kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[kube-ovn] update version to 1.12.21 (#11445) 

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
pull/11452/head
Mengxin Liu 2024-08-15 21:39:18 +08:00 committed by GitHub
parent ce9ba9a8bf
commit 390d74706c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 1553 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -170,7 +170,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [calico](https://github.com/projectcalico/calico) v3.27.3 - [calico](https://github.com/projectcalico/calico) v3.27.3
- [cilium](https://github.com/cilium/cilium) v1.15.4 - [cilium](https://github.com/cilium/cilium) v1.15.4
- [flannel](https://github.com/flannel-io/flannel) v0.22.0 - [flannel](https://github.com/flannel-io/flannel) v0.22.0
- [kube-ovn](https://github.com/alauda/kube-ovn) v1.11.5 - [kube-ovn](https://github.com/alauda/kube-ovn) v1.12.21
- [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0 - [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0
- [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8 - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8
- [weave](https://github.com/rajch/weave) v2.8.7 - [weave](https://github.com/rajch/weave) v2.8.7

4
roles/kubespray-defaults/defaults/main/download.yml
View File

@ -120,7 +120,7 @@ cilium_version: "v1.15.4"
cilium_cli_version: "v0.16.0" cilium_cli_version: "v0.16.0"
cilium_enable_hubble: false cilium_enable_hubble: false
kube_ovn_version: "v1.11.5" kube_ovn_version: "v1.12.21"
kube_ovn_dpdk_version: "19.11-{{ kube_ovn_version }}" kube_ovn_dpdk_version: "19.11-{{ kube_ovn_version }}"
kube_router_version: "v2.0.0" kube_router_version: "v2.0.0"
multus_version: "v3.8" multus_version: "v3.8"
@ -275,6 +275,8 @@ cilium_hubble_envoy_image_repo: "{{ docker_image_repo }}/envoyproxy/envoy"
cilium_hubble_envoy_image_tag: "v1.22.5" cilium_hubble_envoy_image_tag: "v1.22.5"
kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn" kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"
kube_ovn_container_image_tag: "{{ kube_ovn_version }}" kube_ovn_container_image_tag: "{{ kube_ovn_version }}"
kube_ovn_vpc_container_image_repo: "{{ docker_image_repo }}/kubeovn/vpc-nat-gateway"
kube_ovn_vpc_container_image_tag: "{{ kube_ovn_version }}"
kube_ovn_dpdk_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn-dpdk" kube_ovn_dpdk_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn-dpdk"
kube_ovn_dpdk_container_image_tag: "{{ kube_ovn_dpdk_version }}" kube_ovn_dpdk_container_image_tag: "{{ kube_ovn_dpdk_version }}"
kube_router_image_repo: "{{ docker_image_repo }}/cloudnativelabs/kube-router" kube_router_image_repo: "{{ docker_image_repo }}/cloudnativelabs/kube-router"

