in pkg/operator/controllers/routefix/routefix.go [88:271]
// resources assembles every Kubernetes object that makes up the routefix
// workload: the namespace, a privileged SecurityContextConstraints object, a
// service account bound cluster-wide to the openshift-sdn-controller
// ClusterRole, the ConfigMap carrying the iptables script, and the DaemonSet
// that runs the two routefix containers on the nodes.
//
// Security posture of what is returned (worth keeping in mind when editing):
// both containers run privileged, the pod uses hostNetwork, and the node's
// root filesystem is mounted at /host (read-write in drop-icmp, read-only in
// detect). Changing the script contents or the mounted paths changes what a
// compromised routefix pod can reach on the node.
//
// cluster is not read in this function body; image is resolved outside this
// function (not visible here) — confirm it tracks the cluster's registry.
//
// Returns nil and the error if the SCC cannot be built or a request quantity
// fails to parse.
func (r *Reconciler) resources(ctx context.Context, cluster *arov1alpha1.Cluster) ([]kruntime.Object, error) {
	privilegedSCC, err := r.securityContextConstraints(ctx, "privileged-routefix", kubeServiceAccount)
	if err != nil {
		return nil, err
	}

	// Both quantities are constant literals, so parsing is not expected to
	// fail; the error is still propagated rather than swallowed.
	cpuRequest, err := resource.ParseQuantity("10m")
	if err != nil {
		return nil, err
	}
	memRequest, err := resource.ParseQuantity("300Mi")
	if err != nil {
		return nil, err
	}

	namespace := &corev1.Namespace{
		ObjectMeta: metav1.ObjectMeta{
			Name:        kubeNamespace,
			Annotations: map[string]string{projectv1.ProjectNodeSelector: ""},
		},
	}

	serviceAccount := &corev1.ServiceAccount{
		ObjectMeta: metav1.ObjectMeta{
			Name:      serviceAccountName,
			Namespace: kubeNamespace,
		},
	}

	// ClusterRoleBinding (not RoleBinding): the service account receives the
	// openshift-sdn-controller ClusterRole across the whole cluster.
	roleBinding := &rbacv1.ClusterRoleBinding{
		ObjectMeta: metav1.ObjectMeta{
			Name: kubeName,
		},
		RoleRef: rbacv1.RoleRef{
			APIGroup: "rbac.authorization.k8s.io",
			Kind:     "ClusterRole",
			Name:     "openshift-sdn-controller",
		},
		Subjects: []rbacv1.Subject{
			{
				Kind:      "ServiceAccount",
				Name:      serviceAccountName,
				Namespace: kubeNamespace,
			},
		},
	}

	scriptConfigMap := &corev1.ConfigMap{
		ObjectMeta: metav1.ObjectMeta{
			Name:      configmapName,
			Namespace: kubeNamespace,
		},
		Data: map[string]string{
			configmapScriptName: shellScriptAddIptables,
		},
	}

	// drop-icmp: privileged, host root mounted read-write at /host. The
	// mounted script is shellScriptAddIptables, so host write access is
	// presumably required — confirm before tightening the mount to read-only.
	dropICMP := corev1.Container{
		Name:  "drop-icmp",
		Image: image,
		Args:  []string{"sh", "-c", shellScriptDrop},
		SecurityContext: &corev1.SecurityContext{
			Privileged: to.BoolPtr(true),
		},
		Lifecycle: &corev1.Lifecycle{
			PreStop: &corev1.LifecycleHandler{
				Exec: &corev1.ExecAction{
					Command: []string{"/bin/bash", "-c", "echo drop-icmp done"},
				},
			},
		},
		VolumeMounts: []corev1.VolumeMount{
			{
				Name:      "host",
				MountPath: "/host",
				ReadOnly:  false,
			},
			{
				Name:      configmapName,
				MountPath: configmapScriptDir + "/" + configmapScriptName,
				SubPath:   configmapScriptName,
				// ConfigMap volumes are mounted read-only by the kubelet
				// regardless of this flag.
				ReadOnly: false,
			},
		},
		// TODO: limits are still unspecified; only requests are set.
		Resources: corev1.ResourceRequirements{
			Requests: corev1.ResourceList{
				corev1.ResourceCPU:    cpuRequest,
				corev1.ResourceMemory: memRequest,
			},
		},
		Env: []corev1.EnvVar{
			{
				Name: "K8S_NODE",
				ValueFrom: &corev1.EnvVarSource{
					FieldRef: &corev1.ObjectFieldSelector{
						FieldPath: "spec.nodeName",
					},
				},
			},
		},
	}

	// detect: privileged as well, but its view of the host root is read-only.
	detect := corev1.Container{
		Name:  "detect",
		Image: image,
		Args:  []string{"sh", "-c", shellScriptLog},
		// TODO: specify requests/limits
		SecurityContext: &corev1.SecurityContext{
			Privileged: to.BoolPtr(true),
		},
		VolumeMounts: []corev1.VolumeMount{
			{
				Name:      "host",
				MountPath: "/host",
				ReadOnly:  true,
			},
		},
	}

	hostRootVolume := corev1.Volume{
		Name: "host",
		VolumeSource: corev1.VolumeSource{
			HostPath: &corev1.HostPathVolumeSource{
				Path: "/",
			},
		},
	}

	scriptVolume := corev1.Volume{
		Name: configmapName,
		VolumeSource: corev1.VolumeSource{
			ConfigMap: &corev1.ConfigMapVolumeSource{
				LocalObjectReference: corev1.LocalObjectReference{
					Name: configmapName,
				},
				// 0555: the script must be executable inside the container.
				DefaultMode: to.Int32Ptr(0555),
			},
		},
	}

	podSpec := corev1.PodSpec{
		ServiceAccountName: serviceAccountName,
		Containers:         []corev1.Container{dropICMP, detect},
		// hostNetwork together with privileged containers and the hostPath "/"
		// mount means this pod is effectively root on the node.
		HostNetwork: true,
		// An empty key with Operator Exists matches every taint of the given
		// effect, so the DaemonSet also lands on tainted (e.g. control plane)
		// nodes.
		Tolerations: []corev1.Toleration{
			{
				Effect:   corev1.TaintEffectNoExecute,
				Operator: corev1.TolerationOpExists,
			},
			{
				Effect:   corev1.TaintEffectNoSchedule,
				Operator: corev1.TolerationOpExists,
			},
		},
		Volumes:       []corev1.Volume{hostRootVolume, scriptVolume},
		DNSPolicy:     corev1.DNSClusterFirst,
		RestartPolicy: corev1.RestartPolicyAlways,
	}

	daemonSet := &appsv1.DaemonSet{
		ObjectMeta: metav1.ObjectMeta{
			Name:      kubeName,
			Namespace: kubeNamespace,
		},
		Spec: appsv1.DaemonSetSpec{
			Selector: &metav1.LabelSelector{
				MatchLabels: map[string]string{"app": kubeName},
			},
			Template: corev1.PodTemplateSpec{
				ObjectMeta: metav1.ObjectMeta{
					Labels: map[string]string{"app": kubeName},
				},
				Spec: podSpec,
			},
		},
	}

	// Order matters to callers that apply these in sequence: namespace and
	// SCC first, then the identity and RBAC, then the workload.
	objects := []kruntime.Object{
		namespace,
		privilegedSCC,
		serviceAccount,
		roleBinding,
		scriptConfigMap,
		daemonSet,
	}
	return objects, nil
}