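# flock: per-node BGP/CNI agent.
# Documents in this file: NodeConfig CRD, ServiceAccount, ClusterRole,
# ClusterRoleBinding, BIRD bootstrap ConfigMap, and the agent DaemonSet.
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: nodeconfigs.flock.fritzlab.net
spec:
  group: flock.fritzlab.net
  scope: Cluster
  names:
    kind: NodeConfig
    listKind: NodeConfigList
    singular: nodeconfig
    plural: nodeconfigs
    shortNames:
      - fnc
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required: [spec]
          properties:
            spec:
              type: object
              required: [bgp]
              properties:
                cidr6:
                  type: array
                  items:
                    type: string
                    # These values end up in the node's BGP advertisement, so
                    # reject anything that is not parseable as a CIDR at
                    # admission time rather than when BIRD loads the config.
                    # `format: cidr` accepts either family; the pattern
                    # additionally requires an IPv6 literal (at least one ':')
                    # so an IPv4 prefix cannot land in the v6 aggregate list.
                    # Note: `format: cidr` does not require host bits to be
                    # zero; the agent must still canonicalize the prefix.
                    format: cidr
                    pattern: '^[0-9A-Fa-f.]*:[0-9A-Fa-f:.]*/[0-9]{1,3}$'
                    description: IPv6 CIDR owned and aggregate-advertised by this node.
                cidr4:
                  type: array
                  items:
                    type: string
                    # Dotted-quad prefix only; see cidr6 for the rationale.
                    format: cidr
                    pattern: '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
                    description: IPv4 CIDR owned and aggregate-advertised by this node.
                bgp:
                  type: object
                  required: [asn, peers]
                  properties:
                    asn:
                      type: integer
                      format: int64
                      # 4-byte ASN range (RFC 6793); 0 is reserved.
                      minimum: 1
                      maximum: 4294967295
                      description: This node's local ASN.
                    peers:
                      type: array
                      minItems: 1
                      items:
                        type: object
                        required: [address, asn]
                        properties:
                          address:
                            type: string
                            # Dual-stack field: neither `ipv4` nor `ipv6`
                            # format covers both families, so this stays a
                            # free-form string and the agent is responsible
                            # for validating it before rendering BIRD config.
                            description: Peer IP (IPv6 or IPv4).
                          asn:
                            type: integer
                            format: int64
                            minimum: 1
                            maximum: 4294967295
      additionalPrinterColumns:
        - name: ASN
          type: integer
          jsonPath: .spec.bgp.asn
        - name: CIDR6
          type: string
          jsonPath: .spec.cidr6
        - name: CIDR4
          type: string
          jsonPath: .spec.cidr4
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flock-agent
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flock-agent
rules:
  # Read-only access to the CRD, pods and network policies.
  - apiGroups: ["flock.fritzlab.net"]
    resources: ["nodeconfigs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): this is the only write grant, and it is cluster-wide.
  # RBAC cannot scope it to "the node this pod runs on" (resourceNames is
  # static, and NodeRestriction only applies to kubelet credentials), so a
  # compromised agent on one node can patch the status of every node.
  # Keep this the only mutating verb in the role.
  - apiGroups: [""]
    resources: ["nodes/status"]
    verbs: ["patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flock-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flock-agent
subjects:
  - kind: ServiceAccount
    name: flock-agent
    namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: flock-bird-init
  namespace: kube-system
data:
  bird.conf: |
    # Bootstrap config served by the bird sidecar until flock-agent
    # writes the real config. Single-protocol device + kernel keeps BIRD
    # alive without trying to peer until the agent is ready.
    log syslog all;
    router id 127.0.0.1;
    protocol device { scan time 10; }
    protocol kernel kernel6 { ipv6 { import all; export all; }; }
    protocol kernel kernel4 { ipv4 { import all; export all; }; }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: flock-agent
  namespace: kube-system
  labels:
    app: flock-agent
spec:
  selector:
    matchLabels:
      app: flock-agent
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: flock-agent
    spec:
      serviceAccountName: flock-agent
      # Host networking is required: the CNI installer and BGP speaker must
      # operate on the node's own namespace, and BIRD binds on the host.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      priorityClassName: system-node-critical
      nodeSelector:
        flock.fritzlab.net/agent: ""
      tolerations:
        - key: fritzlab.net/cni-test
          operator: Equal
          value: "true"
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
        - key: node.kubernetes.io/not-ready
          operator: Exists
          effect: NoExecute
        - key: node.kubernetes.io/unreachable
          operator: Exists
          effect: NoExecute
      # NOTE(review): all four containers pull `:latest` with
      # imagePullPolicy: Always. Each container pulls independently, so if
      # the tag moves during a rollout the installed CNI binary, the agent
      # and the bird sidecar can come from different builds. Pin to an
      # immutable tag or `@sha256:` digest before relying on this in
      # production.
      initContainers:
        - name: install-cni
          image: code.fritzlab.net/fritzlab/flock:latest
          imagePullPolicy: Always
          command:
            - /usr/local/bin/flock-installer
            - --src=/usr/local/bin/flock
            - --bin=/host/opt/cni/bin/flock
            - --conflist=/host/etc/cni/net.d/01-flock.conflist
          # Only writes to the two hostPath mounts below. `privileged` is
          # broader than a file copy needs (root in the container already
          # owns the host dirs); it is kept here presumably for hosts with
          # SELinux/AppArmor labelling on /opt/cni and /etc/cni -- verify
          # and drop if not required.
          securityContext:
            privileged: true
          volumeMounts:
            - name: cni-bin
              mountPath: /host/opt/cni/bin
            - name: cni-conf
              mountPath: /host/etc/cni/net.d
        - name: seed-bird-config
          image: code.fritzlab.net/fritzlab/flock:latest
          imagePullPolicy: Always
          command: ["/bin/sh", "-c"]
          # Seeds the bootstrap bird.conf only when none exists. Because
          # bird-config is a persistent hostPath, a config previously written
          # by flock-agent survives pod restarts and is reused as-is here;
          # BIRD will then start peering from that stale config before the
          # agent has re-validated it.
          args:
            - |
              mkdir -p /etc/flock/bird
              if [ ! -s /etc/flock/bird/bird.conf ]; then
                cp /seed/bird.conf /etc/flock/bird/bird.conf
              fi
          volumeMounts:
            - name: bird-config
              mountPath: /etc/flock/bird
            - name: bird-seed
              mountPath: /seed
      containers:
        - name: flock-agent
          image: code.fritzlab.net/fritzlab/flock:latest
          imagePullPolicy: Always
          args:
            - --node=$(NODE_NAME)
            - --state=/var/lib/flock/allocations.json
            - --socket=/run/flock/flock.sock
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          # Privileged: manipulates host network namespaces via /var/run/netns.
          securityContext:
            privileged: true
          volumeMounts:
            - name: lib-flock
              mountPath: /var/lib/flock
            - name: run-flock
              mountPath: /run/flock
            - name: bird-config
              mountPath: /etc/flock/bird
            - name: netns
              mountPath: /var/run/netns
              # Pick up namespaces created on the host after the pod starts.
              mountPropagation: HostToContainer
          resources:
            requests: { cpu: 25m, memory: 32Mi }
            limits: { memory: 256Mi }
        - name: bird
          image: code.fritzlab.net/fritzlab/flock:latest
          imagePullPolicy: Always
          # Control socket lives on the host at /run/flock/bird.ctl so the
          # agent can drive reconfiguration; anything on the host that can
          # open that socket can reconfigure BIRD, so keep /run/flock
          # root-only. `-f` keeps BIRD in the foreground for the kubelet.
          command: ["bird", "-c", "/etc/flock/bird/bird.conf", "-s", "/run/flock/bird.ctl", "-f"]
          securityContext:
            # Scoped capabilities instead of privileged: route/interface
            # management, raw sockets, and binding TCP/179 on the host.
            capabilities:
              add: ["NET_ADMIN", "NET_RAW", "NET_BIND_SERVICE"]
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: bird-config
              mountPath: /etc/flock/bird
            - name: run-flock
              mountPath: /run/flock
          resources:
            requests: { cpu: 10m, memory: 16Mi }
            limits: { memory: 64Mi }
      volumes:
        - name: lib-flock
          hostPath:
            path: /var/lib/flock
            type: DirectoryOrCreate
        - name: run-flock
          hostPath:
            path: /run/flock
            type: DirectoryOrCreate
        - name: cni-bin
          hostPath:
            path: /opt/cni/bin
            type: DirectoryOrCreate
        - name: cni-conf
          hostPath:
            path: /etc/cni/net.d
            type: DirectoryOrCreate
        - name: netns
          hostPath:
            path: /var/run/netns
            type: DirectoryOrCreate
        - name: bird-config
          hostPath:
            path: /var/lib/flock-bird
            type: DirectoryOrCreate
        - name: bird-seed
          configMap:
            name: flock-bird-init
      imagePullSecrets:
        - name: code-fritzlab-net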