1110
roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2
View File

File diff suppressed because it is too large Load Diff

325
roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2
View File

@ -1,4 +1,190 @@
--- ---
kind: ConfigMap
apiVersion: v1
metadata:
name: ovn-vpc-nat-config
namespace: kube-system
annotations:
kubernetes.io/description: |
kube-ovn vpc-nat common config
data:
image: {{ kube_ovn_vpc_container_image_repo }}:{{ kube_ovn_vpc_container_image_tag }}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: ovn-vpc-nat-gw-config
namespace: kube-system
data:
enable-vpc-nat-gw: "true"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:kube-ovn-cni
rules:
- apiGroups:
- "kubeovn.io"
resources:
- subnets
- vlans
- provider-networks
verbs:
- get
- list
- watch
- apiGroups:
- ""
- "kubeovn.io"
resources:
- ovn-eips
- ovn-eips/status
- nodes
- pods
- vlans
verbs:
- get
- list
- patch
- watch
- apiGroups:
- "kubeovn.io"
resources:
- ips
verbs:
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-ovn-cni
roleRef:
name: system:kube-ovn-cni
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-ovn-cni
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-ovn-app
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:kube-ovn-app
rules:
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-ovn-app
roleRef:
name: system:kube-ovn-app
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: kube-ovn-app
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-ovn-app
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kube-ovn-app
namespace: kube-system
---
kind: Deployment kind: Deployment
apiVersion: apps/v1 apiVersion: apps/v1
metadata: metadata:
@ -25,8 +211,20 @@ spec:
type: infra type: infra
spec: spec:
tolerations: tolerations:
- operator: Exists - effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
affinity: affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: "ovn.kubernetes.io/ic-gw"
operator: NotIn
values:
- "true"
weight: 100
podAntiAffinity: podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector: - labelSelector:
@ -67,7 +265,12 @@ spec:
- --log_file_max_size=0 - --log_file_max_size=0
- --enable-lb-svc=false - --enable-lb-svc=false
- --keep-vm-ip={{ kube_ovn_keep_vm_ip }} - --keep-vm-ip={{ kube_ovn_keep_vm_ip }}
- --pod-default-fip-type="" securityContext:
runAsUser: 0
privileged: false
capabilities:
add:
- NET_BIND_SERVICE
env: env:
- name: ENABLE_SSL - name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
@ -85,6 +288,10 @@ spec:
fieldPath: spec.nodeName fieldPath: spec.nodeName
- name: OVN_DB_IPS - name: OVN_DB_IPS
value: "{{ kube_ovn_central_ips }}" value: "{{ kube_ovn_central_ips }}"
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_IPS - name: POD_IPS
valueFrom: valueFrom:
fieldRef: fieldRef:
@ -96,18 +303,24 @@ spec:
name: localtime name: localtime
- mountPath: /var/log/kube-ovn - mountPath: /var/log/kube-ovn
name: kube-ovn-log name: kube-ovn-log
- mountPath: /var/log/ovn
name: ovn-log
- mountPath: /var/run/tls - mountPath: /var/run/tls
name: kube-ovn-tls name: kube-ovn-tls
readinessProbe: readinessProbe:
exec: exec:
command: command:
- /kube-ovn/kube-ovn-controller-healthcheck - /kube-ovn/kube-ovn-healthcheck
- --port=10660
- --tls=false
periodSeconds: 3 periodSeconds: 3
timeoutSeconds: 45 timeoutSeconds: 45
livenessProbe: livenessProbe:
exec: exec:
command: command:
