diff --git a/README.md b/README.md
index e6fc2812edc461a841b228e0d4037d87f9207f30..f9e31a8d03f3f88a5242a9118fdb7e6b470083d8 100644
--- a/README.md
+++ b/README.md
@@ -128,7 +128,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [cilium](https://github.com/cilium/cilium) v1.8.5
- [contiv](https://github.com/contiv/install) v1.2.1
- [flanneld](https://github.com/coreos/flannel) v0.13.0
- - [kube-ovn](https://github.com/alauda/kube-ovn) v1.3.0
+ - [kube-ovn](https://github.com/alauda/kube-ovn) v1.5.2
- [kube-router](https://github.com/cloudnativelabs/kube-router) v1.1.0
- [multus](https://github.com/intel/multus-cni) v3.6.0
- [ovn4nfv](https://github.com/opnfv/ovn4nfv-k8s-plugin) v1.1.0
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 8dd5a1f71d501e3e2efbef26ab44b8e7a08c09b5..0679de6481466c45c670df05aecf9a9699aad435 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -80,7 +80,7 @@ weave_version: 2.7.0
pod_infra_version: "3.3"
contiv_version: 1.2.1
cilium_version: "v1.8.5"
-kube_ovn_version: "v1.3.0"
+kube_ovn_version: "v1.5.2"
kube_router_version: "v1.1.0"
multus_version: "v3.6"
ovn4nfv_ovn_image_version: "v1.0.0"
diff --git a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2
index ca6ae9414b7b819db6951dd7e1b537291cf2f301..d405336d123092fc7d52d3512e2e33286daa7042 100644
--- a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2
+++ b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2
@@ -8,7 +8,7 @@ metadata:
kubernetes.io/description: |
kube-ovn controller
spec:
- replicas: 2
+ replicas: 1
selector:
matchLabels:
app: kube-ovn-controller
@@ -46,6 +46,8 @@ spec:
args:
- --default-cidr={{ kube_pods_subnet }}
env:
+ - name: ENABLE_SSL
+ value: "false"
- name: POD_NAME
valueFrom:
fieldRef:
@@ -58,12 +60,16 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
+ volumeMounts:
+ - mountPath: /var/run/tls
+ name: kube-ovn-tls
readinessProbe:
exec:
command:
- sh
- /kube-ovn/kube-ovn-controller-healthcheck.sh
periodSeconds: 3
+ timeoutSeconds: 45
livenessProbe:
exec:
command:
@@ -72,9 +78,14 @@ spec:
initialDelaySeconds: 300
periodSeconds: 7
failureThreshold: 5
+ timeoutSeconds: 45
nodeSelector:
kubernetes.io/os: "linux"
-
+ volumes:
+ - name: kube-ovn-tls
+ secret:
+ optional: true
+ secretName: kube-ovn-tls
---
kind: DaemonSet
apiVersion: apps/v1
@@ -88,8 +99,6 @@ spec:
selector:
matchLabels:
app: kube-ovn-cni
- updateStrategy:
- type: OnDelete
template:
metadata:
labels:
@@ -112,8 +121,6 @@ spec:
runAsUser: 0
privileged: true
volumeMounts:
- - mountPath: /etc/cni/net.d
- name: cni-conf
- mountPath: /opt/cni/bin
name: cni-bin
containers:
@@ -131,6 +138,8 @@ spec:
runAsUser: 0
privileged: true
env:
+ - name: ENABLE_SSL
+ value: "false"
- name: POD_IP
valueFrom:
fieldRef:
@@ -140,6 +149,8 @@ spec:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
+ - mountPath: /etc/cni/net.d
+ name: cni-conf
- mountPath: /run/openvswitch
name: host-run-ovs
- mountPath: /run/ovn
@@ -221,6 +232,8 @@ spec:
runAsUser: 0
privileged: false
env:
+ - name: ENABLE_SSL
+ value: "false"
- name: POD_IP
valueFrom:
fieldRef:
@@ -256,6 +269,8 @@ spec:
name: host-log-ovs
- mountPath: /var/log/ovn
name: host-log-ovn
+ - mountPath: /var/run/tls
+ name: kube-ovn-tls
resources:
requests:
cpu: {{ kube_ovn_pinger_cpu_request }}
@@ -287,6 +302,10 @@ spec:
- name: host-log-ovn
hostPath:
path: /var/log/ovn
+ - name: kube-ovn-tls
+ secret:
+ optional: true
+ secretName: kube-ovn-tls
---
kind: Service
apiVersion: v1
diff --git a/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2
index 6371bc0cac08b03b18001db412d7b2ca19814f20..dfaffca6c834270bf907c23f820545e302fdb31b 100644
--- a/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2
+++ b/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2
@@ -1,3 +1,31 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: kube-ovn
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - '*'
+ volumes:
+ - '*'
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostIPC: true
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+
---
apiVersion: v1
kind: ConfigMap
@@ -27,6 +55,7 @@ rules:
- subnets/status
- ips
- vlans
+ - networks
verbs:
- "*"
- apiGroups:
@@ -81,7 +110,6 @@ subjects:
- kind: ServiceAccount
name: ovn
namespace: kube-system
-
---
kind: Service
apiVersion: v1
@@ -99,7 +127,6 @@ spec:
app: ovn-central
ovn-nb-leader: "true"
sessionAffinity: None
-
---
kind: Service
apiVersion: v1
@@ -117,7 +144,6 @@ spec:
app: ovn-central
ovn-sb-leader: "true"
sessionAffinity: None
-
---
kind: Deployment
apiVersion: apps/v1
@@ -166,6 +192,8 @@ spec:
capabilities:
add: ["SYS_NICE"]
env:
+ - name: ENABLE_SSL
+ value: "false"
- name: POD_IP
valueFrom:
fieldRef:
@@ -201,12 +229,15 @@ spec:
name: host-log-ovs
- mountPath: /var/log/ovn
name: host-log-ovn
+ - mountPath: /var/run/tls
+ name: kube-ovn-tls
readinessProbe:
exec:
command:
- sh
- /kube-ovn/ovn-is-leader.sh
periodSeconds: 3
+ timeoutSeconds: 45
livenessProbe:
exec:
command:
@@ -215,6 +246,7 @@ spec:
initialDelaySeconds: 30
periodSeconds: 7
failureThreshold: 5
+ timeoutSeconds: 45
nodeSelector:
kubernetes.io/os: "linux"
kube-ovn/role: "master"
@@ -240,7 +272,10 @@ spec:
- name: host-log-ovn
hostPath:
path: /var/log/ovn
-
+ - name: kube-ovn-tls
+ secret:
+ optional: true
+ secretName: kube-ovn-tls
---
kind: DaemonSet
apiVersion: apps/v1
@@ -279,12 +314,18 @@ spec:
runAsUser: 0
privileged: true
env:
+ - name: ENABLE_SSL
+ value: "false"
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: HW_OFFLOAD
value: "false"
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
volumeMounts:
- mountPath: /lib/modules
name: host-modules
@@ -304,12 +345,15 @@ spec:
name: host-log-ovs
- mountPath: /var/log/ovn
name: host-log-ovn
+ - mountPath: /var/run/tls
+ name: kube-ovn-tls
readinessProbe:
exec:
command:
- sh
- /kube-ovn/ovs-healthcheck.sh
periodSeconds: 5
+ timeoutSeconds: 45
livenessProbe:
exec:
command:
@@ -318,6 +362,7 @@ spec:
initialDelaySeconds: 10
periodSeconds: 5
failureThreshold: 5
+ timeoutSeconds: 45
resources:
requests:
cpu: {{ kube_ovn_node_cpu_request }}
@@ -352,3 +397,7 @@ spec:
- name: host-log-ovn
hostPath:
path: /var/log/ovn
+ - name: kube-ovn-tls
+ secret:
+ optional: true
+ secretName: kube-ovn-tls