From 61dc8e7b3aa13852dfde84dad4e6152178dd298d Mon Sep 17 00:00:00 2001
From: Todd Malsbary
Date: Mon, 1 Mar 2021 15:13:08 -0800
Subject: Add ovn4nfv addon helm chart

This chart follows the upstream installation guide with the following exceptions:
- The node-role.kubernetes.io/master:NoSchedule taint is not removed. The YAML files already included the necessary tolerations.
- No node labeling is done. Instead, the ovn-control-plane node selector is for the master role, and the nfn-operator pod affinity is for "role: ovn-control-plane". This ensures that the ovn-control-plane and nfn-operator run are scheduled on the same master node, equivalent to the labelling approach used upstream.

Also, additional allowed capabilities are needed to run the pods with the restricted PodSecurityPolicy. These capabilities are requested by the Pods, but not available in the default set of allowed capabilities.

Issue-ID: MULTICLOUD-1324
Signed-off-by: Todd Malsbary
Change-Id: I54ae12434572e2e2dd1fe2ec9298d04557331d94
---
 .../containerized/inventory/group_vars/k8s-cluster.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'kud/hosting_providers/containerized')

diff --git a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
index 30e8bc42..7d0404a5 100644
--- a/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
+++ b/kud/hosting_providers/containerized/inventory/group_vars/k8s-cluster.yml
@@ -87,10 +87,20 @@ podsecuritypolicy_enabled: true
 # allowedCapabilities:
 # - '*'
 # by
+# allowedCapabilities:
+# - NET_ADMIN
+# - SYS_ADMIN
+# - SYS_NICE
+# - SYS_PTRACE
 # requiredDropCapabilities:
 # - NET_RAW
 podsecuritypolicy_restricted_spec:
   privileged: true
+  allowedCapabilities:
+  - NET_ADMIN
+  - SYS_ADMIN
+  - SYS_NICE
+  - SYS_PTRACE
   allowPrivilegeEscalation: true
   volumes:
   - '*'
--
cgit 1.2.3-korg
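Review bot: The four capabilities added to `podsecuritypolicy_restricted_spec.allowedCapabilities` widen the cluster-wide restricted policy for every workload it admits, not only the ovn4nfv pods the commit message names; the surrounding context already shows `privileged: true` and `allowPrivilegeEscalation: true`, and adding SYS_ADMIN and SYS_PTRACE to the allowed set further enlarges what any admitted pod may request. A narrower option is a dedicated PodSecurityPolicy bound through RBAC to the ovn4nfv service accounts so the default policy stays unchanged; whether the kubespray variables in this file support that is not visible in the hunk. At minimum the new block should record why it exists, e.g. `# Requested by the ovn4nfv addon pods (ovn-control-plane, nfn-operator); see MULTICLOUD-1324`, so a later maintainer knows the entries can be dropped when the addon is removed. The commented example above it now lists `allowedCapabilities:` twice (once with `'*'`, once with the new values), which reads as two conflicting defaults; keeping a single example entry would be clearer.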