Merge branch 'master' of https://github.com/jprdonnelly/kubernetes-cluster

Vagrantfile

@@ -10,6 +10,14 @@ servers = [
     :mem => "3200",
     :cpu => "2"
   },
+  {
+    :name => "k8s-nfs",
+    :type => "nfs",
+    :box => "jprdonnelly/ubuntu-1804",
+    :eth1 => "192.168.205.14",
+    :mem => "2176",
+    :cpu => "2"
+  },
   {
     :name => "k8s-node1",
     :type => "node",
@@ -26,14 +34,6 @@ servers = [
     :mem => "4224",
     :cpu => "2",
   },
-  {
-    :name => "k8s-nfs",
-    :type => "nfs",
-    :box => "jprdonnelly/ubuntu-1804",
-    :eth1 => "192.168.205.14",
-    :mem => "2176",
-    :cpu => "2"
-  },
 # Uncomment section below to enable a 3rd worker node.
   # {
   #   :name => "k8s-node3",
@@ -173,7 +173,7 @@ $configureNode = <<-SCRIPT
     echo "This is a worker node"
     sshpass -p "vagrant" scp -o StrictHostKeyChecking=no vagrant@192.168.205.10:/etc/kubeadm_join_cmd.sh .
     sudo sh ./kubeadm_join_cmd.sh
-    # kubectl taint nodes k8s-nfs key=value:NoSchedule
+    kubectl taint nodes k8s-nfs key=value:NoSchedule
 SCRIPT
 
 $configureNFS = <<-SCRIPT

metallb/metallb.yaml

@@ -1,128 +1,190 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+  labels:
+    app: metallb
   name: metallb-system
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
   labels:
     app: metallb
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: metallb-system
-  name: controller
-  labels:
-    app: metallb
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: metallb-system
   name: speaker
+  namespace: metallb-system
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities:
+  - NET_ADMIN
+  - NET_RAW
+  - SYS_ADMIN
+  fsGroup:
+    rule: RunAsAny
+  hostNetwork: true
+  hostPorts:
+  - max: 7472
+    min: 7472
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - '*'
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
   labels:
     app: metallb
-
+  name: controller
+  namespace: metallb-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+  namespace: metallb-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  labels:
+    app: metallb
   name: metallb-system:controller
-  labels:
-    app: metallb
 rules:
-- apiGroups: [""]
+- apiGroups:
-  resources: ["services"]
+  - ''
-  verbs: ["get", "list", "watch", "update"]
+  resources:
-- apiGroups: [""]
+  - services
-  resources: ["services/status"]
+  verbs:
-  verbs: ["update"]
+  - get
-- apiGroups: [""]
+  - list
-  resources: ["events"]
+  - watch
-  verbs: ["create", "patch"]
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - services/status
+  verbs:
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: metallb-system:speaker
   labels:
     app: metallb
+  name: metallb-system:speaker
 rules:
-- apiGroups: [""]
+- apiGroups:
-  resources: ["services", "endpoints", "nodes"]
+  - ''
-  verbs: ["get", "list", "watch"]
+  resources:
+  - services
+  - endpoints
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - extensions
+  resourceNames:
+  - speaker
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: metallb-system
-  name: config-watcher
   labels:
     app: metallb
+  name: config-watcher
+  namespace: metallb-system
 rules:
-- apiGroups: [""]
+- apiGroups:
-  resources: ["configmaps"]
+  - ''
-  verbs: ["get", "list", "watch"]
+  resources:
-- apiGroups: [""]
+  - configmaps
-  resources: ["events"]
+  verbs:
-  verbs: ["create"]
+  - get
+  - list
+  - watch
 ---
-
-## Role bindings
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: metallb-system:controller
   labels:
     app: metallb
+  name: metallb-system:controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:controller
 subjects:
 - kind: ServiceAccount
   name: controller
   namespace: metallb-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: metallb-system:controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: metallb-system:speaker
   labels:
     app: metallb
-subjects:
+  name: metallb-system:speaker
-- kind: ServiceAccount
-  name: speaker
-  namespace: metallb-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: metallb-system:speaker
+subjects:
+- kind: ServiceAccount
+  name: speaker
+  namespace: metallb-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  namespace: metallb-system
-  name: config-watcher
   labels:
     app: metallb
+  name: config-watcher
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: config-watcher
 subjects:
 - kind: ServiceAccount
   name: controller
 - kind: ServiceAccount
   name: speaker
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: config-watcher
 ---
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  namespace: metallb-system
-  name: speaker
   labels:
     app: metallb
     component: speaker
+  name: speaker
+  namespace: metallb-system
 spec:
   selector:
     matchLabels:
@@ -130,21 +192,15 @@ spec:
       component: speaker
   template:
     metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
       labels:
         app: metallb
         component: speaker
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "7472"
     spec:
-      serviceAccountName: speaker
-      terminationGracePeriodSeconds: 0
-      hostNetwork: true
       containers:
-      - name: speaker
+      - args:
-        image: metallb/speaker:v0.7.3
-        imagePullPolicy: IfNotPresent
-        args:
         - --port=7472
         - --config=config
         env:
@@ -152,32 +208,47 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: METALLB_HOST
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        image: metallb/speaker:v0.8.1
+        imagePullPolicy: IfNotPresent
+        name: speaker
         ports:
-        - name: monitoring
+        - containerPort: 7472
-          containerPort: 7472
+          name: monitoring
         resources:
           limits:
             cpu: 100m
             memory: 100Mi
-
         securityContext:
           allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
           capabilities:
-            drop:
-            - all
             add:
-            - net_raw
+            - NET_ADMIN
-
+            - NET_RAW
+            - SYS_ADMIN
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      hostNetwork: true
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      serviceAccountName: speaker
+      terminationGracePeriodSeconds: 0
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
 ---
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: Deployment
 metadata:
-  namespace: metallb-system
-  name: controller
   labels:
     app: metallb
     component: controller
+  name: controller
+  namespace: metallb-system
 spec:
   revisionHistoryLimit: 3
   selector:
@@ -186,37 +257,37 @@ spec:
       component: controller
   template:
     metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
       labels:
         app: metallb
         component: controller
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "7472"
     spec:
-      serviceAccountName: controller
-      terminationGracePeriodSeconds: 0
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534 # nobody
       containers:
-      - name: controller
+      - args:
-        image: metallb/controller:v0.7.3
-        imagePullPolicy: IfNotPresent
-        args:
         - --port=7472
         - --config=config
+        image: metallb/controller:v0.8.1
+        imagePullPolicy: IfNotPresent
+        name: controller
         ports:
-        - name: monitoring
+        - containerPort: 7472
-          containerPort: 7472
+          name: monitoring
         resources:
           limits:
             cpu: 100m
             memory: 100Mi
-
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - all
           readOnlyRootFilesystem: true
-
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: controller
+      terminationGracePeriodSeconds: 0