diff --git a/deploy/kubernetes/configmap.yaml b/deploy/kubernetes/configmap.yaml
index 5cbd4cc..8e2854d 100644
--- a/deploy/kubernetes/configmap.yaml
+++ b/deploy/kubernetes/configmap.yaml
@@ -83,6 +83,7 @@ data:
 #enable_sha = True
+
 [ha]
diff --git a/deploy/openshift4/configmap.yaml b/deploy/openshift4/configmap.yaml
index 678dcdc..1f88189 100644
--- a/deploy/openshift4/configmap.yaml
+++ b/deploy/openshift4/configmap.yaml
@@ -83,6 +83,7 @@ data:
 #enable_sha = True
+
 [ha]
diff --git a/manifest/kubernetes/rhel/ncp-rhel.yaml b/manifest/kubernetes/rhel/ncp-rhel.yaml
index 224fab3..e86c7a0 100644
--- a/manifest/kubernetes/rhel/ncp-rhel.yaml
+++ b/manifest/kubernetes/rhel/ncp-rhel.yaml
@@ -443,157 +443,6 @@ subjects:
-
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: nsx-node-agent-psp
-spec:
- hostIPC: false
- hostNetwork: true
- hostPID: true
- privileged: true
- allowedCapabilities:
- - SYS_ADMIN
- - NET_ADMIN
- - SYS_PTRACE
- - DAC_READ_SEARCH
- - SYS_NICE
- - SYS_MODULE
- - AUDIT_WRITE
- - NET_RAW
- defaultAddCapabilities: null
- fsGroup:
- rule: RunAsAny
- readOnlyRootFilesystem: false
- requiredDropCapabilities:
- - KILL
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- seLinuxOptions:
- type: spc_t
- level: s0:c0.c1023
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - projected
- - secret
- - hostPath
-
----
-
-kind: ClusterRole
-# Set the apiVersion to rbac.authorization.k8s.io/v1beta1 when k8s < v1.8
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nsx-node-agent-psp-cluster-role
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - nsx-node-agent-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
-
----
-
-kind: ClusterRoleBinding
-# Set the apiVersion to rbac.authorization.k8s.io/v1beta1 when k8s < v1.8
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nsx-node-agent-psp-cluster-role-binding
-subjects:
-- kind: ServiceAccount
- name: nsx-node-agent-svc-account
- namespace: nsx-system
-roleRef:
- kind: ClusterRole
- name: nsx-node-agent-psp-cluster-role
- apiGroup: rbac.authorization.k8s.io
-
----
-
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: ncp-psp
-spec:
- hostNetwork: true
- hostIPC: false
- hostPID: false
- privileged: false
- allowedCapabilities:
- - AUDIT_WRITE
- defaultAddCapabilities: null
- requiredDropCapabilities:
- - KILL
- runAsUser:
- rule: RunAsAny
- volumes:
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - projected
- - secret
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: MustRunAs
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: MustRunAs
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
-
----
-
-kind: ClusterRole
-# Set the apiVersion to rbac.authorization.k8s.io/v1beta1 when k8s < v1.8
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ncp-psp-cluster-role
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - ncp-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
-
----
-
-kind: ClusterRoleBinding
-# Set the apiVersion to rbac.authorization.k8s.io/v1beta1 when k8s < v1.8
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ncp-psp-cluster-role-binding
-subjects:
-- kind: ServiceAccount
- name: ncp-svc-account
- namespace: nsx-system
-roleRef:
- kind: ClusterRole
- name: ncp-psp-cluster-role
- apiGroup: rbac.authorization.k8s.io
-
 ---
 # Create Role for NCP to run exec on pods
 kind: Role
@@ -676,6 +525,9 @@ data:
 # must be specified.
 # This yaml file is part of NCP release.
+
+
+
 # ConfigMap for ncp.ini
 apiVersion: v1
 kind: ConfigMap
@@ -693,6 +545,7 @@ data:
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -808,9 +661,11 @@ spec:
+
 volumes:
+
 - name: host-var-log-ujo
 hostPath:
 path: /var/log/nsx-ujo
diff --git a/manifest/kubernetes/ubuntu/ncp-ubuntu.yaml b/manifest/kubernetes/ubuntu/ncp-ubuntu.yaml
index a87f4f2..bc76a27 100644
--- a/manifest/kubernetes/ubuntu/ncp-ubuntu.yaml
+++ b/manifest/kubernetes/ubuntu/ncp-ubuntu.yaml
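Review bot: With `nsx-node-agent-psp` and `ncp-psp` removed in the `@@ -443,157 +443,6 @@` hunk, nothing in the visible manifest constrains either workload at admission time, and the commit adds no replacement; the identical hunk in `manifest/kubernetes/ubuntu/ncp-ubuntu.yaml` has the same gap. The limits `ncp-psp` enforced (`privileged: false`, dropping `KILL`, non-root `fsGroup`/`supplementalGroups` ranges) should now be stated on the NCP Deployment itself, for example `securityContext: {privileged: false, capabilities: {drop: ["KILL"]}}` on the container, unless they are already set there; the Deployment's pod spec is outside this hunk, so that needs checking. The node agent was allowed `privileged`, `hostPID` and `hostNetwork`, so on clusters enforcing Pod Security Admission the `nsx-system` namespace would presumably need `pod-security.kubernetes.io/enforce: privileged`. A comment in the manifest should say so, because that namespace-wide level would leave the NCP pod's own `securityContext` as its only remaining restriction.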
@@ -443,157 +443,6 @@ subjects:
-
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: nsx-node-agent-psp
-spec:
- hostIPC: false
- hostNetwork: true
- hostPID: true
- privileged: true
- allowedCapabilities:
- - SYS_ADMIN
- - NET_ADMIN
- - SYS_PTRACE
- - DAC_READ_SEARCH
- - SYS_NICE
- - SYS_MODULE
- - AUDIT_WRITE
- - NET_RAW
- defaultAddCapabilities: null
- fsGroup:
- rule: RunAsAny
- readOnlyRootFilesystem: false
- requiredDropCapabilities:
- - KILL
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- seLinuxOptions:
- type: spc_t
- level: s0:c0.c1023
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - projected
- - secret
- - hostPath
-
----
-
-kind: ClusterRole
-# Set the apiVersion to rbac.authorization.k8s.io/v1beta1 when k8s < v1.8
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nsx-node-agent-psp-cluster-role
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - nsx-node-agent-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
-
----
-
-kind: ClusterRoleBinding
-# Set the apiVersion to rbac.authorization.k8s.io/v1beta1 when k8s < v1.8
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nsx-node-agent-psp-cluster-role-binding
-subjects:
-- kind: ServiceAccount
- name: nsx-node-agent-svc-account
- namespace: nsx-system
-roleRef:
- kind: ClusterRole
- name: nsx-node-agent-psp-cluster-role
- apiGroup: rbac.authorization.k8s.io
-
----
-
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: ncp-psp
-spec:
- hostNetwork: true
- hostIPC: false
- hostPID: false
- privileged: false
- allowedCapabilities:
- - AUDIT_WRITE
- defaultAddCapabilities: null
- requiredDropCapabilities:
- - KILL
- runAsUser:
- rule: RunAsAny
- volumes:
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - projected
- - secret
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: MustRunAs
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: MustRunAs
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
-
----
-
-kind: ClusterRole
-# Set the apiVersion to rbac.authorization.k8s.io/v1beta1 when k8s < v1.8
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ncp-psp-cluster-role
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - ncp-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
-
----
-
-kind: ClusterRoleBinding
-# Set the apiVersion to rbac.authorization.k8s.io/v1beta1 when k8s < v1.8
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: ncp-psp-cluster-role-binding
-subjects:
-- kind: ServiceAccount
- name: ncp-svc-account
- namespace: nsx-system
-roleRef:
- kind: ClusterRole
- name: ncp-psp-cluster-role
- apiGroup: rbac.authorization.k8s.io
-
 ---
 # Create Role for NCP to run exec on pods
 kind: Role
@@ -676,6 +525,9 @@ data:
 # must be specified.
 # This yaml file is part of NCP release.
+
+
+
 # ConfigMap for ncp.ini
 apiVersion: v1
 kind: ConfigMap
@@ -693,6 +545,7 @@ data:
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -808,9 +661,11 @@ spec:
+
 volumes:
+
 - name: host-var-log-ujo
 hostPath:
 path: /var/log/nsx-ujo
diff --git a/manifest/openshift4/coreos/ncp-openshift4.yaml b/manifest/openshift4/coreos/ncp-openshift4.yaml
index c16a0ef..db6c39b 100644
--- a/manifest/openshift4/coreos/ncp-openshift4.yaml
+++ b/manifest/openshift4/coreos/ncp-openshift4.yaml
@@ -384,7 +384,6 @@ subjects:
-
 ---
 # Create Role for NCP to run exec on pods
 kind: Role
@@ -463,6 +462,9 @@ data:
 # must be specified.
 # This yaml file is part of NCP release.
+
+
+
 # ConfigMap for ncp.ini
 apiVersion: v1
 kind: ConfigMap
@@ -480,6 +482,7 @@ data:
 ---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -590,9 +593,11 @@ spec:
+
 volumes:
+
 - name: host-var-log-ujo
 hostPath:
 path: /var/log/nsx-ujo