- /kube-ovn/kube-ovn-controller-healthcheck - /kube-ovn/kube-ovn-healthcheck
- --port=10660
- --tls=false
initialDelaySeconds: 300 initialDelaySeconds: 300
periodSeconds: 7 periodSeconds: 7
failureThreshold: 5 failureThreshold: 5
@ -128,6 +341,9 @@ spec:
- name: kube-ovn-log - name: kube-ovn-log
hostPath: hostPath:
path: /var/log/kube-ovn path: /var/log/kube-ovn
- name: ovn-log
hostPath:
path: /var/log/ovn
- name: kube-ovn-tls - name: kube-ovn-tls
secret: secret:
optional: true optional: true
@ -161,7 +377,7 @@ spec:
- key: CriticalAddonsOnly - key: CriticalAddonsOnly
operator: Exists operator: Exists
priorityClassName: system-node-critical priorityClassName: system-node-critical
serviceAccountName: ovn serviceAccountName: kube-ovn-cni
hostNetwork: true hostNetwork: true
hostPID: true hostPID: true
initContainers: initContainers:
@ -202,7 +418,13 @@ spec:
- --log_file_max_size=0 - --log_file_max_size=0
securityContext: securityContext:
runAsUser: 0 runAsUser: 0
privileged: true privileged: false
capabilities:
add:
- NET_ADMIN
- NET_BIND_SERVICE
- NET_RAW
- SYS_ADMIN
env: env:
- name: ENABLE_SSL - name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
@ -231,14 +453,15 @@ spec:
mountPath: /lib/modules mountPath: /lib/modules
readOnly: true readOnly: true
- name: shared-dir - name: shared-dir
mountPath: /var/lib/kubelet/pods mountPath: $KUBELET_DIR/pods
- mountPath: /etc/openvswitch - mountPath: /etc/openvswitch
name: systemid name: systemid
readOnly: true
- mountPath: /etc/cni/net.d - mountPath: /etc/cni/net.d
name: cni-conf name: cni-conf
- mountPath: /run/openvswitch - mountPath: /run/openvswitch
name: host-run-ovs name: host-run-ovs
mountPropagation: Bidirectional mountPropagation: HostToContainer
- mountPath: /run/ovn - mountPath: /run/ovn
name: host-run-ovn name: host-run-ovn
- mountPath: /host/var/run/dbus - mountPath: /host/var/run/dbus
@ -255,6 +478,7 @@ spec:
name: host-log-ovn name: host-log-ovn
- mountPath: /etc/localtime - mountPath: /etc/localtime
name: localtime name: localtime
readOnly: true
- mountPath: /tmp - mountPath: /tmp
name: tmp name: tmp
livenessProbe: livenessProbe:
@ -262,17 +486,22 @@ spec:
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 7 periodSeconds: 7
successThreshold: 1 successThreshold: 1
tcpSocket: exec:
port: 10665 command:
timeoutSeconds: 3 - /kube-ovn/kube-ovn-healthcheck
- --port=10665
- --tls=false
timeoutSeconds: 5
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 7 periodSeconds: 7
successThreshold: 1 successThreshold: 1
tcpSocket: exec:
port: 10665 command:
timeoutSeconds: 3 - /kube-ovn/kube-ovn-healthcheck
- --port=10665
- --tls=false
timeoutSeconds: 5
resources: resources:
requests: requests:
cpu: {{ kube_ovn_cni_server_cpu_request }} cpu: {{ kube_ovn_cni_server_cpu_request }}
@ -389,28 +618,23 @@ spec:
fieldRef: fieldRef:
fieldPath: spec.nodeName fieldPath: spec.nodeName
volumeMounts: volumeMounts:
- mountPath: /lib/modules
name: host-modules
readOnly: true
- mountPath: /run/openvswitch
name: host-run-ovs
- mountPath: /var/run/openvswitch - mountPath: /var/run/openvswitch
name: host-run-ovs name: host-run-ovs
- mountPath: /var/run/ovn - mountPath: /var/run/ovn
name: host-run-ovn name: host-run-ovn
- mountPath: /sys
name: host-sys
readOnly: true
- mountPath: /etc/openvswitch - mountPath: /etc/openvswitch
name: host-config-openvswitch name: host-config-openvswitch
- mountPath: /var/log/openvswitch - mountPath: /var/log/openvswitch
name: host-log-ovs name: host-log-ovs
readOnly: true
- mountPath: /var/log/ovn - mountPath: /var/log/ovn
name: host-log-ovn name: host-log-ovn
readOnly: true
- mountPath: /var/log/kube-ovn - mountPath: /var/log/kube-ovn
name: kube-ovn-log name: kube-ovn-log
- mountPath: /etc/localtime - mountPath: /etc/localtime
name: localtime name: localtime
readOnly: true
- mountPath: /var/run/tls - mountPath: /var/run/tls
name: kube-ovn-tls name: kube-ovn-tls
resources: resources:
@ -423,18 +647,12 @@ spec:
nodeSelector: nodeSelector:
kubernetes.io/os: "linux" kubernetes.io/os: "linux"
volumes: volumes:
- name: host-modules
hostPath:
path: /lib/modules
- name: host-run-ovs - name: host-run-ovs
hostPath: hostPath:
path: /run/openvswitch path: /run/openvswitch
- name: host-run-ovn - name: host-run-ovn
hostPath: hostPath:
path: /run/ovn path: /run/ovn
- name: host-sys
hostPath:
path: /sys
- name: host-config-openvswitch - name: host-config-openvswitch
hostPath: hostPath:
path: /etc/origin/openvswitch path: /etc/origin/openvswitch
@ -500,6 +718,12 @@ spec:
image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }} image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
command: ["/kube-ovn/start-ovn-monitor.sh"] command: ["/kube-ovn/start-ovn-monitor.sh"]
args:
- --secure-serving=false
- --log_file=/var/log/kube-ovn/kube-ovn-monitor.log
- --logtostderr=false
- --alsologtostderr=true
- --log_file_max_size=200
securityContext: securityContext:
runAsUser: 0 runAsUser: 0
privileged: false privileged: false
@ -510,6 +734,10 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: spec.nodeName fieldPath: spec.nodeName
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_IPS - name: POD_IPS
valueFrom: valueFrom:
fieldRef: fieldRef:
@ -532,30 +760,38 @@ spec:
name: host-config-openvswitch name: host-config-openvswitch
- mountPath: /etc/ovn - mountPath: /etc/ovn
name: host-config-ovn name: host-config-ovn
- mountPath: /var/log/openvswitch
name: host-log-ovs
- mountPath: /var/log/ovn - mountPath: /var/log/ovn
name: host-log-ovn name: host-log-ovn
readOnly: true
- mountPath: /etc/localtime - mountPath: /etc/localtime
name: localtime name: localtime
readOnly: true
- mountPath: /var/run/tls - mountPath: /var/run/tls
name: kube-ovn-tls name: kube-ovn-tls
readinessProbe: - mountPath: /var/log/kube-ovn
exec: name: kube-ovn-log
command:
- cat
- /var/run/ovn/ovn-controller.pid
periodSeconds: 10
timeoutSeconds: 45
livenessProbe: livenessProbe:
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 7
successThreshold: 1
exec: exec:
command: command:
- cat - /kube-ovn/kube-ovn-healthcheck
- /var/run/ovn/ovn-controller.pid - --port=10661
- --tls=false
timeoutSeconds: 5
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 10 periodSeconds: 7
failureThreshold: 5 successThreshold: 1
timeoutSeconds: 45 exec:
command:
- /kube-ovn/kube-ovn-healthcheck
- --port=10661
- --tls=false
timeoutSeconds: 5
nodeSelector: nodeSelector:
kubernetes.io/os: "linux" kubernetes.io/os: "linux"
kube-ovn/role: "master" kube-ovn/role: "master"
@ -585,6 +821,9 @@ spec:
secret: secret:
optional: true optional: true
secretName: kube-ovn-tls secretName: kube-ovn-tls
- name: kube-ovn-log
hostPath:
path: /var/log/kube-ovn
--- ---
kind: Service kind: Service
apiVersion: v1 apiVersion: v1

