---
# Cluster-wide permissions for the per-node policy controller: the
# k8s.cni.cncf.io CRDs (presumably MultiNetworkPolicy and
# NetworkAttachmentDefinition — confirm against the controller), the pods and
# namespaces those policies select, and core NetworkPolicy objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: multi-networkpolicy-nftables
rules:
  # NOTE(review): "*" resources with "*" verbs is far broader than a watcher
  # needs — it grants create/update/delete on every k8s.cni.cncf.io object in
  # the cluster to a privileged, hostNetwork pod. Narrow to the named resources
  # and to get/list/watch unless the controller is confirmed to write to these
  # objects (e.g. status updates).
  - apiGroups:
      - k8s.cni.cncf.io
    resources:
      - "*"
    verbs:
      - "*"
  # Read-only access to the workloads and namespaces policies are matched against.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/status
      - namespaces
    verbs:
      - get
      - list
      - watch
  # Read-only access to core NetworkPolicy objects.
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
---
# Binds the ClusterRole above to the controller's ServiceAccount. The subject
# namespace must match the namespace the ServiceAccount and DaemonSet live in
# (default in this manifest); a mismatch silently leaves the pod unauthorized.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: multi-networkpolicy-nftables
subjects:
  - kind: ServiceAccount
    name: multi-networkpolicy-nftables
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: multi-networkpolicy-nftables
---
# Identity the DaemonSet pods run as (referenced by serviceAccountName below).
# Kept in the same namespace as the DaemonSet, as Kubernetes requires.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: multi-networkpolicy-nftables
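---
# Custom IPv4 nftables rules consumed through the controller's
# --custom-v4-ingress-rule-file / --custom-v4-egress-rule-file flags
# (presumably inserted into the generated policy chains — confirm in the
# controller). They are unconditional "accept" rules, so the matched traffic
# bypasses MultiNetworkPolicy entirely: tcp/9999 from anywhere and anything
# from 192.168.100.0/24. This is intentional for e2e testing only; never ship
# this ConfigMap to a real cluster.
apiVersion: v1
kind: ConfigMap
metadata:
  name: multi-networkpolicy-custom-v4-rules
  # Must be the namespace of the DaemonSet that mounts it (default): a
  # configMap/projected volume can only reference ConfigMaps in the pod's own
  # namespace, so a ConfigMap in kube-system would leave the pod stuck in
  # ContainerCreating with "configmap not found".
  namespace: default
  labels:
    tier: node
    app: multi-networkpolicy
data:
  custom-v4-rules.txt: |
    # Custom IPv4 rules for e2e testing
    # Allow traffic on port 9999 for testing custom rules
    tcp dport 9999 accept
    # Allow traffic from specific IP range
    ip saddr 192.168.100.0/24 accept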
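---
# Custom IPv6 nftables rules consumed through the controller's
# --custom-v6-ingress-rule-file / --custom-v6-egress-rule-file flags
# (presumably inserted into the generated policy chains — confirm in the
# controller). They are unconditional "accept" rules, so the matched traffic
# bypasses MultiNetworkPolicy entirely: tcp/9999 from anywhere and anything
# from 2001:db8:100::/64. This is intentional for e2e testing only; never ship
# this ConfigMap to a real cluster.
apiVersion: v1
kind: ConfigMap
metadata:
  name: multi-networkpolicy-custom-v6-rules
  # Must be the namespace of the DaemonSet that mounts it (default): a
  # configMap/projected volume can only reference ConfigMaps in the pod's own
  # namespace, so a ConfigMap in kube-system would leave the pod stuck in
  # ContainerCreating with "configmap not found".
  namespace: default
  labels:
    tier: node
    app: multi-networkpolicy
data:
  custom-v6-rules.txt: |
    # Custom IPv6 rules for e2e testing
    # Allow traffic on port 9999 for testing custom rules
    tcp dport 9999 accept
    # Allow traffic from specific IPv6 range
    ip6 saddr 2001:db8:100::/64 accept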
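---
# Per-node controller that programs nftables for pods' secondary
# (macvlan/ipvlan) interfaces. It runs privileged, on the host network, with
# the entire host root filesystem mounted and the CRI socket reachable: a
# compromise of this pod is equivalent to root on the node. This is the e2e
# configuration (local-registry image, ICMP accepted, policy-bypassing custom
# rules); do not reuse it as-is in production.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: multi-networkpolicy-nftables
  namespace: default
  labels:
    app: multi-networkpolicy-nftables
spec:
  selector:
    matchLabels:
      name: multi-networkpolicy-nftables
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        name: multi-networkpolicy-nftables
    spec:
      # hostNetwork: the controller manipulates the node's nftables state.
      hostNetwork: true
      serviceAccountName: multi-networkpolicy-nftables
      containers:
        - name: multi-networkpolicy-nftables
          # e2e image from a local registry; Always re-pull so a rebuilt
          # mutable :e2e tag is picked up on every pod restart.
          image: localhost:5000/multus-networkpolicy-nftables:e2e
          imagePullPolicy: Always
          command:
            - /multi-networkpolicy-nftables
          args:
            # debug logging for e2e (passed once; the flag was previously
            # duplicated at the end of the list)
            - "--zap-log-level=2"
            # CRI-O socket, resolved under --host-prefix; used to locate
            # per-pod network namespaces (access to it is node-root-equivalent)
            - "--container-runtime-endpoint=/run/crio/crio.sock"
            - "--network-plugins=macvlan,ipvlan"
            - "--host-prefix=/host"
            # accept all icmp/icmpv6 types for e2e testing
            - "--accept-icmp"
            - "--accept-icmpv6"
            # custom rules for e2e testing; the same file is used for ingress
            # and egress, and its accept rules apply regardless of policy
            - "--custom-v4-ingress-rule-file=/etc/multi-networkpolicy/rules/custom-v4-rules.txt"
            - "--custom-v4-egress-rule-file=/etc/multi-networkpolicy/rules/custom-v4-rules.txt"
            - "--custom-v6-ingress-rule-file=/etc/multi-networkpolicy/rules/custom-v6-rules.txt"
            - "--custom-v6-egress-rule-file=/etc/multi-networkpolicy/rules/custom-v6-rules.txt"
          resources:
            requests:
              cpu: "100m"
              memory: "80Mi"
            limits:
              cpu: "100m"
              memory: "150Mi"
          securityContext:
            # privileged is presumably needed to enter other network
            # namespaces and program nftables there — confirm. It already
            # grants every capability, so the explicit adds below are
            # redundant; they are kept only to document intent for admission
            # tooling that inspects the capability list.
            privileged: true
            capabilities:
              add: ["SYS_ADMIN", "NET_ADMIN"]
          volumeMounts:
            - name: host
              mountPath: /host
            - name: multi-networkpolicy-custom-rules
              mountPath: /etc/multi-networkpolicy/rules
              readOnly: true
      volumes:
        # Whole host root, mounted writable. NOTE(review): scope this to the
        # paths the controller actually touches (/run/crio, /proc, netns
        # directories) and/or mark it readOnly if its access pattern allows.
        - name: host
          hostPath:
            path: /
        # Both rule ConfigMaps projected into one directory. They are resolved
        # in this pod's namespace (default); a ConfigMap in any other
        # namespace cannot be mounted and the pod will not start.
        - name: multi-networkpolicy-custom-rules
          projected:
            sources:
              - configMap:
                  name: multi-networkpolicy-custom-v4-rules
              - configMap:
                  name: multi-networkpolicy-custom-v6-rules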