diff --git a/99.clean.yml b/99.clean.yml index 27d5af0..c7f6241 100644 --- a/99.clean.yml +++ b/99.clean.yml @@ -84,6 +84,7 @@ - "/run/flannel/" - "/etc/calico/" - "/var/run/calico/" + - "/var/lib/calico/" - "/var/log/calico/" - "/etc/cilium/" - "/var/run/cilium/" diff --git a/roles/calico/defaults/main.yml b/roles/calico/defaults/main.yml index 75529f1..fbf3d4b 100644 --- a/roles/calico/defaults/main.yml +++ b/roles/calico/defaults/main.yml @@ -1,6 +1,6 @@ # 部分calico相关配置,更全配置可以去roles/calico/templates/calico.yaml.j2自定义 -# 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能,条件限制详见 05.安装calico网络组件.md +# 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能,条件限制详见 docs/06.calico.md CALICO_IPV4POOL_IPIP: "always" # 设置 Felix 日志级别 @@ -11,9 +11,9 @@ FELIX_LOG_LVL: "warning" IP_AUTODETECTION_METHOD: "can-reach={{ MASTER_IP }}" # 镜像版本 -calico_node_ver: "v3.0.6" -calico_cni_ver: "v2.0.5" -calico_kube_controller_ver: "v2.0.4" +calico_node_ver: "v3.1.3" +calico_cni_ver: "v3.1.3" +calico_kube_controller_ver: "v3.1.3" # 离线镜像tar包 calico_offline: "calico_{{ calico_node_ver }}.tar" diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml index 3566205..e47ba09 100644 --- a/roles/calico/tasks/main.yml +++ b/roles/calico/tasks/main.yml @@ -6,9 +6,6 @@ - /opt/kube/kube-system/calico - /opt/kube/images -- name: 复制CA 证书到calico 证书目录 - shell: "cp {{ ca_dir }}/ca.pem /etc/calico/ssl/ca.pem" - - name: 创建calico 证书请求 template: src=calico-csr.json.j2 dest=/etc/calico/ssl/calico-csr.json 
@@ -19,9 +16,14 @@ -config={{ ca_dir }}/ca-config.json \ -profile=kubernetes calico-csr.json | {{ bin_dir }}/cfssljson -bare calico" -# 因官方calico.yaml文件中使用特定的证书名,所以要重命名 -- name: 重命名相关证书 - shell: "cd /etc/calico/ssl && cp ca.pem etcd-ca && cp calico.pem etcd-cert && cp calico-key.pem etcd-key" +- name: 创建 calico-etcd-secrets + shell: "cd /etc/calico/ssl && \ + {{ bin_dir }}/kubectl create secret generic -n kube-system calico-etcd-secrets \ + --from-file=etcd-ca={{ ca_dir }}/ca.pem \ + --from-file=etcd-key=calico-key.pem \ + --from-file=etcd-cert=calico.pem" + ignore_errors: true + run_once: true - name: 准备 calico DaemonSet yaml文件 template: src=calico.yaml.j2 dest=/opt/kube/kube-system/calico/calico.yaml diff --git a/roles/calico/templates/calico-rbac.yaml.j2 b/roles/calico/templates/calico-rbac.yaml.j2 index 6cd21e7..09fa476 100644 --- a/roles/calico/templates/calico-rbac.yaml.j2 +++ b/roles/calico/templates/calico-rbac.yaml.j2 @@ -1,10 +1,10 @@ -# Calico Version v2.6.5 -# https://docs.projectcalico.org/v2.6/releases#v2.6.5 +# Calico Version v3.1.3 +# https://docs.projectcalico.org/v3.1/releases#v3.1.3 --- kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 +apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: calico-kube-controllers rules: @@ -19,9 +19,16 @@ rules: verbs: - watch - list + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - watch + - list --- kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 +apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: calico-kube-controllers roleRef: @@ -36,7 +43,7 @@ subjects: --- kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 +apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: calico-node rules: @@ -49,7 +56,7 @@ rules: --- -apiVersion: rbac.authorization.k8s.io/v1 +apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: calico-node 
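Review bot: `ignore_errors: true` on the new `创建 calico-etcd-secrets` task hides every failure of the kubectl call, not only the "already exists" case, so an unreachable apiserver or a typo in the `--from-file` paths leaves the cluster without the Secret and the calico-node DaemonSet that mounts `calico-etcd-secrets` later hangs in ContainerCreating with nothing in the playbook output to explain it. Tolerate only the expected error: replace `ignore_errors: true` with `register: calico_secret` and `failed_when: calico_secret.rc != 0 and 'AlreadyExists' not in calico_secret.stderr`. A re-run after the etcd certificates were regenerated also never updates the existing Secret; piping `kubectl create secret generic ... --dry-run -o yaml` into `{{ bin_dir }}/kubectl apply -f -` instead of a bare create would make the task converge on repeated runs. The enclosing task list continues outside this hunk.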
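Review bot: The ClusterRole and ClusterRoleBinding objects move from `rbac.authorization.k8s.io/v1` back to `v1beta1` in this hunk and in the three `apiVersion` hunks that follow in the same file; `v1` has been the GA RBAC API since Kubernetes 1.8 and `v1beta1` is deprecated, so this is a regression unless the playbook still targets pre-1.8 clusters, which nothing on the page suggests. The downgrade presumably comes from copying the upstream v3.1 rbac manifest verbatim; keep `apiVersion: rbac.authorization.k8s.io/v1` in all four objects — the new read-only `networkpolicies` rule (`networking.k8s.io`, `watch`/`list`) works identically under `v1`.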
@@ -61,4 +68,3 @@ subjects:
 - kind: ServiceAccount
 name: calico-node
 namespace: kube-system
-
diff --git a/roles/calico/templates/calico.yaml.j2 b/roles/calico/templates/calico.yaml.j2
index ef8d802..371ff9e 100644
--- a/roles/calico/templates/calico.yaml.j2
+++ b/roles/calico/templates/calico.yaml.j2
@@ -1,5 +1,5 @@
-# Calico Version {{ calico_node_ver }}
-# https://docs.projectcalico.org/v3.0/releases#{{ calico_node_ver }}
+# Calico Version {{ calico_node_ver }}
+# https://docs.projectcalico.org/v3.1/releases#{{ calico_node_ver }}
 # This manifest includes the following component versions:
 # calico/node:{{ calico_node_ver }}
 # calico/cni:{{ calico_cni_ver }}
@@ -13,7 +13,7 @@ metadata:
 namespace: kube-system
 data:
 # Configure this with the location of your etcd cluster.
- etcd_endpoints: "{{ ETCD_ENDPOINTS }}"
+ etcd_endpoints: "{{ ETCD_ENDPOINTS }}"
 
 # Configure the Calico backend to use.
 calico_backend: "bird"
@@ -25,22 +25,22 @@ data:
 "cniVersion": "0.3.0",
 "plugins": [
 {
- "type": "calico",
- "etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
- "etcd_key_file": "/etc/calico/ssl/calico-key.pem",
- "etcd_cert_file": "/etc/calico/ssl/calico.pem",
- "etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
- "log_level": "warning",
- "mtu": 1500,
- "ipam": {
- "type": "calico-ipam"
- },
- "policy": {
- "type": "k8s"
- },
- "kubernetes": {
- "kubeconfig": "/root/.kube/config"
- }
+ "type": "calico",
+ "etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
+ "etcd_key_file": "/etc/calico/ssl/calico-key.pem",
+ "etcd_cert_file": "/etc/calico/ssl/calico.pem",
+ "etcd_ca_cert_file": "/etc/kubernetes/ssl/ca.pem",
+ "log_level": "warning",
+ "mtu": 1500,
+ "ipam": {
+ "type": "calico-ipam"
+ },
+ "policy": {
+ "type": "k8s"
+ },
+ "kubernetes": {
+ "kubeconfig": "/root/.kube/config"
+ }
 },
 {
 "type": "portmap",
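Review bot: In the CNI config hunk `etcd_ca_cert_file` is now the hard-coded `/etc/kubernetes/ssl/ca.pem`, while the secret-creation task in roles/calico/tasks/main.yml reads the same CA from `{{ ca_dir }}/ca.pem` and the key and cert next to it still come from `/etc/calico/ssl`; if `ca_dir` is ever overridden, calico-node validates etcd with the right CA but the CNI plugin fails TLS verification at pod creation time, which is painful to trace. Use the variable here as well, `"etcd_ca_cert_file": "{{ ca_dir }}/ca.pem",` — the template is rendered by the same role, so `ca_dir` should be in scope exactly as it is for the task. The remaining lines of that hunk are a re-indentation of unchanged entries.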
@@ -52,12 +52,17 @@ data:
 
 # If you're using TLS enabled etcd uncomment the following.
 # You must also populate the Secret below with these files.
- etcd_ca: "/calico-secrets/etcd-ca"
+ etcd_ca: "/calico-secrets/etcd-ca"
 etcd_cert: "/calico-secrets/etcd-cert"
 etcd_key: "/calico-secrets/etcd-key"
 
 ---
 
+# We use cmd-line-way( kubectl create) to create secrets 'calico-etcd-secrets',
+# refer to 'roles/calico/tasks/main.yml' for details.
+
+---
+
 # This manifest installs the calico/node container, as well
 # as the Calico CNI plugins and network config on
 # each master and worker node in a Kubernetes cluster.
@@ -102,7 +107,6 @@ spec:
 # container programs network policy and routes on each
 # host.
 - name: calico-node
- #image: quay.io/calico/node:{{ calico_node_ver }}
 image: calico/node:{{ calico_node_ver }}
 env:
 # The location of the Calico etcd cluster.
@@ -131,7 +135,9 @@ spec:
 # Set Felix endpoint to host default action to ACCEPT.
 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
 value: "ACCEPT"
- # Configure the IP Pool from which Pod IPs will be chosen.
+ # The default IPv4 pool to create on startup if none exists. Pod IPs will be
+ # chosen from this range. Changing this value after installation will have
+ # no effect. This should fall within `--cluster-cidr`.
 - name: CALICO_IPV4POOL_CIDR
 value: "{{ CLUSTER_CIDR }}"
 - name: CALICO_IPV4POOL_IPIP
@@ -139,9 +145,9 @@ spec:
 # Disable IPv6 on Kubernetes.
 - name: FELIX_IPV6SUPPORT
 value: "false"
- # Set Felix logging to "warning"
+ # Set Felix logging
 - name: FELIX_LOGSEVERITYSCREEN
- value: {{ FELIX_LOG_LVL }}
+ value: "{{ FELIX_LOG_LVL }}"
 # Set MTU for tunnel device used if ipip is enabled
 - name: FELIX_IPINIPMTU
 value: "1440"
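Review bot: The comment added in the first hunk ("We use cmd-line-way( kubectl create) ...") reads awkwardly and omits the one fact a reader needs: the ConfigMap entries `etcd_ca`, `etcd_cert` and `etcd_key` resolve to `/calico-secrets/etcd-ca`, `/calico-secrets/etcd-cert` and `/calico-secrets/etcd-key`, so the Secret must carry exactly those three key names. Suggest `# The Secret 'calico-etcd-secrets' (keys etcd-ca, etcd-cert, etcd-key) is not declared here; it is created with kubectl in roles/calico/tasks/main.yml.` The extra `---` introduced around the comment yields a document containing only comments, which kubectl appears to tolerate, but placing the comment directly under the existing `---` avoids the question entirely.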
@@ -194,12 +200,14 @@ spec:
 - mountPath: /var/run/calico
 name: var-run-calico
 readOnly: false
+ - mountPath: /var/lib/calico
+ name: var-lib-calico
+ readOnly: false
 - mountPath: /calico-secrets
 name: etcd-certs
 # This container installs the Calico CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
- #image: quay.io/calico/cni:{{ calico_cni_ver }}
 image: calico/cni:{{ calico_cni_ver }}
 command: ["/install-cni.sh"]
 env:
@@ -233,6 +241,9 @@ spec:
 - name: var-run-calico
 hostPath:
 path: /var/run/calico
+ - name: var-lib-calico
+ hostPath:
+ path: /var/lib/calico
 # Used to install CNI.
 - name: cni-bin-dir
 hostPath:
@@ -240,10 +251,12 @@ spec:
 - name: cni-net-dir
 hostPath:
 path: /etc/cni/net.d
- # Mount in the etcd TLS secrets.
+ # Mount in the etcd TLS secrets with mode 400.
+ # See https://kubernetes.io/docs/concepts/configuration/secret/
 - name: etcd-certs
- hostPath:
- path: /etc/calico/ssl
+ secret:
+ secretName: calico-etcd-secrets
+ defaultMode: 0400
 
 ---
 
@@ -258,9 +271,6 @@ metadata:
 k8s-app: calico-kube-controllers
 annotations:
 scheduler.alpha.kubernetes.io/critical-pod: ''
- scheduler.alpha.kubernetes.io/tolerations: |
- [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
- {"key":"CriticalAddonsOnly", "operator":"Exists"}]
 spec:
 # The controllers can only have a single active instance.
 replicas: 1
@@ -279,10 +289,15 @@ spec:
 # The controllers must run in the host network namespace so that
 # it isn't governed by policy that would prevent it from working.
 hostNetwork: true
+ tolerations:
+ # Mark the pod as a critical add-on for rescheduling.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
 serviceAccountName: calico-kube-controllers
 containers:
 - name: calico-kube-controllers
- #image: quay.io/calico/kube-controllers:{{ calico_kube_controller_ver }}
 image: calico/kube-controllers:{{ calico_kube_controller_ver }}
 env:
 # The location of the Calico etcd cluster.
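Review bot: In the `@@ -240,10 +251,12 @@` hunk `defaultMode: 0400` relies on the YAML loader treating a leading zero as octal (256 decimal); kubectl's loader does, but a YAML 1.2 parser or a JSON round-trip reads it as 400 decimal, i.e. mode 0620, which is why the Kubernetes Secret documentation spells the value as `256` for 0400. Writing `defaultMode: 256` here and in the matching `etcd-certs` volume of the calico-kube-controllers Deployment (the `@@ -322,10 +337,12 @@` hunk) removes the ambiguity; the switch from a hostPath to a Secret volume is otherwise a clear improvement. It also makes both pods depend on `calico-etcd-secrets` existing in kube-system before the manifests are applied, which is worth stating in the comment because the creating task in roles/calico/tasks/main.yml runs with `ignore_errors: true`.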
@@ -312,7 +327,7 @@ spec: # Choose which controllers to run. - name: ENABLED_CONTROLLERS value: policy,profile,workloadendpoint,node - # 多网卡服务器需要设置以下2个环境变量 + # if hosts have multiple net interfaces, set following two ENVs - name: KUBERNETES_SERVICE_HOST value: "{{ MASTER_IP }}" - name: KUBERNETES_SERVICE_PORT @@ -322,10 +337,12 @@ spec: - mountPath: /calico-secrets name: etcd-certs volumes: - # Mount in the etcd TLS secrets. + # Mount in the etcd TLS secrets with mode 400. + # See https://kubernetes.io/docs/concepts/configuration/secret/ - name: etcd-certs - hostPath: - path: /etc/calico/ssl + secret: + secretName: calico-etcd-secrets + defaultMode: 0400 --- diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml index 3340e8c..58dab9a 100644 --- a/roles/deploy/tasks/main.yml +++ b/roles/deploy/tasks/main.yml @@ -119,4 +119,5 @@ # 兼容ansible执行节点与deploy节点分离情况 - name: 复制 manifests至 deploy节点 - copy: src={{ base_dir }}/manifests dest={{ base_dir }}/manifests + copy: src={{ base_dir }}/manifests dest={{ base_dir }} + when: "ansible_env['SSH_CLIENT'].split(' ')[0] != inventory_hostname"
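Review bot: The new `when:` in the roles/deploy/tasks/main.yml hunk indexes `ansible_env['SSH_CLIENT']` directly, so on a deploy host reached with `ansible_connection: local`, or through a login environment that strips `SSH_CLIENT`, the variable is undefined and the task errors out instead of being skipped. Guard it: `when: "ansible_env.SSH_CLIENT is defined and ansible_env.SSH_CLIENT.split(' ')[0] != inventory_hostname"`. Comparing the SSH client address with `inventory_hostname` also presumably only works when the inventory lists IP addresses rather than hostnames; a short comment saying so next to the existing 兼容 comment would save the next reader a debugging round.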