kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[kube-ovn] update version to 1.12.21 (#11445) 

Signed-off-by: Mengxin Liu <liumengxinfly@gmail.com>
pull/11452/head
Mengxin Liu 2024-08-15 21:39:18 +08:00 committed by GitHub
parent ce9ba9a8bf
commit 390d74706c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 1553 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -170,7 +170,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [calico](https://github.com/projectcalico/calico) v3.27.3
- [cilium](https://github.com/cilium/cilium) v1.15.4
- [flannel](https://github.com/flannel-io/flannel) v0.22.0
- [kube-ovn](https://github.com/alauda/kube-ovn) v1.11.5
- [kube-ovn](https://github.com/alauda/kube-ovn) v1.12.21
- [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0
- [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8
- [weave](https://github.com/rajch/weave) v2.8.7

4
roles/kubespray-defaults/defaults/main/download.yml
View File

@ -120,7 +120,7 @@ cilium_version: "v1.15.4"
cilium_cli_version: "v0.16.0"
cilium_enable_hubble: false
kube_ovn_version: "v1.11.5"
kube_ovn_version: "v1.12.21"
kube_ovn_dpdk_version: "19.11-{{ kube_ovn_version }}"
kube_router_version: "v2.0.0"
multus_version: "v3.8"
@ -275,6 +275,8 @@ cilium_hubble_envoy_image_repo: "{{ docker_image_repo }}/envoyproxy/envoy"
cilium_hubble_envoy_image_tag: "v1.22.5"
kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"
kube_ovn_container_image_tag: "{{ kube_ovn_version }}"
kube_ovn_vpc_container_image_repo: "{{ docker_image_repo }}/kubeovn/vpc-nat-gateway"
kube_ovn_vpc_container_image_tag: "{{ kube_ovn_version }}"
kube_ovn_dpdk_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn-dpdk"
kube_ovn_dpdk_container_image_tag: "{{ kube_ovn_dpdk_version }}"
kube_router_image_repo: "{{ docker_image_repo }}/cloudnativelabs/kube-router"

