Before this change, the multus daemonset init container had troubles
with running with SELinux in enforced mode, due to lack of the
container_file_t label on the host /opt/cni/bin directory. Fix that by
making the container privileged.
Ref: rancher/rke2#746
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
This version fixes the problems we had:
1 - Image prefix no possible
2 - Images on 3.19.0 instead of 3.19.1
Signed-off-by: Manuel Buil <mbuil@suse.com>
Seeing this error at runtime:
```
Error: parse error at (rke2-canal/templates/config.yaml:63): function "Values" not defined
```
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Before this change, wait-for-node-init container was not able to execute
properly with SELinux enabled, due to lack of ability to access the bind
mounted file. Due to lack of ability to set the container_file_t label
through Kubernetes, the other possible solution, done in this commit, is
making the container privileged. All the other containers accessing the
bootstrap file are already privileged as well, so it should not be that
harmful.
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Consume the images from our rancher/mirrored-xxx images
Unfortunately, we can't consume the rest of the images. This feature is
unavailable
Signed-off-by: Manuel Buil <mbuil@suse.com>
Adds charts for sriov and multus.
Details:
* Multus chart, on deployment installs number of cnis, not only multus
itself but also other cnis ussually combined with it, like host-device
and macvlan.
* Multus includes a CRD, NetworkAttachmentDefinition, which is the
means to attach interfaces to pods by specifying a delegated cni for
each.
* Multus replaces the existing cni with itself, and sets up a default
NetworkAttachmentDefinition with that existing cni that will setup the
first interface of the pod just as if multus was not there.
* The NetworkAttachmentDefinition CRD is included along other multus
templates in the chart and no specific chart is setup for the CRD.
This CRD is no consumed on deployment and is unlikely to change
frequently.
* Sriov depends on NetworkAttachmentDefinition CRD but no dependency is
set between Multus and Sriov. Sriov charts checks on the presence of
NetworkAttachmentDefinition CRD via capabilities and fails deployment
if unavailable.
* Sriov includes a number of CRDs which are setup as separate chart.
* Sriov operator depends on certificates to be able to deploy its
webhooks. The charts depends and checks for the presence of
cert-manager to generate these certificates. Optionally, via chart
value, cert-manager integration can be disabled in which case the
chart will generate certificates with 1 year validity as a means to
quickly test or trial, but not the intended setup for production
clusters.
Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com>
Signed-off-by: Manuel Buil <mbuil@suse.com>
Made FailsafeOutboundHostPorts and FailsafeInboundHostPorts configurable
to allow users to have custom network policy for example SSH (22)
Previously failsafe rules would always have opened 22 even if user had
custom GlobalNetworkPolicy applied on the node.
Fixes https://github.com/rancher/rke2/issues/921
* Update coredns and kube-proxy charts to use passthrough values
* bump kube-proxy versions back to v1.21.0
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Erik Wilson
Manuel Buil
Michal Rostecki
Jacob Blain Christen
Chris Kim
Hussein Galal
Brad Davidson
Brad Davidson
Brian Downs
Jaime Caamaño Ruiz
Jonas Falck