diff --git a/test/integration/net_test.go b/test/integration/net_test.go index 834c5e9097..4556172302 100644 --- a/test/integration/net_test.go +++ b/test/integration/net_test.go @@ -61,7 +61,7 @@ func TestNetworkPlugins(t *testing.T) { {"flannel", []string{"--cni=flannel"}, "cni", "app=flannel", true}, {"kindnet", []string{"--cni=kindnet"}, "cni", "app=kindnet", true}, {"false", []string{"--cni=false"}, "", "", false}, - {"custom-weave", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "weavenet.yaml"))}, "cni", "", true}, + {"custom-flannel", []string{fmt.Sprintf("--cni=%s", filepath.Join(*testdataDir, "kube-flannel.yaml"))}, "cni", "", true}, {"calico", []string{"--cni=calico"}, "cni", "k8s-app=calico-node", true}, {"cilium", []string{"--cni=cilium"}, "cni", "k8s-app=cilium", true}, } diff --git a/test/integration/testdata/kube-flannel.yaml b/test/integration/testdata/kube-flannel.yaml new file mode 100644 index 0000000000..e5b98de1ff --- /dev/null +++ b/test/integration/testdata/kube-flannel.yaml @@ -0,0 +1,248 @@ +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: psp.flannel.unprivileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default + apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default +spec: + privileged: false + volumes: + - configMap + - secret + - emptyDir + - hostPath + allowedHostPaths: + - pathPrefix: "/etc/cni/net.d" + - pathPrefix: "/etc/kube-flannel" + - pathPrefix: "/run/flannel" + readOnlyRootFilesystem: false + # Users and groups + runAsUser: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + fsGroup: + rule: RunAsAny + # Privilege Escalation + allowPrivilegeEscalation: false + defaultAllowPrivilegeEscalation: false + # Capabilities + allowedCapabilities: ['NET_ADMIN', 'NET_RAW'] + defaultAddCapabilities: [] + requiredDropCapabilities: [] + # Host namespaces + hostPID: false + hostIPC: false + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + # SELinux + seLinux: + # SELinux is unused in CaaSP + rule: 'RunAsAny' +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flannel +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: ['psp.flannel.unprivileged'] +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flannel +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: flannel +subjects: +- kind: ServiceAccount + name: flannel + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flannel + namespace: kube-system +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: kube-flannel-cfg + namespace: kube-system + labels: + tier: node + app: flannel +data: + cni-conf.json: | + { + "name": "cbr0", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "flannel", + "delegate": { + "hairpinMode": true, + "isDefaultGateway": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + net-conf.json: | + { + "Network": "10.244.0.0/16", + "Backend": { + "Type": "vxlan" + } + } +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-flannel-ds + namespace: kube-system + labels: + tier: node + app: flannel +spec: + selector: + matchLabels: + app: flannel + template: + metadata: + labels: + tier: node + app: flannel + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + hostNetwork: true + priorityClassName: system-node-critical + tolerations: + - operator: Exists + effect: NoSchedule + serviceAccountName: flannel + initContainers: + - name: install-cni-plugin + #image: flannelcni/flannel-cni-plugin:v1.0.1 for ppc64le and mips64le (dockerhub limitations may apply) + image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1 + command: + - cp + args: + - -f + - /flannel + - /opt/cni/bin/flannel + volumeMounts: + - name: cni-plugin + mountPath: /opt/cni/bin + - name: install-cni + #image: flannelcni/flannel:v0.17.0 for ppc64le and mips64le (dockerhub limitations may apply) + image: rancher/mirrored-flannelcni-flannel:v0.17.0 + command: + - cp + args: + - -f + - /etc/kube-flannel/cni-conf.json + - /etc/cni/net.d/10-flannel.conflist + volumeMounts: + - name: cni + mountPath: /etc/cni/net.d + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + containers: + - name: kube-flannel + #image: flannelcni/flannel:v0.17.0 for ppc64le and mips64le (dockerhub limitations may apply) + image: rancher/mirrored-flannelcni-flannel:v0.17.0 + command: + - /opt/bin/flanneld + args: + - --ip-masq + - --kube-subnet-mgr + resources: + requests: + cpu: "100m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + securityContext: + privileged: false + capabilities: + add: ["NET_ADMIN", "NET_RAW"] + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: EVENT_QUEUE_DEPTH + value: "5000" + volumeMounts: + - name: run + mountPath: /run/flannel + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + - name: xtables-lock + mountPath: /run/xtables.lock + volumes: + - name: run + hostPath: + path: /run/flannel + - name: cni-plugin + hostPath: + path: /opt/cni/bin + - name: cni + hostPath: + path: /etc/cni/net.d + - name: flannel-cfg + configMap: + name: kube-flannel-cfg + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate diff --git a/test/integration/testdata/weavenet.yaml b/test/integration/testdata/weavenet.yaml deleted file mode 100644 index 8918cf2a95..0000000000 --- a/test/integration/testdata/weavenet.yaml +++ /dev/null @@ -1,255 +0,0 @@ -apiVersion: v1 -kind: List -items: - - apiVersion: v1 - kind: ServiceAccount - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": "/k8s/v1.16/net.yaml?k8s-version=Q2xpZW50IFZlcnNpb246IHZlcnNpb24uSW5mb3tNYWpvcjoiMSIsIE1pbm9yOiIxOCIsIEdpdFZlcnNpb246InYxLjE4LjAiLCBHaXRDb21taXQ6IjllOTkxNDE1Mzg2ZTRjZjE1NWEyNGIxZGExNWJlY2FhMzkwNDM4ZDgiLCBHaXRUcmVlU3RhdGU6ImNsZWFuIiwgQnVpbGREYXRlOiIyMDIwLTAzLTI2VDA2OjE2OjE1WiIsIEdvVmVyc2lvbjoiZ28xLjE0IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImRhcndpbi9hbWQ2NCJ9ClNlcnZlciBWZXJzaW9uOiB2ZXJzaW9uLkluZm97TWFqb3I6IjEiLCBNaW5vcjoiMTgiLCBHaXRWZXJzaW9uOiJ2MS4xOC4zIiwgR2l0Q29tbWl0OiIyZTc5OTZlM2UyNzEyNjg0YmM3M2YwZGVjMDIwMGQ2NGVlYzdmZTQwIiwgR2l0VHJlZVN0YXRlOiJjbGVhbiIsIEJ1aWxkRGF0ZToiMjAyMC0wNS0yMFQxMjo0MzozNFoiLCBHb1ZlcnNpb246ImdvMS4xMy45IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImxpbnV4L2FtZDY0In0K", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - namespace: kube-system - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": "/k8s/v1.16/net.yaml?k8s-version=Q2xpZW50IFZlcnNpb246IHZlcnNpb24uSW5mb3tNYWpvcjoiMSIsIE1pbm9yOiIxOCIsIEdpdFZlcnNpb246InYxLjE4LjAiLCBHaXRDb21taXQ6IjllOTkxNDE1Mzg2ZTRjZjE1NWEyNGIxZGExNWJlY2FhMzkwNDM4ZDgiLCBHaXRUcmVlU3RhdGU6ImNsZWFuIiwgQnVpbGREYXRlOiIyMDIwLTAzLTI2VDA2OjE2OjE1WiIsIEdvVmVyc2lvbjoiZ28xLjE0IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImRhcndpbi9hbWQ2NCJ9ClNlcnZlciBWZXJzaW9uOiB2ZXJzaW9uLkluZm97TWFqb3I6IjEiLCBNaW5vcjoiMTgiLCBHaXRWZXJzaW9uOiJ2MS4xOC4zIiwgR2l0Q29tbWl0OiIyZTc5OTZlM2UyNzEyNjg0YmM3M2YwZGVjMDIwMGQ2NGVlYzdmZTQwIiwgR2l0VHJlZVN0YXRlOiJjbGVhbiIsIEJ1aWxkRGF0ZToiMjAyMC0wNS0yMFQxMjo0MzozNFoiLCBHb1ZlcnNpb246ImdvMS4xMy45IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImxpbnV4L2FtZDY0In0K", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - rules: - - apiGroups: - - '' - resources: - - pods - - namespaces - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - nodes/status - verbs: - - patch - - update - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": "/k8s/v1.16/net.yaml?k8s-version=Q2xpZW50IFZlcnNpb246IHZlcnNpb24uSW5mb3tNYWpvcjoiMSIsIE1pbm9yOiIxOCIsIEdpdFZlcnNpb246InYxLjE4LjAiLCBHaXRDb21taXQ6IjllOTkxNDE1Mzg2ZTRjZjE1NWEyNGIxZGExNWJlY2FhMzkwNDM4ZDgiLCBHaXRUcmVlU3RhdGU6ImNsZWFuIiwgQnVpbGREYXRlOiIyMDIwLTAzLTI2VDA2OjE2OjE1WiIsIEdvVmVyc2lvbjoiZ28xLjE0IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImRhcndpbi9hbWQ2NCJ9ClNlcnZlciBWZXJzaW9uOiB2ZXJzaW9uLkluZm97TWFqb3I6IjEiLCBNaW5vcjoiMTgiLCBHaXRWZXJzaW9uOiJ2MS4xOC4zIiwgR2l0Q29tbWl0OiIyZTc5OTZlM2UyNzEyNjg0YmM3M2YwZGVjMDIwMGQ2NGVlYzdmZTQwIiwgR2l0VHJlZVN0YXRlOiJjbGVhbiIsIEJ1aWxkRGF0ZToiMjAyMC0wNS0yMFQxMjo0MzozNFoiLCBHb1ZlcnNpb246ImdvMS4xMy45IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImxpbnV4L2FtZDY0In0K", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - roleRef: - kind: ClusterRole - name: weave-net - apiGroup: rbac.authorization.k8s.io - subjects: - - kind: ServiceAccount - name: weave-net - namespace: kube-system - - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": "/k8s/v1.16/net.yaml?k8s-version=Q2xpZW50IFZlcnNpb246IHZlcnNpb24uSW5mb3tNYWpvcjoiMSIsIE1pbm9yOiIxOCIsIEdpdFZlcnNpb246InYxLjE4LjAiLCBHaXRDb21taXQ6IjllOTkxNDE1Mzg2ZTRjZjE1NWEyNGIxZGExNWJlY2FhMzkwNDM4ZDgiLCBHaXRUcmVlU3RhdGU6ImNsZWFuIiwgQnVpbGREYXRlOiIyMDIwLTAzLTI2VDA2OjE2OjE1WiIsIEdvVmVyc2lvbjoiZ28xLjE0IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImRhcndpbi9hbWQ2NCJ9ClNlcnZlciBWZXJzaW9uOiB2ZXJzaW9uLkluZm97TWFqb3I6IjEiLCBNaW5vcjoiMTgiLCBHaXRWZXJzaW9uOiJ2MS4xOC4zIiwgR2l0Q29tbWl0OiIyZTc5OTZlM2UyNzEyNjg0YmM3M2YwZGVjMDIwMGQ2NGVlYzdmZTQwIiwgR2l0VHJlZVN0YXRlOiJjbGVhbiIsIEJ1aWxkRGF0ZToiMjAyMC0wNS0yMFQxMjo0MzozNFoiLCBHb1ZlcnNpb246ImdvMS4xMy45IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImxpbnV4L2FtZDY0In0K", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - namespace: kube-system - rules: - - apiGroups: - - '' - resourceNames: - - weave-net - resources: - - configmaps - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": "/k8s/v1.16/net.yaml?k8s-version=Q2xpZW50IFZlcnNpb246IHZlcnNpb24uSW5mb3tNYWpvcjoiMSIsIE1pbm9yOiIxOCIsIEdpdFZlcnNpb246InYxLjE4LjAiLCBHaXRDb21taXQ6IjllOTkxNDE1Mzg2ZTRjZjE1NWEyNGIxZGExNWJlY2FhMzkwNDM4ZDgiLCBHaXRUcmVlU3RhdGU6ImNsZWFuIiwgQnVpbGREYXRlOiIyMDIwLTAzLTI2VDA2OjE2OjE1WiIsIEdvVmVyc2lvbjoiZ28xLjE0IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImRhcndpbi9hbWQ2NCJ9ClNlcnZlciBWZXJzaW9uOiB2ZXJzaW9uLkluZm97TWFqb3I6IjEiLCBNaW5vcjoiMTgiLCBHaXRWZXJzaW9uOiJ2MS4xOC4zIiwgR2l0Q29tbWl0OiIyZTc5OTZlM2UyNzEyNjg0YmM3M2YwZGVjMDIwMGQ2NGVlYzdmZTQwIiwgR2l0VHJlZVN0YXRlOiJjbGVhbiIsIEJ1aWxkRGF0ZToiMjAyMC0wNS0yMFQxMjo0MzozNFoiLCBHb1ZlcnNpb246ImdvMS4xMy45IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImxpbnV4L2FtZDY0In0K", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - namespace: kube-system - roleRef: - kind: Role - name: weave-net - apiGroup: rbac.authorization.k8s.io - subjects: - - kind: ServiceAccount - name: weave-net - namespace: kube-system - - apiVersion: apps/v1 - kind: DaemonSet - metadata: - name: weave-net - annotations: - cloud.weave.works/launcher-info: |- - { - "original-request": { - "url": "/k8s/v1.16/net.yaml?k8s-version=Q2xpZW50IFZlcnNpb246IHZlcnNpb24uSW5mb3tNYWpvcjoiMSIsIE1pbm9yOiIxOCIsIEdpdFZlcnNpb246InYxLjE4LjAiLCBHaXRDb21taXQ6IjllOTkxNDE1Mzg2ZTRjZjE1NWEyNGIxZGExNWJlY2FhMzkwNDM4ZDgiLCBHaXRUcmVlU3RhdGU6ImNsZWFuIiwgQnVpbGREYXRlOiIyMDIwLTAzLTI2VDA2OjE2OjE1WiIsIEdvVmVyc2lvbjoiZ28xLjE0IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImRhcndpbi9hbWQ2NCJ9ClNlcnZlciBWZXJzaW9uOiB2ZXJzaW9uLkluZm97TWFqb3I6IjEiLCBNaW5vcjoiMTgiLCBHaXRWZXJzaW9uOiJ2MS4xOC4zIiwgR2l0Q29tbWl0OiIyZTc5OTZlM2UyNzEyNjg0YmM3M2YwZGVjMDIwMGQ2NGVlYzdmZTQwIiwgR2l0VHJlZVN0YXRlOiJjbGVhbiIsIEJ1aWxkRGF0ZToiMjAyMC0wNS0yMFQxMjo0MzozNFoiLCBHb1ZlcnNpb246ImdvMS4xMy45IiwgQ29tcGlsZXI6ImdjIiwgUGxhdGZvcm06ImxpbnV4L2FtZDY0In0K", - "date": "Tue Jun 23 2020 02:18:50 GMT+0000 (UTC)" - }, - "email-address": "support@weave.works" - } - labels: - name: weave-net - namespace: kube-system - spec: - minReadySeconds: 5 - selector: - matchLabels: - name: weave-net - template: - metadata: - labels: - name: weave-net - spec: - containers: - - name: weave - command: - - /home/weave/launch.sh - env: - - name: HOSTNAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - image: 'docker.io/weaveworks/weave-kube:2.6.5' - readinessProbe: - httpGet: - host: 127.0.0.1 - path: /status - port: 6784 - resources: - requests: - cpu: 10m - securityContext: - privileged: true - volumeMounts: - - name: weavedb - mountPath: /weavedb - - name: cni-bin - mountPath: /host/opt - - name: cni-bin2 - mountPath: /host/home - - name: cni-conf - mountPath: /host/etc - - name: dbus - mountPath: /host/var/lib/dbus - - name: lib-modules - mountPath: /lib/modules - - name: xtables-lock - mountPath: /run/xtables.lock - - name: weave-npc - env: - - name: HOSTNAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - image: 'docker.io/weaveworks/weave-npc:2.6.5' - resources: - requests: - cpu: 10m - securityContext: - privileged: true - volumeMounts: - - name: xtables-lock - mountPath: /run/xtables.lock - dnsPolicy: ClusterFirstWithHostNet - hostNetwork: true - hostPID: true - priorityClassName: system-node-critical - restartPolicy: Always - securityContext: - seLinuxOptions: {} - serviceAccountName: weave-net - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - volumes: - - name: weavedb - hostPath: - path: /var/lib/weave - - name: cni-bin - hostPath: - path: /opt - - name: cni-bin2 - hostPath: - path: /home - - name: cni-conf - hostPath: - path: /etc - - name: dbus - hostPath: - path: /var/lib/dbus - - name: lib-modules - hostPath: - path: /lib/modules - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - updateStrategy: - type: RollingUpdate