diff --git a/roles/kube-node/files/rbac.yaml b/roles/kube-node/files/rbac.yaml
new file mode 100644
index 0000000..e1398ef
--- /dev/null
+++ b/roles/kube-node/files/rbac.yaml
@@ -0,0 +1,41 @@
+# Calico Version v2.6.2
+# https://docs.projectcalico.org/v2.6/releases#v2.6.2
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-kube-controllers
+rules:
+  - apiGroups:
+    - ""
+    - extensions
+    resources:
+      - pods
+      - namespaces
+      - networkpolicies
+    verbs:
+      - watch
+      - list
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-kube-controllers
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-kube-controllers
+subjects:
+- kind: ServiceAccount
+  name: calico-kube-controllers
+  namespace: kube-system
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
diff --git a/roles/kube-node/tasks/main.yml b/roles/kube-node/tasks/main.yml
index c93274c..73d6400 100644
--- a/roles/kube-node/tasks/main.yml
+++ b/roles/kube-node/tasks/main.yml
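Review bot: The ClusterRole grants cluster-wide `list`/`watch` on pods, namespaces and `extensions` networkpolicies to the `calico-kube-controllers` ServiceAccount, and nothing in the file records that this read-only scope is deliberate, so a later maintainer widening it (adding `get`/`update`, or `nodes`) has nothing to check against. I would add under the version comment: `# Read-only (list/watch) access is all the kube-controllers pod needs; do not add write verbs or extra resources here without a matching upstream change.` The upstream Calico v2.6 rbac.yaml presumably also carries a `calico-node` role, which this trimmed copy omits — if calico-node in this role runs outside Kubernetes (systemd), a one-line comment saying so would explain the divergence from the linked upstream file. `rbac.authorization.k8s.io/v1beta1` is fine for the Kubernetes 1.6/1.7 era this targets; on 1.8+ the `v1` group is GA and preferable.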
@@ -104,3 +104,25 @@ - name: start-kube-proxy shell: systemctl restart kube-proxy + +##-------calico-kube-controllers部分---------------- +# +- name: 创建calico-kube-controllers目录 + tags: calico-controller + file: name=/root/local/kube-system/calico state=directory + +- name: 准备RBAC 配置文件 + tags: calico-controller + copy: src=rbac.yaml dest=/root/local/kube-system/calico/rbac.yaml + +- name: 准备calico-kube-controllers.yaml 文件 + tags: calico-controller + template: src=calico-kube-controllers.yaml.j2 dest=/root/local/kube-system/calico/calico-kube-controllers.yaml + +# 只需单节点执行一次,重复执行的报错可以忽略 +- name: 运行calico-kube-controllers + tags: calico-controller + shell: "{{ bin_dir }}/kubectl create -f /root/local/kube-system/calico/rbac.yaml && \ + {{ bin_dir }}/kubectl create -f /root/local/kube-system/calico/calico-kube-controllers.yaml" + when: NODE_ID is defined and NODE_ID == "node1" + ignore_errors: true diff --git a/roles/kube-node/templates/calico-kube-controllers.yaml.j2 b/roles/kube-node/templates/calico-kube-controllers.yaml.j2 new file mode 100644 index 0000000..57cbf1f --- /dev/null +++ b/roles/kube-node/templates/calico-kube-controllers.yaml.j2 
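Review bot: `ignore_errors: true` on the 运行calico-kube-controllers task hides every failure of the two `kubectl create` calls — a wrong `bin_dir`, an unreachable API server, or a manifest that fails validation all leave the play green — while the comment above it only intends to tolerate re-runs where the objects already exist. Since `kubectl apply` is idempotent, change the two calls to `{{ bin_dir }}/kubectl apply -f /root/local/kube-system/calico/rbac.yaml && \` and `{{ bin_dir }}/kubectl apply -f /root/local/kube-system/calico/calico-kube-controllers.yaml"` and drop `ignore_errors: true` (alternatively `register` the result and use a `failed_when` that only excuses an `AlreadyExists` in stderr). The `file`/`copy`/`template` tasks use `key=value` argument strings; the Ansible convention is native YAML (`file:` with `path:`/`state:` keys), which also makes it natural to set a `mode` on the new directory. The task list this hunk appends to starts above the hunk.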
@@ -0,0 +1,60 @@
+# Calico Version v2.6.2
+# https://docs.projectcalico.org/v2.6/releases#v2.6.2
+# This manifest includes the following component versions:
+#   calico/kube-controllers:v1.0.0
+
+# Create this manifest using kubectl to deploy
+# the Calico Kubernetes controllers.
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+  labels:
+    k8s-app: calico-kube-controllers
+spec:
+  # Only a single instance of the this pod should be
+  # active at a time. Since this pod is run as a Deployment,
+  # Kubernetes will ensure the pod is recreated in case of failure,
+  # removing the need for passive backups.
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      name: calico-kube-controllers
+      namespace: kube-system
+      labels:
+        k8s-app: calico-kube-controllers
+    spec:
+      hostNetwork: true
+      serviceAccountName: calico-kube-controllers
+      containers:
+        - name: calico-kube-controllers
+          #image: quay.io/calico/kube-controllers:v1.0.0
+          image: calico/kube-controllers:v1.0.0
+          env:
+            # Configure the location of your etcd cluster.
+            - name: ETCD_ENDPOINTS
+              value: "{{ ETCD_ENDPOINTS }}"
+            # Location of the CA certificate for etcd.
+            - name: ETCD_CA_CERT_FILE
+              value: "/calico-secrets/ca.pem"
+            # Location of the client key for etcd.
+            - name: ETCD_KEY_FILE
+              value: "/calico-secrets/etcd-key.pem"
+            # Location of the client certificate for etcd.
+            - name: ETCD_CERT_FILE
+              value: "/calico-secrets/etcd.pem"
+          volumeMounts:
+            # Mount in the etcd TLS secrets.
+            - mountPath: /calico-secrets
+              name: etcd-certs
+      volumes:
+        # Mount in the etcd TLS secrets.
+        - name: etcd-certs
+          hostPath:
+            path: /etc/calico/ssl
+
+---
+
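Review bot: The etcd client certificate and key are mounted from the node's `/etc/calico/ssl` via `hostPath`, but the `volumeMounts` entry is writable, so a compromised controller process (no `securityContext`, so likely root, on `hostNetwork`) could overwrite the node's etcd credentials; add `readOnly: true` beneath `mountPath: /calico-secrets`. Nothing pins where the Deployment schedules (no `nodeSelector`/tolerations), so the pod can land on any node, and with an untyped `hostPath` a missing `/etc/calico/ssl` presumably yields an empty directory and a crash-looping controller rather than a clear error; on Kubernetes 1.8+ `type: Directory` on the hostPath makes that fail fast, and a comment above `volumes:` stating that every node must carry the etcd client certs would help. This also diverges from the upstream manifest, which presumably sources these files from a Secret — with hostPath the etcd client key sits on every node's filesystem and is readable by any pod permitted to mount hostPath, which deserves a comment if it is an accepted trade-off. The `env` values are quoted, so `{{ ETCD_ENDPOINTS }}` renders safely as a string.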