diff --git a/example/config.yml b/example/config.yml
index 0eea35b..19e689b 100644
--- a/example/config.yml
+++ b/example/config.yml
@@ -98,9 +98,8 @@ SYS_RESERVED_ENABLED: "no"
 FLANNEL_BACKEND: "vxlan"
 DIRECT_ROUTING: false
-# [flannel] flanneld_image: "quay.io/coreos/flannel:v0.10.0-amd64"
-flannelVer: "__flannel__"
-flanneld_image: "easzlab.io.local:5000/easzlab/flannel:{{ flannelVer }}"
+# [flannel]
+flannel_ver: "__flannel__"
 # ------------------------------------------- calico
 # [calico] IPIP隧道模式可选项有: [Always, CrossSubnet, Never],跨子网可以配置为Always与CrossSubnet(公有云建议使用always比较省事,其他的话需要修改各自公有云的网络配置,具体可以参考各个公有云说明)
diff --git a/ezdown b/ezdown
index 3e6f162..f43eb68 100755
--- a/ezdown
+++ b/ezdown
@@ -16,7 +16,7 @@ set -o errexit
 DOCKER_VER=20.10.16
 KUBEASZ_VER=3.3.1
 K8S_BIN_VER=v1.25.0
-EXT_BIN_VER=1.2.1
+EXT_BIN_VER=1.2.2
 SYS_PKG_VER=0.4.3
 HARBOR_VER=v2.1.3
 REGISTRY_MIRROR=CN
@@ -25,14 +25,14 @@ REGISTRY_MIRROR=CN
 calicoVer=v3.23.3
 dnsNodeCacheVer=1.22.8
 corednsVer=1.9.3
-dashboardVer=v2.5.1
+dashboardVer=v2.6.1
 dashboardMetricsScraperVer=v1.0.8
 metricsVer=v0.5.2
 pauseVer=3.8
 # images not downloaded by default(only download with '-X')
 ciliumVer=1.12.1
-flannelVer=v0.15.1
+flannelVer=v0.19.2
 nfsProvisionerVer=v4.0.2
 promChartVer=39.11.0
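Review bot: Replacing the `flanneld_image` setting with a bare `flannel_ver` removes the only config-level override of the flannel image, and the kube-flannel.yaml.j2 hunks now spell `easzlab.io.local:5000/flannelcni/flannel:{{ flannel_ver }}` out twice (install-cni and kube-flannel) and `easzlab.io.local:5000/flannelcni/flannel-cni-plugin:v1.1.0` once, so anyone mirroring images to a different registry has to edit the template. Keep the images as variables with defaults derived from the version, e.g. `flanneld_image: "easzlab.io.local:5000/flannelcni/flannel:{{ flannel_ver }}"` and `flannel_cni_plugin_image: "easzlab.io.local:5000/flannelcni/flannel-cni-plugin:v1.1.0"`, and reference those from the template. Any other role or template that still reads `flanneld_image` will render an undefined variable after this hunk; that is worth a grep before merging.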
@@ -389,13 +389,16 @@ function get_extra_images() {
   # flannel
   if [[ ! -f "$imageDir/flannel_$flannelVer.tar" ]];then
-    docker pull "easzlab/flannel:$flannelVer" && \
-    docker save -o "$imageDir/flannel_$flannelVer.tar" "easzlab/flannel:$flannelVer"
+    docker pull "rancher/mirrored-flannelcni-flannel:$flannelVer" && \
+    docker pull "rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0" && \
+    docker save -o "$imageDir/flannel_$flannelVer.tar" "rancher/mirrored-flannelcni-flannel:$flannelVer" "rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0"
   else
     docker load -i "$imageDir/flannel_$flannelVer.tar"
   fi
-  docker tag "easzlab/flannel:$flannelVer" "easzlab.io.local:5000/easzlab/flannel:$flannelVer"
-  docker push "easzlab.io.local:5000/easzlab/flannel:$flannelVer"
+  docker tag "rancher/mirrored-flannelcni-flannel:$flannelVer" "easzlab.io.local:5000/flannelcni/flannel:$flannelVer"
+  docker push "easzlab.io.local:5000/flannelcni/flannel:$flannelVer"
+  docker tag "rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0" "easzlab.io.local:5000/flannelcni/flannel-cni-plugin:v1.1.0"
+  docker push "easzlab.io.local:5000/flannelcni/flannel-cni-plugin:v1.1.0"
   # nfs-provisioner
   if [[ ! -f "$imageDir/nfs-provisioner_$nfsProvisionerVer.tar" ]];then
diff --git a/roles/flannel/templates/kube-flannel.yaml.j2 b/roles/flannel/templates/kube-flannel.yaml.j2
index be5fc58..f60a478 100644
--- a/roles/flannel/templates/kube-flannel.yaml.j2
+++ b/roles/flannel/templates/kube-flannel.yaml.j2
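Review bot: The flannel-cni-plugin tag `v1.1.0` is a literal in four lines of this hunk (the second `docker pull`, the `docker save`, and the `docker tag`/`docker push` pair) while every other image in `ezdown` is versioned through a `*Ver` variable at the top of the script, and the same literal recurs in the kube-flannel.yaml.j2 hunks. Add `flannelCniPluginVer=v1.1.0` next to `flannelVer` and substitute `$flannelCniPluginVer` in these lines so a later bump touches one line and the template can be fed the same value. Both images are fetched from a third-party mirror by mutable tag and pushed into the local registry with no integrity check; pinning each pull to its digest (`rancher/mirrored-flannelcni-flannel:$flannelVer@sha256:<digest from the upstream release>`) is the usual mitigation. `get_extra_images` begins before this hunk, so the cached-tar path is only partly visible here.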
@@ -1,60 +1,9 @@
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: psp.flannel.unprivileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-spec:
-  privileged: false
-  volumes:
-  - configMap
-  - secret
-  - emptyDir
-  - hostPath
-  allowedHostPaths:
-  - pathPrefix: "/etc/cni/net.d"
-  - pathPrefix: "/etc/kube-flannel"
-  - pathPrefix: "/run/flannel"
-  readOnlyRootFilesystem: false
-  # Users and groups
-  runAsUser:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
-  # Privilege Escalation
-  allowPrivilegeEscalation: false
-  defaultAllowPrivilegeEscalation: false
-  # Capabilities
-  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
-  defaultAddCapabilities: []
-  requiredDropCapabilities: []
-  # Host namespaces
-  hostPID: false
-  hostIPC: false
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  # SELinux
-  seLinux:
-    # SELinux is unused in CaaSP
-    rule: 'RunAsAny'
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: flannel
 rules:
-- apiGroups: ['policy']
-  resources: ['podsecuritypolicies']
-  verbs: ['use']
-  resourceNames: ['psp.flannel.unprivileged']
 - apiGroups:
   - ""
   resources:
@@ -168,8 +117,19 @@ spec:
         effect: NoSchedule
       serviceAccountName: flannel
       initContainers:
+      - name: install-cni-plugin
+        image: easzlab.io.local:5000/flannelcni/flannel-cni-plugin:v1.1.0
+        command:
+        - cp
+        args:
+        - -f
+        - /flannel
+        - /opt/cni/bin/flannel
+        volumeMounts:
+        - name: cni-plugin
+          mountPath: /opt/cni/bin
       - name: install-cni
-        image: {{ flanneld_image }}
+        image: easzlab.io.local:5000/flannelcni/flannel:{{ flannel_ver }}
         command:
         - cp
         args:
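Review bot: Dropping the PodSecurityPolicy also drops the only place in this manifest that pinned the flannel pod to `privileged: false`, `allowPrivilegeEscalation: false` and exactly the `NET_ADMIN`/`NET_RAW` capability set; Pod Security Admission, which replaces PSP on the v1.25.0 target named by `K8S_BIN_VER` in the ezdown hunk, enforces per-namespace levels and does not carry those per-pod constraints over. Please confirm that the DaemonSet's securityContext (outside this hunk) still declares that capability set and that the namespace flannel runs in is labelled to a level that admits a `hostNetwork` pod with those capabilities. A one-line comment above `kind: ClusterRole` would spare the next reader the archaeology, e.g. `# PodSecurityPolicy removed: policy/v1beta1 no longer exists in Kubernetes 1.25; pod constraints now live in the DaemonSet securityContext and Pod Security Admission`.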
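Review bot: `install-cni-plugin` mounts the `cni-plugin` volume at `/opt/cni/bin`, and the volumes hunk further down backs that volume with `hostPath: {{ bin_dir }}`, so the pod receives a writable mount of the entire `bin_dir` directory in order to drop a single file, `flannel`; if `bin_dir` is also where other host binaries are installed (not visible in this diff), a compromised flannel container could overwrite them. Back the volume with a dedicated CNI plugin directory instead so the write surface is limited to the plugin itself. Note also that the copied file lands at `{{ bin_dir }}/flannel` on the host, not `/opt/cni/bin/flannel`, which only works if the container runtime's CNI bin directory is configured to point at `bin_dir`; please confirm that against the runtime config.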
@@ -183,7 +143,7 @@ spec:
           mountPath: /etc/kube-flannel/
       containers:
       - name: kube-flannel
-        image: {{ flanneld_image }}
+        image: easzlab.io.local:5000/flannelcni/flannel:{{ flannel_ver }}
         command:
         - /opt/bin/flanneld
         args:
@@ -209,15 +169,22 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+        - name: EVENT_QUEUE_DEPTH
+          value: "5000"
         volumeMounts:
         - name: run
           mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
       volumes:
       - name: run
         hostPath:
           path: /run/flannel
+      - name: cni-plugin
+        hostPath:
+          path: {{ bin_dir }}
       - name: cni
         hostPath:
           path: /etc/cni/net.d
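Review bot: The new `xtables-lock` volumeMount on `kube-flannel` has no matching entry under `volumes`: this hunk adds only `cni-plugin`, and the volumes list continues past the hunk, so unless a later hunk outside this view defines it the DaemonSet is rejected at admission for referencing an undefined volume. The definition belongs alongside the other hostPath volumes; `FileOrCreate` is the appropriate hostPath type since the lock file may not exist yet on a fresh node.
```yaml
      volumes:
      # … unchanged: run, cni-plugin, cni volumes …
      - name: xtables-lock
        hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
```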