mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2026-03-10 12:18:52 +03:00
Upgrade Cilium network plugin to v1.5.5. (#5014)
* Needs an additional cilium-operator deployment. * Added option to enable hostPort mappings.
This commit is contained in:
Holger Frydrych
committed by
Kubernetes Prow Robot
Kubernetes Prow Robot
parent
7cf8ad4dc7
commit
bc6de32faf
70
roles/network_plugin/cilium/templates/cilium-cr.yml.j2
Executable file → Normal file
70
roles/network_plugin/cilium/templates/cilium-cr.yml.j2
Executable file → Normal file
@@ -1,11 +1,58 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cilium-operator
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
# to get k8s version and status
|
||||
- componentstatuses
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
# to automatically delete [core|kube]dns pods so that are starting to being
|
||||
# managed by Cilium
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- delete
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
# to automatically read from k8s and import the node's pod CIDR to cilium's
|
||||
# etcd so all nodes know how to reach another pod running in in a different
|
||||
# node.
|
||||
- nodes
|
||||
# to perform the translation of a CNP that contains `ToGroup` to its endpoints
|
||||
- services
|
||||
- endpoints
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- cilium.io
|
||||
resources:
|
||||
- ciliumnetworkpolicies
|
||||
- ciliumnetworkpolicies/status
|
||||
- ciliumendpoints
|
||||
- ciliumendpoints/status
|
||||
verbs:
|
||||
- '*'
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cilium
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "networking.k8s.io"
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- networkpolicies
|
||||
verbs:
|
||||
@@ -34,11 +81,16 @@ rules:
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes
|
||||
- nodes/status
|
||||
verbs:
|
||||
- patch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
resources:
|
||||
- networkpolicies # FIXME remove this when we drop support for k8s NP-beta GH-1202
|
||||
- thirdpartyresources
|
||||
- ingresses
|
||||
verbs:
|
||||
- create
|
||||
@@ -46,7 +98,7 @@ rules:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- "apiextensions.k8s.io"
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
- customresourcedefinitions
|
||||
verbs:
|
||||
@@ -63,12 +115,4 @@ rules:
|
||||
- ciliumendpoints
|
||||
- ciliumendpoints/status
|
||||
verbs:
|
||||
- "*"
|
||||
- apiGroups:
|
||||
- policy
|
||||
resourceNames:
|
||||
- privileged
|
||||
resources:
|
||||
- podsecuritypolicies
|
||||
verbs:
|
||||
- use
|
||||
- '*'
|
||||
|
||||
Reference in New Issue
Block a user