kubespray/roles/network_plugin/canal/templates/canal-node.yaml.j2

293 lines
10 KiB
Plaintext
Raw Normal View History

---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: canal-node
namespace: kube-system
labels:
k8s-app: canal-node
spec:
selector:
matchLabels:
k8s-app: canal-node
template:
metadata:
labels:
k8s-app: canal-node
spec:
priorityClassName: system-node-critical
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: canal
tolerations:
- operator: Exists
# Mark pod as critical for rescheduling (Will have no effect starting with kubernetes 1.12)
- key: CriticalAddonsOnly
operator: "Exists"
volumes:
# Used by calico/node.
- name: lib-modules
hostPath:
path: /lib/modules
- name: var-lib-calico
hostPath:
path: /var/lib/calico
- name: var-run-calico
hostPath:
path: /var/run/calico
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
# Used by flannel daemon.
- name: run-flannel
hostPath:
path: /run/flannel
- name: resolv
hostPath:
path: /etc/resolv.conf
- name: "canal-certs"
hostPath:
path: "{{ canal_cert_dir }}"
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
{% if calico_version is version('v3.4.0', '>=') %}
initContainers:
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
command: ["/install-cni.sh"]
env:
# Name of the CNI config file to create.
- name: CNI_CONF_NAME
value: "10-canal.conflist"
# Install CNI binaries
- name: UPDATE_CNI_BINARIES
value: "true"
# The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG_FILE
value: "/host/etc/cni/net.d/canal.conflist.template"
# Prevents the container from sleeping forever.
- name: SLEEP
value: "false"
volumeMounts:
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
{% endif %}
containers:
{% if calico_version is version('v3.3.0', '>=') and calico_version is version('v3.4.0', '<') %}
- name: install-cni
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
command: ["/install-cni.sh"]
env:
# Name of the CNI config file to create.
- name: CNI_CONF_NAME
value: "10-canal.conflist"
# Install CNI binaries
- name: UPDATE_CNI_BINARIES
value: "true"
# The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG_FILE
value: "/host/etc/cni/net.d/canal.conflist.template"
volumeMounts:
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
{% endif %}
# Runs the flannel daemon to enable vxlan networking between
# container hosts.
- name: flannel
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
resources:
limits:
cpu: {{ flannel_cpu_limit }}
memory: {{ flannel_memory_limit }}
requests:
cpu: {{ flannel_cpu_requests }}
memory: {{ flannel_memory_requests }}
env:
# Cluster name
- name: CLUSTER_NAME
valueFrom:
configMapKeyRef:
name: canal-config
key: cluster_name
# The location of the etcd cluster.
- name: FLANNELD_ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_endpoints
# The interface flannel should run on.
- name: FLANNELD_IFACE
valueFrom:
configMapKeyRef:
name: canal-config
key: flanneld_iface
# Perform masquerade on traffic leaving the pod cidr.
- name: FLANNELD_IP_MASQ
valueFrom:
configMapKeyRef:
name: canal-config
key: masquerade
# Set etcd-prefix
- name: DOCKER_OPT_ETCD_PREFIX
value: "-etcd-prefix=/$(CLUSTER_NAME)/network"
# Write the subnet.env file to the mounted directory.
- name: FLANNELD_SUBNET_FILE
value: "/run/flannel/subnet.env"
# Etcd SSL vars
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cafile
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_certfile
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_keyfile
command:
- "/bin/sh"
- "-c"
- "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network -etcd-cafile $(ETCD_CA_CERT_FILE) -etcd-certfile $(ETCD_CERT_FILE) -etcd-keyfile $(ETCD_KEY_FILE)"
ports:
- hostPort: 10253
containerPort: 10253
securityContext:
privileged: true
volumeMounts:
- name: "resolv"
mountPath: "/etc/resolv.conf"
- name: "run-flannel"
mountPath: "/run/flannel"
- name: "canal-certs"
mountPath: "{{ canal_cert_dir }}"
readOnly: true
- name: xtables-lock
mountPath: /run/xtables.lock
readOnly: false
# Runs calico/node container on each Kubernetes node. This
# container programs network policy and local routes on each
# host.
- name: calico-node
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
resources:
limits:
cpu: {{ calico_node_cpu_limit }}
memory: {{ calico_node_memory_limit }}
requests:
cpu: {{ calico_node_cpu_requests }}
memory: {{ calico_node_memory_requests }}
env:
# The location of the etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_endpoints
# Disable Calico BGP. Calico is simply enforcing policy.
- name: CALICO_NETWORKING_BACKEND
value: "none"
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
value: "kubespray,canal"
# Disable file logging so `kubectl logs` works.
- name: CALICO_DISABLE_FILE_LOGGING
value: "true"
# Set noderef for node controller.
- name: CALICO_K8S_NODE_REF
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: FELIX_HEALTHENABLED
value: "true"
# Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
# this is not required in later versions https://github.com/projectcalico/calico/issues/2179
{% if calico_version is version('v3.2.1', '<') %}
- name: FELIX_IPTABLESLOCKTIMEOUTSECS
value: "10"
{% endif %}
# Disable IPv6 on Kubernetes.
- name: FELIX_IPV6SUPPORT
value: "false"
# Etcd SSL vars
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cafile
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_certfile
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_keyfile
- name: NODENAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
privileged: true
livenessProbe:
httpGet:
host: 127.0.0.1
path: /liveness
port: 9099
periodSeconds: 10
initialDelaySeconds: 5
failureThreshold: 6
readinessProbe:
{% if calico_version is version('v3.3.0', '<')%}
httpGet:
host: 127.0.0.1
path: /readiness
port: 9099
{% else %}
exec:
command:
- /bin/calico-node
- -felix-ready
{% endif %}
periodSeconds: 10
volumeMounts:
- mountPath: /lib/modules
name: lib-modules
readOnly: true
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /var/lib/calico
name: var-lib-calico
readOnly: false
- name: "canal-certs"
mountPath: "{{ canal_cert_dir }}"
readOnly: true
- name: xtables-lock
mountPath: /run/xtables.lock
readOnly: false
updateStrategy:
rollingUpdate:
maxUnavailable: {{ serial | default('20%') }}
type: RollingUpdate