easzlab
/
kubeasz
mirror of https://github.com/easzlab/kubeasz.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat: upgrade kube-ovn to 0.6.0

pull/649/head
MengxinLiu 2019-07-23 13:28:46 +08:00 committed by jmgao
parent 2830a3587b
commit effebf094b
6 changed files with 155 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
docs/setup/network-plugin/kube-ovn.md
View File

@ -14,6 +14,9 @@ kube-ovn 提供了针对企业应用场景下容器网络实用功能,并为
- 3.动态QoS;
- 4.分布式和集中式网关;
- 5.内嵌 LoadBalancer;
- 6.Pod IP对外直接暴露
- 7.流量镜像
- 8.IPv6
### kubeasz 集成安装 kube-ovn
@ -31,8 +34,10 @@ roles/kube-ovn
├── tasks
│   └── main.yml # 安装执行文件
└── templates
├── crd.yaml.j2 # crd 模板
├── kube-ovn.yaml.j2 # kube-ovn yaml 模板
└── ovn.yaml.j2 # ovn yaml 模板
```
安装成功后,可以验证所有 k8s 集群功能正常,查看集群的 pod 网络如下:
@ -63,7 +68,7 @@ kube-system metrics-server-6c898b5b8b-zvct2 1/1 Running 0
### 测试 namespace 子网分配
新建一个 namespace 测试分配一个新的 pod 子网
新建一个 subnet 并绑定 namespace 测试分配一个新的 pod 子网
```
# 创建一个 namespace: test-ns
@ -72,14 +77,28 @@ apiVersion: v1
kind: Namespace
metadata:
annotations:
ovn.kubernetes.io/cidr: 10.17.0.0/24
ovn.kubernetes.io/gateway: 10.17.0.1
ovn.kubernetes.io/logical_switch: test-ns-subnet
ovn.kubernetes.io/exclude_ips: "10.17.0.1..10.17.0.10"
name: test-ns
EOF
$ kubectl apply -f test-ns.yaml
# 创建一个 subnet: test-subnet 并绑定 namespace test-ns
$ cat > test-subnet.yaml << EOF
apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
name: test-subnet
spec:
protocol: IPv4
default: false
namespaces:
- test-ns
cidrBlock: 10.17.0.0/24
gateway: 10.17.0.1
excludeIps:
- 10.17.0.1..10.17.0.10
EOF
$ kubectl apply -f test-subnet.yaml
# 在 test-ns 中创建 nginx 部署
$ kubectl run -n test-ns nginx --image=nginx --replicas=2 --port=80 --expose

2
roles/kube-ovn/defaults/main.yml
View File

@ -2,4 +2,4 @@
OVN_DB_NODE: "{{ groups['kube-master'][0] }}"
# 离线镜像tar包
kube_ovn_offline: "kube_ovn_0.4.0.tar"
kube_ovn_offline: "kube_ovn_0.6.0.tar"

4
roles/kube-ovn/tasks/main.yml
View File

@ -5,6 +5,9 @@
- /opt/kube/images
- /opt/kube/kube-ovn
- name: 配置 crd.yaml 文件
template: src=crd.yaml.j2 dest=/opt/kube/kube-ovn/crd.yaml
- name: 配置 kube-ovn.yaml 文件
template: src=kube-ovn.yaml.j2 dest=/opt/kube/kube-ovn/kube-ovn.yaml
@ -51,6 +54,7 @@
# 只需单节点执行一次
- name: 运行 kube-ovn网络
shell: "{{ bin_dir }}/kubectl label node {{ OVN_DB_NODE }} kube-ovn/role=master --overwrite && \
{{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/crd.yaml && sleep 5 && \
{{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/ovn.yaml && sleep 5 && \
{{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/kube-ovn.yaml"
run_once: true

52
roles/kube-ovn/templates/crd.yaml.j2 100644
View File

@ -0,0 +1,52 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ips.kubeovn.io
spec:
group: kubeovn.io
version: v1
scope: Cluster
names:
plural: ips
singular: ip
kind: IP
shortNames:
- ip
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: subnets.kubeovn.io
spec:
group: kubeovn.io
version: v1
scope: Cluster
names:
plural: subnets
singular: subnet
kind: Subnet
shortNames:
- subnet
additionalPrinterColumns:
- name: Protocol
type: string
JSONPath: .spec.protocol
- name: CIDR
type: string
JSONPath: .spec.cidrBlock
- name: Private
type: boolean
JSONPath: .spec.private
- name: NAT
type: boolean
JSONPath: .spec.natOutgoing
validation:
openAPIV3Schema:
properties:
spec:
required: ["cidrBlock","gateway"]
properties:
cidrBlock:
type: "string"
gateway:
type: "string"

