which makes sure
to fetch from the repo instead of using the local cached one. Further, in case
of Docker containers, by restricting caching, we can reduce image size.
In terms of stats, it depends upon the number of python packages
multiplied by their respective size, e.g. for heavy packages with a lot
of dependencies it reduces a lot by not caching pip packages.
Further, more detailed information can be found at
https://medium.com/sciforce/strategies-of-docker-images-optimization-2ca9cc5719b6
Issue-ID: MULTICLOUD-1080
Signed-off-by: Pratik Raj <rajpratik71@gmail.com>
Change-Id: Ib79fae7e69eb669e39bc3eb52373668367460ba2
|
|
Update kubespray to 2.12 to deploy Kubernetes 1.16
Issue-ID: MULTICLOUD-1063
Signed-off-by: Yao Le <le.yao@intel.com>
Change-Id: I537f6395e5d05d8b72411dd1e0789e19972f1947
|
|
- interface name will be different in each Baremetal
- Multus testing good for Vagrant and AIO testing only
Issue-ID: MULTICLOUD-1037
Co-authored-by: yu marin <weifei.yu@intel.com>
Signed-off-by: Kuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
Change-Id: I50786f07f0dbd9aadffda69d02597c85e2675203
|
|
Issue-ID: MULTICLOUD-1037
Co-authored-by: yu marin <weifei.yu@intel.com>
Signed-off-by: Kuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
Change-Id: Id07394cc454b3660fb5f06982fea020e93b26039
|
|
Change docker version to fix kubespray issue in containerization solution
Co-authored-by: Ritu Sood <ritu.sood@intel.com>
Co-authored-by: Le yao <le.yao@intel.com>
Signed-off-by: Kuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
Issue-ID: MULTICLOUD-1073
Change-Id: Id575c64b1630127f1a06ce89ba5b89249d004956
|
|
Issue-ID: MULTICLOUD-1071
Signed-off-by: Kuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
Change-Id: Ia3818ee16393d8e8b2d465d354ce777192baca9e
|
|
Issue-ID: MULTICLOUD-1068
Signed-off-by: Kuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
Change-Id: I8ced72f4d9f13b9cb2305fc3778cdd65e933d778
|
|
Openness EAA provides application/service registration
and authentication. EAA is integrated by running EAA via
ONAP4K8S.
Issue-ID: MULTICLOUD-1044
Signed-off-by: ChenjieXu <chenjie.xu@intel.com>
Change-Id: I66dffc5bcfc66675f6b62672e32496ec7f71454c
|
|
- deploy cmk related pods
- untaint compute nodes if necessary
- run cmk unit tests: allocate CPUs from exclusive and shared pools
- deploy a testing nginx pod along with cmk testing pods
- preset 1/2 CPUs for shared/exclusive pools to fit CI server machines
users can adjust the parameters to meet their own requirements
Test Results:
- many rounds of vagrant/5 VMs(controller01/02/03 and compute01/02)
based test are all OK
- 14 rounds of tests on my local server (S2600WFQ (36C/72T)) and
PC (HP Z228 (4C/4T)) with all-in-one bare metal deployment are all OK
- CI(a 4C/4T machine) results of latest patch set also show that the
test of bare metal deployment is OK
- NOTE: both my local test and CI use the same testing method of calling
aio.sh after applying the latest patch set.
Change-Id: I046a4a63b94f92f23347ab76c21a661521e01119
Issue-ID: MULTICLOUD-879
Signed-off-by: Liang Ding <liang.ding@intel.com>
|
|
Remove no longer public jonathonf ppa
Issue-ID: CIMAN-359
Signed-off-by: Marcus G K Williams <marcus.williams@intel.com>
Change-Id: I12a24a28914654127e3bd27e7814b42ecd897ca1
|
|
Please refer to the ICN SDWAN Module Design for architecture
link: https://wiki.akraino.org/display/AK/SDWAN+Module+Design
Issue-ID: MULTICLOUD-956
Co-authored-by: Huifeng Le <huifeng.le@intel.com>
Signed-off-by: r.kuralamudhan <kuralamudhan.ramakrishnan@intel.com>
Change-Id: I4bc35bc62f6bab52a5d290829f7406424d72d5ae
|
|
Issue-ID: MULTICLOUD-942
Signed-off-by: r.kuralamudhan <kuralamudhan.ramakrishnan@intel.com>
Change-Id: I4c5da84002135d856c5c3dcccf103aa52bb8a0f9
|
|
Issue-ID: MULTICLOUD-919
Signed-off-by: r.kuralamudhan <kuralamudhan.ramakrishnan@intel.com>
Change-Id: I6850c2673b1d5e8e7ccc9d036a0a68fa896aa3ab
|
|
Issue-ID: MULTICLOUD-905
Co-authored-by: Itohan Ukponmwan <itohan.ukponmwan@intel.com>
Signed-off-by: Kuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
Change-Id: Ie9710146d4764f6b1f8ce11af9b28988131d75c8
|
|
Issue-ID: MULTICLOUD-867
Co-authored-by: Pramod Raghavendra Jayathirth <pramod.raghavendra.jayathirth@intel.com>
Co-authored-by: Ritu Sood <ritu.sood@intel.com>
Change-Id: I37b8112bdd5809f1ae0eaa58ddb0d834d395e8d8
Signed-off-by: Kuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
|
|
Issue-ID: MULTICLOUD-827
Signed-off-by: Kuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
Change-Id: I0205459a032c8876943e9b50e61b2c315b138af9
|