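# Two documents: the bootstrap BIRD config, then the per-node flock DaemonSet
# (CNI installer + agent + BIRD sidecar) that consumes it.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: flock-bird-init
  namespace: kube-system
data:
  # Mounted read-only at /seed in the DaemonSet and copied onto the host once
  # by the seed-bird-config init container (see below).
  bird.conf: |
    # Bootstrap config served by the bird sidecar until flock-agent
    # writes the real config. Single-protocol device + kernel keeps BIRD
    # alive without trying to peer until the agent is ready.
    log syslog all;
    router id 127.0.0.1;

    protocol device {
      scan time 10;
    }

    protocol kernel kernel6 {
      ipv6 {
        import all;
        export all;
      };
    }

    protocol kernel kernel4 {
      ipv4 {
        import all;
        export all;
      };
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: flock-agent
  namespace: kube-system
  labels:
    app: flock-agent
spec:
  selector:
    matchLabels:
      app: flock-agent
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # One node at a time: every pod here runs privileged on the host network,
      # so a bad rollout should stop after the first node loses its CNI.
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: flock-agent
    spec:
      serviceAccountName: flock-agent
      # Host network is required for a CNI agent; ClusterFirstWithHostNet keeps
      # cluster DNS working despite hostNetwork.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      priorityClassName: system-node-critical
      nodeSelector:
        flock.fritzlab.net/agent: ""
      tolerations:
        # CNI must schedule on a fresh node before it becomes Ready —
        # the node has not-ready:NoSchedule until flock installs the CNI conflist.
        # Catch-all tolerates all taints so the agent always runs.
        - operator: Exists
      # NOTE(review): every container below pulls `:latest` with
      # imagePullPolicy: Always. Because these containers run privileged on
      # every node, a registry push silently changes what runs with host-level
      # access cluster-wide. Pin each image to an immutable digest
      # (image: code.fritzlab.net/fritzlab/flock@sha256:<DIGEST-PLACEHOLDER>)
      # and bump it deliberately on release.
      initContainers:
        # Copies the flock CNI binary and conflist into the host CNI
        # directories via the two hostPath mounts.
        - name: install-cni
          image: code.fritzlab.net/fritzlab/flock:latest
          imagePullPolicy: Always
          command:
            - /usr/local/bin/flock-installer
            - --src=/usr/local/bin/flock
            - --bin=/host/opt/cni/bin/flock
            - --conflist=/host/etc/cni/net.d/01-flock.conflist
          securityContext:
            # NOTE(review): writing into the hostPath mounts alone does not
            # need privileged; confirm whether flock-installer does anything
            # beyond the copy before keeping this.
            privileged: true
          volumeMounts:
            - name: cni-bin
              mountPath: /host/opt/cni/bin
            - name: cni-conf
              mountPath: /host/etc/cni/net.d
        # Seeds the bootstrap bird.conf onto the host-backed bird-config volume
        # only when no non-empty config exists, so a config already written by
        # flock-agent on a previous run is never overwritten.
        - name: seed-bird-config
          image: code.fritzlab.net/fritzlab/flock:latest
          imagePullPolicy: Always
          command: ["/bin/sh", "-c"]
          args:
            - |
              # -e: a failed mkdir or cp fails the init container instead of
              # letting the pod start with no bird.conf for the sidecar.
              set -eu
              mkdir -p /etc/flock/bird
              if [ ! -s /etc/flock/bird/bird.conf ]; then
                cp /seed/bird.conf /etc/flock/bird/bird.conf
              fi
          volumeMounts:
            - name: bird-config
              mountPath: /etc/flock/bird
            - name: bird-seed
              mountPath: /seed
      containers:
        # The per-node agent: owns the allocation state under /var/lib/flock,
        # exposes its socket under /run/flock, and has write access to the
        # bird-config volume the sidecar reads from.
        - name: flock-agent
          image: code.fritzlab.net/fritzlab/flock:latest
          imagePullPolicy: Always
          args:
            - --node=$(NODE_NAME)
            - --state=/var/lib/flock/allocations.json
            - --socket=/run/flock/flock.sock
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          securityContext:
            # Needed for host network-namespace manipulation via /var/run/netns.
            privileged: true
          volumeMounts:
            - name: lib-flock
              mountPath: /var/lib/flock
            - name: run-flock
              mountPath: /run/flock
            - name: bird-config
              mountPath: /etc/flock/bird
            - name: netns
              mountPath: /var/run/netns
              # Namespaces created on the host after the pod starts must be
              # visible inside the container.
              mountPropagation: HostToContainer
          resources:
            requests: { cpu: 25m, memory: 32Mi }
            limits: { memory: 256Mi }
        # BIRD sidecar: runs in the foreground on the seeded/agent-written
        # config; its control socket lives on the run-flock volume shared with
        # the agent (presumably how the agent reconfigures it — verify).
        - name: bird
          image: code.fritzlab.net/fritzlab/flock:latest
          imagePullPolicy: Always
          command: ["bird", "-c", "/etc/flock/bird/bird.conf", "-s", "/run/flock/bird.ctl", "-f"]
          securityContext:
            # Least privilege instead of privileged: only the capabilities a
            # routing daemon needs to program routes and bind its ports.
            capabilities:
              add: ["NET_ADMIN", "NET_RAW", "NET_BIND_SERVICE"]
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: bird-config
              mountPath: /etc/flock/bird
            - name: run-flock
              mountPath: /run/flock
          resources:
            requests: { cpu: 10m, memory: 16Mi }
            limits: { memory: 64Mi }
      volumes:
        # All state lives in hostPath directories so it survives pod restarts.
        - name: lib-flock
          hostPath:
            path: /var/lib/flock
            type: DirectoryOrCreate
        - name: run-flock
          hostPath:
            path: /run/flock
            type: DirectoryOrCreate
        - name: cni-bin
          hostPath:
            path: /opt/cni/bin
            type: DirectoryOrCreate
        - name: cni-conf
          hostPath:
            path: /etc/cni/net.d
            type: DirectoryOrCreate
        - name: netns
          hostPath:
            path: /var/run/netns
            type: DirectoryOrCreate
        # Host-backed so an agent-written bird.conf persists across pod
        # restarts; the seed init container skips the copy when it is non-empty.
        - name: bird-config
          hostPath:
            path: /var/lib/flock-bird
            type: DirectoryOrCreate
        - name: bird-seed
          configMap:
            name: flock-bird-init
      imagePullSecrets:
        - name: code-fritzlab-net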