Closed sriramec closed 2 years ago
Looks like a few authorization modes and one authorization group are missing from the RBAC file of the danm installer. The following changes in the RBAC file of danm-installer resolved the issue for me.
--- a/integration/install/0danm-installer-rbac.yaml
+++ b/integration/install/0danm-installer-rbac.yaml
@@ -20,6 +20,7 @@ rules:
- clusterroles
- clusterrolebindings
verbs:
+ - bind
- get
- create
- patch
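Review bot: the added "bind" verb on "clusterroles" is not limited by resourceNames in the lines shown, so the installer's service account could create a ClusterRoleBinding to any ClusterRole in the cluster, cluster-admin included, regardless of the permissions it holds itself. If the installer only needs to bind the roles it creates for DANM, put "bind" in a separate rule restricted to those names with resourceNames and leave get/create/patch in the existing rule. "bind" is only checked against roles and clusterroles, so it has no effect on "clusterrolebindings" and need not be granted for that resource.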
@@ -84,6 +85,9 @@ rules:
- watch
- create
- update
+ - patch
+ - approve
+ - delete
- apiGroups:
- "certificates.k8s.io"
resources:
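Review bot: "approve" in the added verbs is only consulted by Kubernetes for the "signers" resource of certificates.k8s.io, and the hunk does not show which resources this verb list belongs to, so as written it may grant nothing useful while "patch" and "delete" widen the rule. If the intent is to let the installer approve its own certificate signing requests, move "approve" to a dedicated rule on "signers" limited by resourceNames to the signer the installer's requests use, and say in the commit message which installer step needs "patch" and "delete".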
@@ -132,6 +136,15 @@ rules:
verbs:
- list
- watch
+- apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
+ - list
+ - watch
+ - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
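Review bot: the new k8s.cni.cncf.io rule grants "update" on network-attachment-definitions in every namespace, with no comment saying which component needs to write them. Updating a NetworkAttachmentDefinition changes the CNI configuration used by pods that reference it, so keep the rule to get/list/watch unless a write is really required, and if it is, add a comment above the rule naming the consumer and the reason.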
Is this a BUG REPORT or FEATURE REQUEST?:
What happened: Not able to deploy DANM 4.3.0 in Kubernetes 1.21.8 using installer job.
What you expected to happen: DANM should get deployed in Kubernetes 1.21.8 using installer job.
How to reproduce it: kubectl apply -f integration/install
Anything else we need to know?:
Environment:
DANM version (danm -version): 4.3.0
Kubernetes version (kubectl version): 1.21.8
watch
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: caas:danm-installer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: caas:danm-installer
subjects:
- kind: ServiceAccount
  name: danm-installer
  namespace: kube-system
```
```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-system
  name: danm-installer-config
data:
  #
  # DANM deployment mode. This MUST be either "lightweight" or "production". Please see the DANM user guide for
  # details on the two modes.
  #
  deploy_mode: production

  #
  # CNI configuration directory. Typically, this is "/etc/cni/net.d". This is the directory where your
  # current (bootstrap) CNI configuration is located, too.
  #
  cni_dir: /etc/cni/net.d

  #
  # CNI naming scheme. See section "Naming container interfaces" in the user guide for a more detailed
  # discussion. Set this parameter to "legacy" if you wish container interface names to be set exactly
  # according to DanmNet.Spec.Options.container_prefix, or to an empty string if you wish the first
  # interface to always be named "eth0".
  #
  cni_naming_scheme: "legacy"

  #
  # [OPTIONAL] Kubernetes API Root CA certificate. If left blank, the installer will obtain the
  # API server certificate from the Kubernetes API. Note, however, that placing a certificate here
  # is technically more secure (as it provides external verification of the CA certificate, rather
  # than blindly trusting the certificate that we see from the server) and also more future-proof
  # if the individual API server's certificate ever were to change in the future, to put the Root
  # CA certificate here. You can obtain this, for example, by running:
  #
  #   kubectl config view \
  #     --flatten \
  #     -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' \
  #     | base64 -d
  #
  api_ca_cert: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

  #
  # This is the type of the CNI plugin used for your default (bootstrap) network.
  # The value can also be found in the "type" field of your bootstrap CNI configuration
  # file, eg. "cat ${cni_dir}/${default_cni_network_id}.conf | jq -Mr '.type'"
  #
  default_cni_type: calico

  #
  # The name of your bootstrap CNI configuration file, without the .conf extension.
  # This means that on each node in your cluster, in the ${cni_dir} directory, a file
  # with the name of "${default_cni_network_id}.conf" must exist. Alternatively,
  # a file with this name will be created if the ${default_cni_config_data} parameter
  # is also provided (below).
  #
  default_cni_network_id: calico

  #
  # [OPTIONAL] Bootstrap CNI configuration data. Typically, your bootstrap CNI plugin
  # should already be configured, so using this option should not be necessary. However,
  # there may be situations where using this option may be useful to distribute an
  # alternative configuration file for your bootstrap CNI plugin. If provided, the
  # contents of this variable are going to be written to a file named
  # "${default_cni_network_id}.conf" as above.
  #
  default_cni_config_data: |
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.1",
      "type": "calico",
      "log_level": "info",
      "datastore_type": "kubernetes",
      "mtu": 1440,
      "ipam": {
        "type": "calico-ipam",
        "assign_ipv4": "true",
        "assign_ipv6": "false"
      },
      "policy": {
        "type": "k8s"
      },
      "kubernetes": {
        "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
      }
    }

  #
  # [OPTIONAL] A prefix (such as a registry name) to be included in each container image.
  # Note that this can be any prefix you like, but if it is a registry name, then
  # the value specified here needs to include the trailing slash.
  #
  # For example, if you wish to pull your "netwatcher" image from
  # "my-registry.example.com/namespace/netwatcher", then set this value to
  # "my-registry.example.com/namespace/". The same prefix will be applied for
  # all images.
  #
  image_registry_prefix: 10.222.26.1:30003/danm/

  #
  # [OPTIONAL] Image tag for each image. Defaults to "latest" if none specified.
  #
  image_tag: "2.0"

  #
  # [OPTIONAL] If your registry needs authentication, then this is the name
  # of a Kubernetes secret with registry credentials. This secret must already
  # exist and is not created by the installer.
  #
  # image_pull_secret: my-registry-secret

  #
  # Image Pull policy. Can be "Always", "Never", or "IfNotPresent".
  #
  image_pull_policy: Always
```
```yaml
---
apiVersion: batch/v1
kind: Job
metadata:
  name: danm-installer
  namespace: kube-system
spec:
  template:
    spec:
      serviceAccountName: danm-installer
      containers:
      - name: danm-installer
        volumeMounts:
        - name: danm-installer-config
          mountPath: /config
        # Update the next two lines as needed
        image: 10.222.26.1:30003/danm/danm-installer:2.0
        imagePullPolicy: Always
      volumes:
      - name: danm-installer-config
        configMap:
          name: danm-installer-config
      terminationGracePeriodSeconds: 0
      restartPolicy: OnFailure
      # Add this if needed:
      # imagePullSecrets:
      # - name: my-registry-secret
```