add calico policy controller
Also fix the add-on presence check for add-ons whose namespace is not kube-system.
Change-Id: I4ed59bc72714e0217ff1784d2ca90c6ff98866c9
diff --git a/README.rst b/README.rst
index ed82007..315a648 100644
--- a/README.rst
+++ b/README.rst
@@ -43,6 +43,17 @@
helm:
enabled: true
+Enable calico-policy addon
+
+.. code-block:: yaml
+
+ parameters:
+ kubernetes:
+ master:
+ addons:
+ calico_policy:
+ enabled: true
+
Enable netchecker addon
.. code-block:: yaml
@@ -259,7 +270,7 @@
Kubernetes control plane running in systemd
-------------------------------------------
-By default kube-apiserver, kube-scheduler, kube-controllermanager, kube-proxy, etcd running in docker containers through manifests. For stable production environment this should be run in systemd.
+By default kube-apiserver, kube-scheduler, kube-controllermanager, kube-proxy, etcd running in docker containers through manifests. For stable production environment this should be run in systemd.
.. code-block:: yaml
@@ -380,6 +391,27 @@
ssl:
enabled: true
+Running with calico-policy controller:
+
+.. code-block:: yaml
+
+ kubernetes:
+ pool:
+ network:
+ engine: calico
+ addons:
+ calico_policy:
+ enabled: true
+
+ master:
+ network:
+ engine: calico
+ addons:
+ calico_policy:
+ enabled: true
+
+
+
Enable Prometheus metrics in Felix
.. code-block:: yaml
diff --git a/kubernetes/files/calico/calico.conf b/kubernetes/files/calico/calico.conf
index 119f638..0401f37 100644
--- a/kubernetes/files/calico/calico.conf
+++ b/kubernetes/files/calico/calico.conf
@@ -1,4 +1,5 @@
{%- from "kubernetes/map.jinja" import pool with context %}
+{%- from "kubernetes/map.jinja" import master with context %}
{
"name": "calico-k8s-network",
"type": "calico",
@@ -8,6 +9,11 @@
"etcd_cert_file": "/var/lib/etcd/etcd-client.pem",
"etcd_ca_cert_file": "/var/lib/etcd/ca.pem",
{%- endif %}
+{%- if master.get('addons', {}).get('calico_policy', {}).get('enabled', False) %}
+ "policy": {
+ "type": "k8s"
+ },
+{%- endif %}
"log_level": "info",
"ipam": {
"type": "calico-ipam"
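Review bot: The new `"policy"` block is rendered only when `master.get('addons', {}).get('calico_policy', {}).get('enabled', False)` is truthy, yet this file is the pool-side CNI configuration (it already imports `pool` on its first line) and the README added in this commit tells users to enable `calico_policy` under `kubernetes:pool:addons` as well as under `master`. If `master` on a pool-only minion resolves to the map.jinja defaults (`enabled: False`), the policy section will not be emitted there even though the README implies it will; I cannot see map.jinja from here, so please confirm which pillar tree this template is meant to read and use the same key as kube-addons.sls. A one-line comment above the `{%- if` naming the source of the toggle, e.g. `{#- policy type k8s is enabled via kubernetes:master:addons:calico_policy:enabled #}`, would make the dependency visible. The enclosing JSON object begins before and ends after this hunk.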
diff --git a/kubernetes/files/kube-addons/calico-policy/calico-policy-controller.yml b/kubernetes/files/kube-addons/calico-policy/calico-policy-controller.yml
new file mode 100644
index 0000000..1471a73
--- /dev/null
+++ b/kubernetes/files/kube-addons/calico-policy/calico-policy-controller.yml
@@ -0,0 +1,65 @@
+{%- from "kubernetes/map.jinja" import master with context %}
+{%- from "kubernetes/map.jinja" import pool with context %}
+apiVersion: extensions/v1beta1
+kind: ReplicaSet
+metadata:
+ name: calico-policy-controller
+ namespace: {{ master.addons.calico_policy.namespace }}
+ labels:
+ k8s-app: calico-policy
+ kubernetes.io/cluster-service: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ kubernetes.io/cluster-service: "true"
+ k8s-app: calico-policy
+ template:
+ metadata:
+ name: calico-policy-controller
+ namespace: {{ master.addons.calico_policy.namespace }}
+ labels:
+ kubernetes.io/cluster-service: "true"
+ k8s-app: calico-policy
+ spec:
+ hostNetwork: true
+ containers:
+ - name: calico-policy-controller
+ image: {{ master.addons.calico_policy.image }}
+ imagePullPolicy: IfNotPresent
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256M
+ requests:
+ cpu: 30m
+ memory: 64M
+ env:
+ - name: ETCD_ENDPOINTS
+ value: "{% for member in pool.network.etcd.members %}http{% if pool.network.etcd.get('ssl', {}).get('enabled') %}s{% endif %}://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}"
+ - name: ETCD_CA_CERT_FILE
+ value: "/var/lib/etcd/ca.pem"
+ - name: ETCD_CERT_FILE
+ value: "/var/lib/etcd/etcd-client.pem"
+ - name: ETCD_KEY_FILE
+ value: "/var/lib/etcd/etcd-client.pem"
+ # Location of the Kubernetes API - this shouldn't need to be
+ # changed so long as it is used in conjunction with
+ # CONFIGURE_ETC_HOSTS="true".
+ - name: K8S_API
+ value: "https://kubernetes.default"
+ # Configure /etc/hosts within the container to resolve
+ # the kubernetes.default Service to the correct clusterIP
+ # using the environment provided by the kubelet.
+ # This removes the need for KubeDNS to resolve the Service.
+ - name: CONFIGURE_ETC_HOSTS
+ value: "true"
+ volumeMounts:
+ - mountPath: /var/lib/etcd/
+ name: etcd-certs
+ readOnly: true
+ volumes:
+ - hostPath:
+ path: /var/lib/etcd
+ name: etcd-certs
+
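Review bot: `ETCD_KEY_FILE` is given the same path as `ETCD_CERT_FILE` (`/var/lib/etcd/etcd-client.pem`); unless that PEM bundles the certificate and the private key, the controller cannot complete the TLS handshake to etcd, so this should point at the client key file that the calico.conf etcd settings use (that entry sits outside the visible hunk, so I cannot confirm its name). Separately, the `hostPath` volume mounts the whole of `/var/lib/etcd`; if that directory is also the etcd data directory on the master, a read-only mount still exposes the entire key-value store — including every Kubernetes Secret — to this container, so mounting only a certificates subdirectory would limit what the controller can read. Minor: the templated scalars `{{ master.addons.calico_policy.namespace }}` and `{{ master.addons.calico_policy.image }}` are unquoted, which breaks if either expands empty or to a value starting with a YAML indicator, and a `Deployment` is the conventional controller for a single long-running pod rather than a bare `extensions/v1beta1` ReplicaSet.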
diff --git a/kubernetes/master/kube-addons.sls b/kubernetes/master/kube-addons.sls
index 610e85f..83a4d0b 100644
--- a/kubernetes/master/kube-addons.sls
+++ b/kubernetes/master/kube-addons.sls
@@ -8,6 +8,18 @@
- group: root
- mode: 0755
+{%- if master.addons.get('calico_policy', {}).get('enabled', False) and master.network.engine == "calico" %}
+/etc/kubernetes/addons/calico_policy/calico-policy-controller.yml:
+ file.managed:
+ - source: salt://kubernetes/files/kube-addons/calico-policy/calico-policy-controller.yml
+ - template: jinja
+ - group: root
+ - dir_mode: 755
+ - makedirs: True
+
+{% endif %}
+
+
{%- if master.addons.helm.enabled %}
/etc/kubernetes/addons/helm/helm-tiller-deploy.yml:
file.managed:
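Review bot: The new `file.managed` state for `calico-policy-controller.yml` sets `- dir_mode: 755` but no `- mode:` and no `- user:`, while the preceding addon state in this file carries `- group: root` and `- mode: 0755`; the rendered manifest therefore gets the minion's default file mode and the two addon states diverge in ownership handling. Adding `- user: root` and a `- mode:` (for example `0644`, since the manifest is data, not an executable) keeps the addons directory predictable. Also `{% endif %}` lacks the `-` whitespace control that `{%- if` and the following `{%- if master.addons.helm.enabled %}` use, which leaves stray blank lines in the rendered state file. The helm state that starts at the bottom of the hunk continues outside it.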
diff --git a/kubernetes/master/setup.sls b/kubernetes/master/setup.sls
index 432cdce..f994d6a 100644
--- a/kubernetes/master/setup.sls
+++ b/kubernetes/master/setup.sls
@@ -8,7 +8,7 @@
cmd.run:
- name: |
hyperkube kubectl apply -f /etc/kubernetes/addons/{{ addon_name }}
- - unless: "hyperkube kubectl get svc kube-{{ addon.get('name', addon_name) }} --namespace=kube-system"
+ - unless: "hyperkube kubectl get svc kube-{{ addon.get('name', addon_name) }} --namespace={{ addon.get('namespace', 'kube-system') }}"
{%- endif %}
{%- endfor %}
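Review bot: The widened `unless` guard still runs `kubectl get svc kube-<name>`, but the calico-policy manifest introduced in this commit creates only a ReplicaSet named `calico-policy-controller` and no Service, so for that addon the guard never succeeds and `hyperkube kubectl apply` re-runs (and reports a change) on every highstate. The check should look up an object the addon actually creates; one constructed option is a per-addon pillar key with `svc` as the default, `- unless: "hyperkube kubectl get {{ addon.get('kind', 'svc') }} {{ addon.get('name', 'kube-' ~ addon_name) }} --namespace={{ addon.get('namespace', 'kube-system') }}"`, with calico_policy declaring `kind: rs` and `name: calico-policy-controller`. The `{%- for %}` loop and the `{%- if %}` that wrap this state begin before the hunk, so any pillar key added here also needs the matching defaults in metadata/service/master/*.yml.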
diff --git a/metadata/service/master/cluster.yml b/metadata/service/master/cluster.yml
index 3cb4c03..b7364ce 100644
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
@@ -57,6 +57,10 @@
port: 80
agent_image: quay.io/l23network/k8s-netchecker-agent:v1.0
server_image: quay.io/l23network/k8s-netchecker-server:v1.0
+ calico_policy:
+ enabled: False
+ image: calico/kube-policy-controller:v0.5.4
+ namespace: kube-system
token:
admin: ${_param:kubernetes_admin_token}
kubelet: ${_param:kubernetes_kubelet_token}
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index a8bc63a..3a6440c 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -45,6 +45,10 @@
helm:
enabled: False
tiller_image: gcr.io/kubernetes-helm/tiller:v2.3.0
+ calico_policy:
+ enabled: False
+ image: calico/kube-policy-controller:v0.5.4
+ namespace: kube-system
token:
admin: ${_param:kubernetes_admin_token}
kubelet: ${_param:kubernetes_kubelet_token}
diff --git a/tests/pillar/master_cluster.sls b/tests/pillar/master_cluster.sls
index c253e9d..a38467e 100644
--- a/tests/pillar/master_cluster.sls
+++ b/tests/pillar/master_cluster.sls
@@ -24,6 +24,8 @@
tiller_image: gcr.io/kubernetes-helm/tiller:v2.2.3
netchecker:
enabled: true
+ calico_policy:
+ enabled: true
admin:
password: password
username: admin
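Review bot: Enabling `calico_policy` in this test pillar only exercises the new kube-addons.sls state if `kubernetes:master:network:engine` is `calico` in the same pillar, because that state is gated on `master.network.engine == "calico"`; the network section is outside this hunk, so please confirm it, otherwise the new state is silently skipped by the test run. The pillar also sets only `enabled: true` and relies on `image` and `namespace` coming from the metadata defaults added in this commit; if the test pillar can be loaded standalone, a short comment such as `# image/namespace come from metadata/service/master defaults` above the key would document that dependency.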