58
roles/kube-ovn/templates/kube-ovn.yaml.j2
View File

@ -8,7 +8,7 @@ metadata:
kubernetes.io/description: |
kube-ovn controller
spec:
replicas: 2
replicas: 1
selector:
matchLabels:
app: kube-ovn-controller
@ -38,12 +38,13 @@ spec:
hostNetwork: true
containers:
- name: kube-ovn-controller
image: "index.alauda.cn/alaudak8s/kube-ovn-controller:v0.4.0"
image: "index.alauda.cn/alaudak8s/kube-ovn-controller:v0.6.0"
imagePullPolicy: IfNotPresent
command:
- /kube-ovn/start-controller.sh
args:
- --default-cidr=10.16.0.0/16
- --default-gateway=10.16.0.1
- --node-switch-cidr=100.64.0.0/16
env:
- name: POD_NAME
@ -54,6 +55,30 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
readinessProbe:
exec:
command:
- nc
- -z
- -w3
- 127.0.0.1
- "10660"
periodSeconds: 3
livenessProbe:
exec:
command:
- nc
- -z
- -w3
- 127.0.0.1
- "10660"
initialDelaySeconds: 30
periodSeconds: 7
failureThreshold: 5
nodeSelector:
beta.kubernetes.io/os: "linux"
@ -87,7 +112,7 @@ spec:
hostPID: true
initContainers:
- name: install-cni
image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.4.0"
image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.6.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/install-cni.sh"]
volumeMounts:
@ -97,8 +122,13 @@ spec:
name: cni-bin
containers:
- name: cni-server
image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.4.0"
image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.6.0"
imagePullPolicy: IfNotPresent
command:
- sh
- /kube-ovn/start-cniserver.sh
args:
- --enable-mirror=false
securityContext:
runAsUser: 0
privileged: true
@ -114,6 +144,26 @@ spec:
volumeMounts:
- mountPath: /run/openvswitch
name: host-run-ovs
readinessProbe:
exec:
command:
- nc
- -z
- -w3
- 127.0.0.1
- "10665"
periodSeconds: 3
livenessProbe:
exec:
command:
- nc
- -z
- -w3
- 127.0.0.1
- "10665"
initialDelaySeconds: 30
periodSeconds: 7
failureThreshold: 5
nodeSelector:
beta.kubernetes.io/os: "linux"
volumes:

52
roles/kube-ovn/templates/ovn.yaml.j2
View File

@ -23,24 +23,36 @@ kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:ovn-reader
name: system:ovn
rules:
- apiGroups:
- "kubeovn.io"
resources:
- subnets
- ips
verbs:
- "*"
- apiGroups:
- ""
- extensions
resources:
- pods
- namespaces
- networkpolicies
- nodes
- configmaps
verbs:
- create
- get
- list
- watch
- patch
- update
- apiGroups:
- ""
- networking.k8s.io
resources:
- networkpolicies
- services
- endpoints
verbs:
- get
- list
@ -58,37 +70,9 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ovn-cluster-reader
roleRef:
name: cluster-reader
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: ovn
namespace: kube-ovn
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ovn-reader
roleRef:
name: system:ovn-reader
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: ovn
namespace: kube-ovn
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin-0
roleRef:
name: cluster-admin
name: system:ovn
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
@ -170,7 +154,7 @@ spec:
hostNetwork: true
containers:
- name: ovn-central
image: "index.alauda.cn/alaudak8s/kube-ovn-db:v0.4.0"
image: "index.alauda.cn/alaudak8s/kube-ovn-db:v0.6.0"
imagePullPolicy: IfNotPresent
env:
- name: POD_IP
@ -257,7 +241,7 @@ spec:
hostPID: true
containers:
- name: openvswitch
image: "index.alauda.cn/alaudak8s/kube-ovn-node:v0.4.0"
image: "index.alauda.cn/alaudak8s/kube-ovn-node:v0.6.0"
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 0