update flannel v0.19.2

example/config.yml

@@ -98,9 +98,8 @@ SYS_RESERVED_ENABLED: "no"
 FLANNEL_BACKEND: "vxlan"
 DIRECT_ROUTING: false
 
-# [flannel] flanneld_image: "quay.io/coreos/flannel:v0.10.0-amd64"
-flannelVer: "__flannel__"
-flanneld_image: "easzlab.io.local:5000/easzlab/flannel:{{ flannelVer }}"
+# [flannel] 
+flannel_ver: "__flannel__"
 
 # ------------------------------------------- calico
 # [calico] IPIP隧道模式可选项有: [Always, CrossSubnet, Never],跨子网可以配置为Always与CrossSubnet(公有云建议使用always比较省事，其他的话需要修改各自公有云的网络配置，具体可以参考各个公有云说明)

ezdown

@@ -16,7 +16,7 @@ set -o errexit
 DOCKER_VER=20.10.16
 KUBEASZ_VER=3.3.1
 K8S_BIN_VER=v1.25.0
-EXT_BIN_VER=1.2.1
+EXT_BIN_VER=1.2.2
 SYS_PKG_VER=0.4.3
 HARBOR_VER=v2.1.3
 REGISTRY_MIRROR=CN
@@ -25,14 +25,14 @@ REGISTRY_MIRROR=CN
 calicoVer=v3.23.3
 dnsNodeCacheVer=1.22.8
 corednsVer=1.9.3
-dashboardVer=v2.5.1
+dashboardVer=v2.6.1
 dashboardMetricsScraperVer=v1.0.8
 metricsVer=v0.5.2
 pauseVer=3.8
 
 # images not downloaded by default(only download  with '-X')
 ciliumVer=1.12.1
-flannelVer=v0.15.1
+flannelVer=v0.19.2
 nfsProvisionerVer=v4.0.2
 promChartVer=39.11.0
 
@@ -389,13 +389,16 @@ function get_extra_images() {
 
   # flannel
   if [[ ! -f "$imageDir/flannel_$flannelVer.tar" ]];then
-    docker pull "easzlab/flannel:$flannelVer" && \
-    docker save -o "$imageDir/flannel_$flannelVer.tar" "easzlab/flannel:$flannelVer"
+    docker pull "rancher/mirrored-flannelcni-flannel:$flannelVer" && \
+    docker pull "rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0" && \
+    docker save -o "$imageDir/flannel_$flannelVer.tar" "rancher/mirrored-flannelcni-flannel:$flannelVer" "rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0"
   else
     docker load -i "$imageDir/flannel_$flannelVer.tar"
   fi
-  docker tag "easzlab/flannel:$flannelVer" "easzlab.io.local:5000/easzlab/flannel:$flannelVer"
-  docker push "easzlab.io.local:5000/easzlab/flannel:$flannelVer"
+  docker tag "rancher/mirrored-flannelcni-flannel:$flannelVer" "easzlab.io.local:5000/flannelcni/flannel:$flannelVer"
+  docker push "easzlab.io.local:5000/flannelcni/flannel:$flannelVer"
+  docker tag "rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0" "easzlab.io.local:5000/flannelcni/flannel-cni-plugin:v1.1.0"
+  docker push "easzlab.io.local:5000/flannelcni/flannel-cni-plugin:v1.1.0"
 
   # nfs-provisioner
   if [[ ! -f "$imageDir/nfs-provisioner_$nfsProvisionerVer.tar" ]];then

roles/flannel/templates/kube-flannel.yaml.j2

@@ -1,60 +1,9 @@
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: psp.flannel.unprivileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-spec:
-  privileged: false
-  volumes:
-  - configMap
-  - secret
-  - emptyDir
-  - hostPath
-  allowedHostPaths:
-  - pathPrefix: "/etc/cni/net.d"
-  - pathPrefix: "/etc/kube-flannel"
-  - pathPrefix: "/run/flannel"
-  readOnlyRootFilesystem: false
-  # Users and groups
-  runAsUser:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
-  # Privilege Escalation
-  allowPrivilegeEscalation: false
-  defaultAllowPrivilegeEscalation: false
-  # Capabilities
-  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
-  defaultAddCapabilities: []
-  requiredDropCapabilities: []
-  # Host namespaces
-  hostPID: false
-  hostIPC: false
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  # SELinux
-  seLinux:
-    # SELinux is unused in CaaSP
-    rule: 'RunAsAny'
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: flannel
 rules:
-- apiGroups: ['policy']
-  resources: ['podsecuritypolicies']
-  verbs: ['use']
-  resourceNames: ['psp.flannel.unprivileged']
 - apiGroups:
   - ""
   resources:
@@ -168,8 +117,19 @@ spec:
         effect: NoSchedule
       serviceAccountName: flannel
       initContainers:
+      - name: install-cni-plugin
+        image: easzlab.io.local:5000/flannelcni/flannel-cni-plugin:v1.1.0
+        command:
+        - cp
+        args:
+        - -f
+        - /flannel
+        - /opt/cni/bin/flannel
+        volumeMounts:
+        - name: cni-plugin
+          mountPath: /opt/cni/bin
       - name: install-cni
-        image: {{ flanneld_image }} 
+        image: easzlab.io.local:5000/flannelcni/flannel:{{ flannel_ver }} 
         command:
         - cp
         args:
@@ -183,7 +143,7 @@ spec:
           mountPath: /etc/kube-flannel/
       containers:
       - name: kube-flannel
-        image: {{ flanneld_image }} 
+        image: easzlab.io.local:5000/flannelcni/flannel:{{ flannel_ver }}
         command:
         - /opt/bin/flanneld
         args:
@@ -209,15 +169,22 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: EVENT_QUEUE_DEPTH
+          value: "5000"
         volumeMounts:
         - name: run
           mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
       volumes:
       - name: run
         hostPath:
           path: /run/flannel
+      - name: cni-plugin
+        hostPath:
+          path: {{ bin_dir }}
       - name: cni
         hostPath:
           path: /etc/cni/net.d