appuio · simu · May 30, 2024
@@ -15,5 +15,6 @@ parameters:
           - openshift4-nodes/component/oc-debug-node.jsonnet
           - openshift4-nodes/component/aggregated-clusterroles.jsonnet
           - openshift4-nodes/component/egress-interfaces.jsonnet
+          - openshift4-nodes/component/ip-monitor-daemonset.jsonnet
         input_type: jsonnet
         output_path: openshift4-nodes/
@@ -0,0 +1,77 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+
+local inv = kap.inventory();
+local params = inv.parameters.openshift4_nodes;
+
+local command = 'ip -ts monitor address link mroute netconf nexthop nsid prefix route rule';
+
+// what do we need:
+// namespace
+// serviceaccount
+// rolebinding for scc hostnetwork
+// daemonset which has hostNetwork: true and which runs the comment
+
+local namespace = 'appuio-ip-monitor';
+
+local ns = kube.Namespace('appuio-ip-monitor') {
+  metadata+: {
+    annotations+: {
+      'openshift.io/node-selector': '',
+    },
+    labels+: {
+      'openshift.io/cluster-monitoring': 'true',
+    },
+  },
+};
+
+local sa = kube.ServiceAccount('ip-monitor') {
+  metadata+: {
+    namespace: namespace,
+  },
+};
+
+local sccRoleBinding = kube.RoleBinding('ip-monitor-scc-hostnetwork') {
+  metadata+: {
+    namespace: namespace,
+  },
+  subjects_: [ sa ],
+  roleRef: {
+    kind: 'ClusterRole',
+    name: 'system:openshift:scc:hostnetwork-v2',
+  },
+};
+
+local ds = kube.DaemonSet('ip-monitor') {
+  metadata+: {
+    namespace: namespace,
+  },
+  spec+: {
+    template+: {
+      spec+: {
+        containers_+: {
+          ipmon: kube.Container('ip-monitor') {
+            image: 'image-registry.openshift-image-registry.svc:5000/openshift/tools:latest',
+            command: [ '/bin/sh', '-c', 'trap : TERM INT; %s & wait' % command ],
+          },
+        },
+        hostNetwork: true,
+        priorityClassName: 'system-node-critical',
+        // run on all nodes
+        tolerations: [
+          { operator: 'Exists' },
+        ],
+        serviceAccountName: sa.metadata.name,
+      },
+    },
+  },
+};
+
+{
+  '40_ip_monitor': [
+    ns,
+    sa,
+    sccRoleBinding,
+    ds,
+  ],
+}
@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/node-selector: ''
+  labels:
+    name: appuio-ip-monitor
+    openshift.io/cluster-monitoring: 'true'
+  name: appuio-ip-monitor
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations: {}
+  labels:
+    name: ip-monitor
+  name: ip-monitor
+  namespace: appuio-ip-monitor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: ip-monitor-scc-hostnetwork
+  name: ip-monitor-scc-hostnetwork
+  namespace: appuio-ip-monitor
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:hostnetwork-v2
+subjects:
+  - kind: ServiceAccount
+    name: ip-monitor
+    namespace: appuio-ip-monitor
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  annotations: {}
+  labels:
+    name: ip-monitor
+  name: ip-monitor
+  namespace: appuio-ip-monitor
+spec:
+  selector:
+    matchLabels:
+      name: ip-monitor
+  template:
+    metadata:
+      annotations: {}
+      labels:
+        name: ip-monitor
+    spec:
+      containers:
+        - args: []
+          command:
+            - /bin/sh
+            - -c
+            - 'trap : TERM INT; ip -ts monitor address link mroute netconf nexthop
+              nsid prefix route rule & wait'
+          env: []
+          image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest
+          imagePullPolicy: Always
+          name: ip-monitor
+          ports: []
+          stdin: false
+          tty: false
+          volumeMounts: []
+      hostNetwork: true
+      imagePullSecrets: []
+      initContainers: []
+      priorityClassName: system-node-critical
+      serviceAccountName: ip-monitor
+      terminationGracePeriodSeconds: 30
+      tolerations:
+        - operator: Exists
+      volumes: []
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/node-selector: ''
+  labels:
+    name: appuio-ip-monitor
+    openshift.io/cluster-monitoring: 'true'
+  name: appuio-ip-monitor
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations: {}
+  labels:
+    name: ip-monitor
+  name: ip-monitor
+  namespace: appuio-ip-monitor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: ip-monitor-scc-hostnetwork
+  name: ip-monitor-scc-hostnetwork
+  namespace: appuio-ip-monitor
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:hostnetwork-v2
+subjects:
+  - kind: ServiceAccount
+    name: ip-monitor
+    namespace: appuio-ip-monitor
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  annotations: {}
+  labels:
+    name: ip-monitor
+  name: ip-monitor
+  namespace: appuio-ip-monitor
+spec:
+  selector:
+    matchLabels:
+      name: ip-monitor
+  template:
+    metadata:
+      annotations: {}
+      labels:
+        name: ip-monitor
+    spec:
+      containers:
+        - args: []
+          command:
+            - /bin/sh
+            - -c
+            - 'trap : TERM INT; ip -ts monitor address link mroute netconf nexthop
+              nsid prefix route rule & wait'
+          env: []
+          image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest
+          imagePullPolicy: Always
+          name: ip-monitor
+          ports: []
+          stdin: false
+          tty: false
+          volumeMounts: []
+      hostNetwork: true
+      imagePullSecrets: []
+      initContainers: []
+      priorityClassName: system-node-critical
+      serviceAccountName: ip-monitor
+      terminationGracePeriodSeconds: 30
+      tolerations:
+        - operator: Exists
+      volumes: []
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/node-selector: ''
+  labels:
+    name: appuio-ip-monitor
+    openshift.io/cluster-monitoring: 'true'
+  name: appuio-ip-monitor
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations: {}
+  labels:
+    name: ip-monitor
+  name: ip-monitor
+  namespace: appuio-ip-monitor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: ip-monitor-scc-hostnetwork
+  name: ip-monitor-scc-hostnetwork
+  namespace: appuio-ip-monitor
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:hostnetwork-v2
+subjects:
+  - kind: ServiceAccount
+    name: ip-monitor
+    namespace: appuio-ip-monitor
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  annotations: {}
+  labels:
+    name: ip-monitor
+  name: ip-monitor
+  namespace: appuio-ip-monitor
+spec:
+  selector:
+    matchLabels:
+      name: ip-monitor
+  template:
+    metadata:
+      annotations: {}
+      labels:
+        name: ip-monitor
+    spec:
+      containers:
+        - args: []
+          command:
+            - /bin/sh
+            - -c
+            - 'trap : TERM INT; ip -ts monitor address link mroute netconf nexthop
+              nsid prefix route rule & wait'
+          env: []
+          image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest
+          imagePullPolicy: Always
+          name: ip-monitor
+          ports: []
+          stdin: false
+          tty: false
+          volumeMounts: []
+      hostNetwork: true
+      imagePullSecrets: []
+      initContainers: []
+      priorityClassName: system-node-critical
+      serviceAccountName: ip-monitor
+      terminationGracePeriodSeconds: 30
+      tolerations:
+        - operator: Exists
+      volumes: []
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate