From f3c41dd13a0a86382b80d564e9de0d6b06fb1dbf Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Sun, 11 Mar 2018 19:56:38 +0100
Subject: Various fixes before moving to hardware installation
---
docs/samples/templates/00-katrin-restricted.yml.j2 | 44 ++++++++++++++++++++++
docs/samples/vars/run_oc.yml | 6 +++
docs/samples/vars/variants.yml | 33 ++++++++++++++++
3 files changed, 83 insertions(+)
create mode 100644 docs/samples/templates/00-katrin-restricted.yml.j2
create mode 100644 docs/samples/vars/run_oc.yml
create mode 100644 docs/samples/vars/variants.yml
(limited to 'docs/samples')
diff --git a/docs/samples/templates/00-katrin-restricted.yml.j2 b/docs/samples/templates/00-katrin-restricted.yml.j2
new file mode 100644
index 0000000..6221f30
--- /dev/null
+++ b/docs/samples/templates/00-katrin-restricted.yml.j2
@@ -0,0 +1,44 @@
+# Overriding SCC rules to allow arbitrary gluster mounts in restricted containers
+---
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: v1
+defaultAddCapabilities: null
+fsGroup:
+ type: MustRunAs
+groups:
+- system:authenticated
+kind: SecurityContextConstraints
+metadata:
+ annotations:
+ kubernetes.io/description: restricted denies access to all host features and requires
+ pods to be run with a UID, and SELinux context that are allocated to the namespace. This
+ is the most restrictive SCC.
+ creationTimestamp: null
+ name: katrin-restricted
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SYS_CHROOT
+- SETUID
+- SETGID
+runAsUser:
+ type: MustRunAsRange
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+volumes:
+- glusterfs
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret
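Review bot: `groups: - system:authenticated` grants katrin-restricted to every authenticated user, and the `volumes` list adds `glusterfs`, so any user who can create a pod can name a Gluster volume inline in the pod spec instead of going through a bound PersistentVolumeClaim. With `supplementalGroups: type: RunAsAny` the pod also picks its own supplemental GIDs, so file-ownership checks on the mounted volume are the only remaining barrier as far as this hunk shows. If only the project's own workloads need Gluster mounts, scope the SCC to them, for example by replacing the group with `system:serviceaccounts:<namespace>` (placeholder), and keep `system:authenticated` on the stock restricted SCC. The `kubernetes.io/description` annotation still carries the stock text "This is the most restrictive SCC", which is no longer accurate; something like `restricted, plus inline glusterfs volumes` would tell an auditor what differs.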
diff --git a/docs/samples/vars/run_oc.yml b/docs/samples/vars/run_oc.yml
new file mode 100644
index 0000000..a464549
--- /dev/null
+++ b/docs/samples/vars/run_oc.yml
@@ -0,0 +1,6 @@
+oc:
+ - template: "[0-3]*"
+ - template: "[4-6]*"
+ - resource: "route/apache"
+ oc: "expose svc/kaas --name apache --hostname=apache.{{ openshift_master_default_subdomain }}"
+ - template: "*"
diff --git a/docs/samples/vars/variants.yml b/docs/samples/vars/variants.yml
new file mode 100644
index 0000000..c7a27b4
--- /dev/null
+++ b/docs/samples/vars/variants.yml
@@ -0,0 +1,33 @@
+# First port is exposed
+
+pods:
+ kaas:
+ variant: "{{ ands_prefer_docker | default(false) | ternary('docker', 'centos') }}"
+ centos:
+ service: { host: "{{ katrin_node }}", ports: [ 80/8080, 443/8043 ] }
+ sched: { replicas: 1, selector: { master: 1 } }
+ selector: { master: 1 }
+ images:
+ - image: "centos/httpd-24-centos7"
+ mappings:
+ - { name: "etc", path: "apache2-kaas-centos", mount: "/etc/httpd" }
+ - { name: "www", path: "kaas", mount: "/opt/rh/httpd24/root/var/www/html" }
+ - { name: "log", path: "apache2-kaas", mount: "/var/log/httpd24" }
+ probes:
+ - { port: 8080, path: '/index.html' }
+ docker:
+ service: { host: "{{ katrin_node }}", ports: [ 80/8080, 443/8043 ] }
+ sched: { replicas: 1, selector: { master: 1 } }
+ selector: { master: 1 }
+ images:
+ - image: "httpd:2.2"
+ mappings:
+ - { name: "etc", path: "apache2-kaas-docker", mount: "/usr/local/apache2/conf" }
+ - { name: "www", path: "kaas", mount: "/usr/local/apache2/htdocs" }
+ - { name: "log", path: "apache2-kaas", mount: "/usr/local/apache2/logs" }
+ probes:
+ - { port: 8080, path: '/index.html' }
+
+
+
+
\ No newline at end of file
-- cgit v1.2.3
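Review bot: The `route/apache` entry in docs/samples/vars/run_oc.yml builds its route with `oc expose svc/kaas ...`, which produces a plain-HTTP route with no TLS termination, while the kaas service in variants.yml also maps 443/8043. If the sample is meant to be reachable over HTTPS, the entry needs a TLS route instead, along the lines of `oc create route passthrough apache --service=kaas --hostname=apache.{{ openshift_master_default_subdomain }}`. If plain HTTP is intended, a comment above the entry such as `# plain HTTP route; TLS is not configured here` would make the choice explicit for anyone copying the sample.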
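Review bot: Both image references in docs/samples/vars/variants.yml are mutable: `image: "centos/httpd-24-centos7"` has no tag and so resolves to `latest`, and `image: "httpd:2.2"` is a floating tag on the Apache 2.2 line, which upstream no longer maintains. For a pod that is published through a route, pin each image to an explicit version or digest, e.g. `image: "<repository>@sha256:<digest>"` (placeholder), and move the docker variant to a maintained 2.4 image so that security fixes remain available. The file also ends with four whitespace-only lines and no final newline, which can be trimmed.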