213
roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2
View File

@ -1,6 +1,54 @@
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata:
name: ovn-ovs
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:ovn-ovs
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- patch
- apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- apiGroups:
- apps
resources:
- controllerrevisions
verbs:
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ovn-ovs
roleRef:
name: system:ovn-ovs
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: ovn-ovs
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata: metadata:
name: ovn name: ovn
namespace: kube-system namespace: kube-system
@ -18,8 +66,11 @@ rules:
- vpcs - vpcs
- vpcs/status - vpcs/status
- vpc-nat-gateways - vpc-nat-gateways
- vpc-nat-gateways/status
- subnets - subnets
- subnets/status - subnets/status
- ippools
- ippools/status
- ips - ips
- vips - vips
- vips/status - vips/status
@ -43,59 +94,98 @@ rules:
- ovn-eips/status - ovn-eips/status
- ovn-fips/status - ovn-fips/status
- ovn-snat-rules/status - ovn-snat-rules/status
- ovn-dnat-rules
- ovn-dnat-rules/status
- switch-lb-rules - switch-lb-rules
- switch-lb-rules/status - switch-lb-rules/status
- vpc-dnses - vpc-dnses
- vpc-dnses/status - vpc-dnses/status
- qos-policies
- qos-policies/status
verbs: verbs:
- "*" - "*"
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- pods - pods
- pods/exec
- namespaces - namespaces
- nodes
- configmaps
verbs: verbs:
- create
- get - get
- list - list
- patch
- watch - watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- patch - patch
- update - update
- watch
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- apiGroups: - apiGroups:
- "k8s.cni.cncf.io" - "k8s.cni.cncf.io"
resources: resources:
- network-attachment-definitions - network-attachment-definitions
verbs: verbs:
- create
- delete
- get - get
- list
- update
- apiGroups: - apiGroups:
- "" - ""
- networking.k8s.io - networking.k8s.io
- apps
- extensions
resources: resources:
- networkpolicies - networkpolicies
- services - configmaps
- services/status
- endpoints
- statefulsets
- daemonsets
- deployments
- deployments/scale
verbs: verbs:
- create
- delete
- update
- patch
- get - get
- list - list
- watch - watch
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- apiGroups:
- ""
resources:
- services
- services/status
verbs:
- get
- list
- update
- create
- delete
- watch
- apiGroups:
- ""
resources:
- endpoints
verbs:
- create
- update
- get
- list
- watch
- apiGroups:
- apps
resources:
- statefulsets
- deployments
- deployments/scale
verbs:
- get
- list
- create
- delete
- update
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -118,6 +208,18 @@ rules:
verbs: verbs:
- get - get
- list - list
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
@ -132,6 +234,20 @@ subjects:
name: ovn name: ovn
namespace: kube-system namespace: kube-system
--- ---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ovn
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: ovn
namespace: kube-system
---
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
@ -218,7 +334,12 @@ spec:
type: infra type: infra
spec: spec:
tolerations: tolerations:
- operator: Exists - effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
affinity: affinity:
podAntiAffinity: podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
@ -227,7 +348,7 @@ spec:
app: ovn-central app: ovn-central
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: ovn serviceAccountName: ovn-ovs
hostNetwork: true hostNetwork: true
containers: containers:
- name: ovn-central - name: ovn-central
@ -236,7 +357,9 @@ spec:
command: ["/kube-ovn/start-db.sh"] command: ["/kube-ovn/start-db.sh"]
securityContext: securityContext:
capabilities: capabilities:
add: ["SYS_NICE"] add:
- NET_BIND_SERVICE
- SYS_NICE
env: env:
- name: ENABLE_SSL - name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
@ -260,6 +383,12 @@ spec:
fieldPath: status.podIPs fieldPath: status.podIPs
- name: ENABLE_BIND_LOCAL_IP - name: ENABLE_BIND_LOCAL_IP
value: "{{ kube_ovn_bind_local_ip_enabled }}" value: "{{ kube_ovn_bind_local_ip_enabled }}"
- name: PROBE_INTERVAL
value: "180000"
- name: OVN_NORTHD_PROBE_INTERVAL
value: "5000"
- name: OVN_LEADER_PROBE_INTERVAL
value: "5"
resources: resources:
requests: requests:
cpu: {{ kube_ovn_db_cpu_request }} cpu: {{ kube_ovn_db_cpu_request }}
@ -349,7 +478,10 @@ spec:
matchLabels: matchLabels:
app: ovs app: ovs
updateStrategy: updateStrategy:
type: OnDelete type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
template: template:
metadata: metadata:
labels: labels:
@ -358,9 +490,14 @@ spec:
type: infra type: infra
spec: spec:
tolerations: tolerations:
- operator: Exists - effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
priorityClassName: system-node-critical priorityClassName: system-node-critical
serviceAccountName: ovn serviceAccountName: ovn-ovs
hostNetwork: true hostNetwork: true
hostPID: true hostPID: true
containers: containers:
@ -371,7 +508,13 @@ spec:
command: [{% if kube_ovn_dpdk_enabled %}"/kube-ovn/start-ovs-dpdk.sh"{% else %}"/kube-ovn/start-ovs.sh"{% endif %}] command: [{% if kube_ovn_dpdk_enabled %}"/kube-ovn/start-ovs-dpdk.sh"{% else %}"/kube-ovn/start-ovs.sh"{% endif %}]
securityContext: securityContext:
runAsUser: 0 runAsUser: 0
privileged: true privileged: false
capabilities:
add:
- NET_ADMIN
- NET_BIND_SERVICE
- SYS_MODULE
- SYS_NICE
env: env:
- name: ENABLE_SSL - name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
@ -379,6 +522,14 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: status.podIP fieldPath: status.podIP
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{% if not kube_ovn_dpdk_enabled %} {% if not kube_ovn_dpdk_enabled %}
- name: HW_OFFLOAD - name: HW_OFFLOAD
value: "{{ kube_ovn_hw_offload | string | lower }}" value: "{{ kube_ovn_hw_offload | string | lower }}"
@ -425,6 +576,9 @@ spec:
name: localtime name: localtime
- mountPath: /var/run/tls - mountPath: /var/run/tls
name: kube-ovn-tls name: kube-ovn-tls
- mountPath: /var/run/containerd
name: cruntime
readOnly: true
readinessProbe: readinessProbe:
exec: exec:
command: command:
@ -511,6 +665,9 @@ spec:
- name: localtime - name: localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
- name: cruntime
hostPath:
path: /var/run/containerd
- name: kube-ovn-tls - name: kube-ovn-tls
secret: secret:
optional: true optional: true