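---
# This manifest deploys the Calico policy controller on Kubernetes.
# See https://github.com/projectcalico/k8s-policy
#
# Rendered as a Helm template: the only templated value is the container image.
#
# NOTE(review): extensions/v1beta1 Deployments are no longer served by
# Kubernetes 1.16+; the replacement is apps/v1, which requires spec.selector.
# An explicit selector is given below so the manifest is ready for that move —
# confirm the target cluster version before changing apiVersion.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: calico-policy-controller
  namespace: kube-system
  labels:
    k8s-app: calico-policy
spec:
  # The policy controller can only have a single active instance.
  replicas: 1
  strategy:
    type: Recreate
  # Explicit pod selector. It must match the pod template's labels below
  # (k8s-app: calico-policy-controller), not the Deployment's own metadata
  # label (k8s-app: calico-policy). On extensions/v1beta1 this equals the
  # default selector derived from the template labels, so behaviour is unchanged.
  selector:
    matchLabels:
      k8s-app: calico-policy-controller
  template:
    metadata:
      name: calico-policy-controller
      namespace: kube-system
      labels:
        k8s-app: calico-policy-controller
      annotations:
        # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
        # reserves resources for critical add-on pods so that they can be rescheduled after
        # a failure. This annotation works in tandem with the toleration below.
        #
        # NOTE(review): this alpha annotation is deprecated on newer clusters in
        # favour of a priorityClassName (e.g. system-cluster-critical) — confirm
        # which mechanism the target cluster honours.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # The policy controller must run in the host network namespace so that
      # it isn't governed by policy that would prevent it from working.
      # Consequence for reviewers: the pod shares the node's network namespace,
      # so it is outside the reach of NetworkPolicy and should be treated as a
      # privileged, cluster-scoped component when auditing kube-system.
      hostNetwork: true
      tolerations:
        # Permit scheduling onto master/control-plane nodes that carry the
        # NoSchedule taint.
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
        # This, along with the annotation above marks this pod as a critical add-on.
        - key: CriticalAddonsOnly
          operator: Exists
      # The RBAC permissions the controller runs with are bound to this
      # service account (defined elsewhere in the chart).
      serviceAccountName: calico-policy-controller
      containers:
        - name: calico-policy-controller
          # Quoted so an empty or boolean-looking value cannot change the
          # scalar's YAML type after template rendering.
          image: "{{ .Values.images.policy_controller }}"
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Location of the CA certificate for etcd.
            # Presumably a path under /calico-secrets (the secret mount below) —
            # verify against the calico-config ConfigMap.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
            # The location of the Kubernetes API. Use the default Kubernetes
            # service for API access.
            - name: K8S_API
              value: "https://kubernetes.default:443"
            # Since we're running in the host namespace and might not have KubeDNS
            # access, configure the container's /etc/hosts to resolve
            # kubernetes.default to the correct service clusterIP.
            # Kept as the string "true": env values must be strings.
            - name: CONFIGURE_ETC_HOSTS
              value: "true"
          volumeMounts:
            # Mount in the etcd TLS secrets. The client key is credential
            # material; the mount is read-only so the container cannot alter it
            # (Secret volumes are read-only on current Kubernetes anyway, this
            # just makes the intent explicit).
            - mountPath: /calico-secrets
              name: etcd-certs
              readOnly: true
      volumes:
        # Mount in the etcd TLS secrets.
        - name: etcd-certs
          secret:
            secretName: calico-etcd-secrets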