--- kind: DaemonSet apiVersion: extensions/v1beta1 metadata: name: {{ openshift_daemonset_config_daemonset_name }} annotations: kubernetes.io/description: | This daemon set manages the operational configuration for a cluster and ensures all nodes have a concrete set of config in place. It could also use a local ansible run against the /host directory. spec: selector: matchLabels: app: {{ openshift_daemonset_config_daemonset_name }} confighosts: ops ops.openshift.io/role: operations updateStrategy: type: RollingUpdate template: metadata: labels: app: {{ openshift_daemonset_config_daemonset_name }} confighosts: ops ops.openshift.io/role: operations annotations: scheduler.alpha.kubernetes.io/critical-pod: '' spec: {% if openshift_daemonset_config_node_selector is defined and openshift_daemonset_config_node_selector != {} %} nodeSelector: {{ openshift_daemonset_config_node_selector | to_json }} {% endif %} serviceAccountName: {{ openshift_daemonset_config_sa_name }} hostNetwork: true hostPID: true hostIPC: true containers: - name: config image: centos:7 env: - name: RESYNC_INTERVAL value: "{{ openshift_daemonset_config_interval }}" command: - /bin/bash - -c - | #!/bin/sh set -o errexit while true; do # execute user defined script sh /opt/config/{{ openshift_daemonset_config_script }} # sleep for ${RESYNC_INTERVAL} minutes, then loop. if we fail Kubelet will restart us again echo "Success, sleeping for ${RESYNC_INTERVAL}s" exec sleep ${RESYNC_INTERVAL} # Return to perform the config done securityContext: # Must be root to modify host system runAsUser: {{ openshift_daemonset_config_runasuser }} # Permission could be reduced by selecting an appropriate SELinux policy that allows # us to update the named directories privileged: {{ openshift_daemonset_config_privileged }} volumeMounts: # Directory which contains the host volume. - mountPath: /host name: host # Our node configuration - mountPath: /opt/config name: config {% if openshift_daemonset_config_secrets != {} %} # Our delivered secrets - mountPath: /opt/secrets name: secrets {% endif %} resources: requests: cpu: {{ openshift_daemonset_config_resources.cpu }} memory: {{ openshift_daemonset_config_resources.memory }} {% if openshift_daemonset_config_monitoring %} - name: monitoring image: openshifttools/oso-centos7-host-monitoring:latest securityContext: # Must be root to read content runAsUser: 0 privileged: true volumeMounts: - mountPath: /host name: host readOnly: true - mountPath: /etc/localtime subPath: etc/localtime name: host readOnly: true - mountPath: /sys subPath: sys name: host readOnly: true - mountPath: /var/run/docker.sock subPath: var/run/docker.sock name: host readOnly: true - mountPath: /var/run/openvswitch subPath: var/run/openvswitch name: host readOnly: true - mountPath: /etc/origin subPath: etc/origin name: host readOnly: true - mountPath: /usr/bin/oc subPath: usr/bin/oc name: host readOnly: true name: host readOnly: true - mountPath: /host/var/cache/yum subPath: var/cache/yum name: host - mountPath: /container_setup/monitoring-config.yml subPath: monitoring-config.yaml name: config - mountPath: /opt/config name: config resources: requests: cpu: 10m memory: 10Mi {% endif %} volumes: - name: config configMap: name: {{ openshift_daemonset_config_configmap_name }} {% if openshift_daemonset_config_secrets != {} %} - name: secrets secret: secretName: {{ openshift_daemonset_config_secret_name }} {% endif %} - name: host hostPath: path: /