Appendix A - CNI Operator Manifests

cluster-network-03-mysdn-namespace.yml
apiVersion: v1
kind: Namespace
metadata:
  name: mysdn-operator
  labels:
    name: mysdn-operator
    # Quoted so the value stays a string. As I understand OpenShift, run-level
    # 0/1 namespaces are skipped by SCC admission, which is what lets the
    # operator Deployment in this namespace use hostNetwork and a hostPath
    # volume without an explicit SCC grant - confirm for the target release.
    openshift.io/run-level: "0"
  annotations:
    # Empty project node selector: pods in this namespace are not restricted
    # by the cluster's default node selector (the operator must reach masters).
    openshift.io/node-selector: ""

cluster-network-04-mysdn-CRD.yml
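# NOTE(review): apiextensions.k8s.io/v1beta1 CRDs were removed in Kubernetes
# 1.22; migrating to apiextensions.k8s.io/v1 needs per-version schemas
# (versions[].schema) and a structural schema with a top-level type: object.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: installations.operator.mysdn.io
spec:
  group: operator.mysdn.io
  names:
    kind: Installation
    listKind: InstallationList
    plural: installations
    singular: installation
  # Cluster-scoped: whoever may create or update installations.operator.mysdn.io
  # chooses the CNI images rolled out to every node, so RBAC on this resource
  # deserves the same care as on the operator itself.
  scope: Cluster
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      # A custom resource is always an object; declaring it is harmless under
      # v1beta1 and required once this moves to v1.
      type: object
      properties:
        apiVersion:
          # Continuation lines of a quoted scalar must be indented deeper than
          # the key, otherwise the document fails to parse.
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        # spec and status are untyped objects: nothing here constrains the
        # fields an Installation sets (cniBinDir, cniNetDir, component images),
        # so any validation of those values happens in the operator, if at all.
        spec:
          type: object
        status:
          type: object
  version: v1
  versions:
    - name: v1
      served: true
      storage: true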

cluster-network-05-mysdn-deployment.yml
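apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysdn-operator
  namespace: mysdn-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      name: mysdn-operator
  template:
    metadata:
      labels:
        name: mysdn-operator
    spec:
      # "operator: Exists" with no key matches every taint of the given effect,
      # so the pod can be scheduled on masters and on nodes that are still
      # tainted during bootstrap.
      tolerations:
        - effect: NoExecute
          operator: Exists
        - effect: NoSchedule
          operator: Exists
      serviceAccountName: mysdn-operator
      # Host networking - presumably because no pod network exists until the
      # CNI this operator installs is up (confirm). Any port the operator
      # listens on is therefore exposed on the node itself.
      hostNetwork: true
      # NOTE(review): neither container sets a securityContext or resource
      # requests/limits; if SCC admission is skipped for this run-level 0
      # namespace, nothing else constrains them.
      initContainers:
        - name: configure-security-groups
          # NOTE(review): ":master" is a mutable tag and no imagePullPolicy is
          # set, so different nodes may run different builds; pin by digest
          # (image@sha256:<digest-placeholder>) for a reproducible install.
          image: quay.io/mysdn/operator-init:master
          env:
            - name: KUBELET_KUBECONFIG
              value: /etc/kubernetes/kubeconfig
          volumeMounts:
            - mountPath: /etc/kubernetes/kubeconfig
              name: host-kubeconfig
              readOnly: true
      containers:
        - name: mysdn-operator
          # NOTE(review): a short commit-id tag can still be re-pushed; prefer
          # a digest here too.
          image: quay.io/mysdn/operator:de99f8f
          command:
            - operator
            # The flag name suggests only the API server URL is taken from the
            # host kubeconfig and the pod's own service-account token is used
            # for authentication - confirm against the operator source.
            - --url-only-kubeconfig=/etc/kubernetes/kubeconfig
          imagePullPolicy: Always
          volumeMounts:
            - mountPath: /etc/kubernetes/kubeconfig
              name: host-kubeconfig
              readOnly: true
          env:
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: OPENSHIFT
              # Env values must be strings; keep the quotes so "true" is not
              # read as a YAML boolean.
              value: "true"
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: "mysdn-operator"
      volumes:
        # The kubelet's own kubeconfig from the host, mounted read-only in both
        # containers. "type: File" makes the kubelet refuse to start the pod
        # when the file is absent instead of silently creating an empty
        # directory at that path and mounting it.
        - name: host-kubeconfig
          hostPath:
            path: /etc/kubernetes/kubeconfig
            type: File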

cluster-network-06-mysdn-clusterrolebinding.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mysdn-operator
# Grants the operator's service account, cluster-wide, everything listed in
# ClusterRole mysdn-operator (cluster-network-07).
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mysdn-operator
subjects:
  - kind: ServiceAccount
    name: mysdn-operator
    namespace: mysdn-operator

cluster-network-07-mysdn-clusterrole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mysdn-operator
# NOTE(review): "*" on secrets in every namespace, together with "*" on
# clusterroles and clusterrolebindings (which covers the bind and escalate
# verbs), makes this role effectively cluster-admin. Treat the operator's
# service account accordingly, and narrow each rule to the verbs the operator
# actually issues once those are known.
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
      - services
      - endpoints
      - events
      - configmaps
      - secrets
      - serviceaccounts
    verbs:
      - "*"
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - clusterrolebindings
      - rolebindings
    verbs:
      - "*"
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
    verbs:
      - "*"
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - "*"
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - get
      - create
  # Scoped by resourceNames to the operator's own Deployment.
  - apiGroups:
      - apps
    resourceNames:
      - mysdn-operator
    resources:
      - deployments/finalizers
    verbs:
      - update
  - apiGroups:
      - operator.mysdn.io
    resources:
      - "*"
    verbs:
      - "*"
  # When running mysdnSecureEnterprise, we need to manage APIServices.
  - apiGroups:
      - apiregistration.k8s.io
    resources:
      - apiservices
    verbs:
      - "*"
  # When running in openshift, we need to update networking config.
  - apiGroups:
      - config.openshift.io
    resources:
      - networks/status
    verbs:
      - update
      # NOTE(review): "*" already includes update; if update is all that is
      # needed (as the comment above says), drop the wildcard.
      - "*"
  - apiGroups:
      - config.openshift.io
    resources:
      - networks
    verbs:
      - get
      # NOTE(review): same as above - "*" subsumes get.
      - "*"
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - "*"

cluster-network-08-mysdn-serviceaccount.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: mysdn-operator
  name: mysdn-operator
# The identity the operator Deployment runs as (serviceAccountName); bound to
# ClusterRole mysdn-operator by the ClusterRoleBinding of the same name.

cluster-network-09-mysdn-installation.yml
apiVersion: operator.mysdn.io/v1
kind: Installation
metadata:
  name: default
spec:
  # Host directories for CNI plugin binaries and network configuration.
  cniBinDir: "/var/lib/cni/bin"
  cniNetDir: "/etc/kubernetes/cni/net.d"
  components:
    kubeProxy:
      # What "required" means is defined by the operator, not visible here.
      required: true
      # NOTE(review): the CRD types spec as a bare object, so these image
      # references are not validated before the operator rolls them out to
      # every node; both are mutable tags rather than digests.
      image: quay.io/mysdn/kube-proxy:v1.13.6-nft-b9dfbb
    node:
      # NOTE(review): no registry host, so resolution depends on the node's
      # registry search order (typically Docker Hub), and "tmjd/..." looks like
      # a personal namespace - confirm this is the intended source.
      image: tmjd/node:erik-nft
