docs: add network policies examples

This commit adds a guide for deploying Kubernetes NetworkPolicy support to a cluster running Kilo. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-04-28 14:50:57 +02:00
parent 8bb9600e5e
commit 94f9a5e507
4 changed files with 177 additions and 1 deletions
--- a/manifests/kube-router.yaml
+++ b/manifests/kube-router.yaml
@@ -0,0 +1,106 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: kube-router
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: kube-router
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-router
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kube-router
+    spec:
+      serviceAccountName: kube-router
+      priorityClassName: system-node-critical
+      containers:
+      - name: kube-router
+        image: cloudnativelabs/kube-router
+        args:
+        - --run-router=false
+        - --run-firewall=true
+        - --run-service-proxy=false
+        securityContext:
+          privileged: true
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 20244
+          initialDelaySeconds: 10
+          periodSeconds: 3
+        volumeMounts:
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
+          readOnly: false
+      hostNetwork: true
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      - effect: NoSchedule
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+      volumes:
+      - name: xtables-lock
+        hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-router
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kube-router
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - namespaces
+  - nodes
+  - pods
+  - services
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-router
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-router
+subjects:
+  - kind: ServiceAccount
+    name: kube-router
+    namespace: kube-system