1108
roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2
View File

File diff suppressed because it is too large Load Diff

325
roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2
View File

@ -1,4 +1,190 @@
---
kind: ConfigMap
apiVersion: v1
metadata:
name: ovn-vpc-nat-config
namespace: kube-system
annotations:
kubernetes.io/description: |
kube-ovn vpc-nat common config
data:
image: {{ kube_ovn_vpc_container_image_repo }}:{{ kube_ovn_vpc_container_image_tag }}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: ovn-vpc-nat-gw-config
namespace: kube-system
data:
enable-vpc-nat-gw: "true"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:kube-ovn-cni
rules:
- apiGroups:
- "kubeovn.io"
resources:
- subnets
- vlans
- provider-networks
verbs:
- get
- list
- watch
- apiGroups:
- ""
- "kubeovn.io"
resources:
- ovn-eips
- ovn-eips/status
- nodes
- pods
- vlans
verbs:
- get
- list
- patch
- watch
- apiGroups:
- "kubeovn.io"
resources:
- ips
verbs:
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-ovn-cni
roleRef:
name: system:kube-ovn-cni
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-ovn-cni
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-ovn-app
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:kube-ovn-app
rules:
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-ovn-app
roleRef:
name: system:kube-ovn-app
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: kube-ovn-app
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-ovn-app
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kube-ovn-app
namespace: kube-system
---
kind: Deployment
apiVersion: apps/v1
metadata:
@ -25,8 +211,20 @@ spec:
type: infra
spec:
tolerations:
- operator: Exists
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: "ovn.kubernetes.io/ic-gw"
operator: NotIn
values:
- "true"
weight: 100
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
@ -67,7 +265,12 @@ spec:
- --log_file_max_size=0
- --enable-lb-svc=false
- --keep-vm-ip={{ kube_ovn_keep_vm_ip }}
- --pod-default-fip-type=""
securityContext:
runAsUser: 0
privileged: false
capabilities:
add:
- NET_BIND_SERVICE
env:
- name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}"
@ -85,6 +288,10 @@ spec:
fieldPath: spec.nodeName
- name: OVN_DB_IPS
value: "{{ kube_ovn_central_ips }}"
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_IPS
valueFrom:
fieldRef:
@ -96,18 +303,24 @@ spec:
name: localtime
- mountPath: /var/log/kube-ovn
name: kube-ovn-log
- mountPath: /var/log/ovn
name: ovn-log
- mountPath: /var/run/tls
name: kube-ovn-tls
readinessProbe:
exec:
command:
- /kube-ovn/kube-ovn-controller-healthcheck
- /kube-ovn/kube-ovn-healthcheck
- --port=10660
- --tls=false
periodSeconds: 3
timeoutSeconds: 45
livenessProbe:
exec:
command:
- /kube-ovn/kube-ovn-controller-healthcheck
- /kube-ovn/kube-ovn-healthcheck
- --port=10660
- --tls=false
initialDelaySeconds: 300
periodSeconds: 7
failureThreshold: 5
@ -128,6 +341,9 @@ spec:
- name: kube-ovn-log
hostPath:
path: /var/log/kube-ovn
- name: ovn-log
hostPath:
path: /var/log/ovn
- name: kube-ovn-tls
secret:
optional: true
@ -161,7 +377,7 @@ spec:
- key: CriticalAddonsOnly
operator: Exists
priorityClassName: system-node-critical
serviceAccountName: ovn
serviceAccountName: kube-ovn-cni
hostNetwork: true
hostPID: true
initContainers:
@ -202,7 +418,13 @@ spec:
- --log_file_max_size=0
securityContext:
runAsUser: 0
privileged: true
privileged: false
capabilities:
add:
- NET_ADMIN
- NET_BIND_SERVICE
- NET_RAW
- SYS_ADMIN
env:
- name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}"
@ -231,14 +453,15 @@ spec:
mountPath: /lib/modules
readOnly: true
- name: shared-dir
mountPath: /var/lib/kubelet/pods
mountPath: $KUBELET_DIR/pods
- mountPath: /etc/openvswitch
name: systemid
readOnly: true
- mountPath: /etc/cni/net.d
name: cni-conf
- mountPath: /run/openvswitch
name: host-run-ovs
mountPropagation: Bidirectional
mountPropagation: HostToContainer
- mountPath: /run/ovn
name: host-run-ovn
- mountPath: /host/var/run/dbus
@ -255,6 +478,7 @@ spec:
name: host-log-ovn
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /tmp
name: tmp
livenessProbe:
@ -262,17 +486,22 @@ spec:
initialDelaySeconds: 30
periodSeconds: 7
successThreshold: 1
tcpSocket:
port: 10665
timeoutSeconds: 3
exec:
command:
- /kube-ovn/kube-ovn-healthcheck
- --port=10665
- --tls=false
timeoutSeconds: 5
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 7
successThreshold: 1
tcpSocket:
port: 10665
timeoutSeconds: 3
exec:
command:
- /kube-ovn/kube-ovn-healthcheck
- --port=10665
- --tls=false
timeoutSeconds: 5
resources:
requests:
cpu: {{ kube_ovn_cni_server_cpu_request }}
@ -389,28 +618,23 @@ spec:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- mountPath: /lib/modules
name: host-modules
readOnly: true
- mountPath: /run/openvswitch
name: host-run-ovs
- mountPath: /var/run/openvswitch
name: host-run-ovs
- mountPath: /var/run/ovn
name: host-run-ovn
- mountPath: /sys
name: host-sys
readOnly: true
- mountPath: /etc/openvswitch
name: host-config-openvswitch
- mountPath: /var/log/openvswitch
name: host-log-ovs
readOnly: true
- mountPath: /var/log/ovn
name: host-log-ovn
readOnly: true
- mountPath: /var/log/kube-ovn
name: kube-ovn-log
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /var/run/tls
name: kube-ovn-tls
resources:
@ -423,18 +647,12 @@ spec:
nodeSelector:
kubernetes.io/os: "linux"
volumes:
- name: host-modules
hostPath:
path: /lib/modules
- name: host-run-ovs
hostPath:
path: /run/openvswitch
- name: host-run-ovn
hostPath:
path: /run/ovn
- name: host-sys
hostPath:
path: /sys
- name: host-config-openvswitch
hostPath:
path: /etc/origin/openvswitch
@ -500,6 +718,12 @@ spec:
image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
command: ["/kube-ovn/start-ovn-monitor.sh"]
args:
- --secure-serving=false
- --log_file=/var/log/kube-ovn/kube-ovn-monitor.log
- --logtostderr=false
- --alsologtostderr=true
- --log_file_max_size=200
securityContext:
runAsUser: 0
privileged: false
@ -510,6 +734,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_IPS
valueFrom:
fieldRef:
@ -532,30 +760,38 @@ spec:
name: host-config-openvswitch
- mountPath: /etc/ovn
name: host-config-ovn
- mountPath: /var/log/openvswitch
name: host-log-ovs
- mountPath: /var/log/ovn
name: host-log-ovn
readOnly: true
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /var/run/tls
name: kube-ovn-tls
readinessProbe:
exec:
command:
- cat
- /var/run/ovn/ovn-controller.pid
periodSeconds: 10
timeoutSeconds: 45
- mountPath: /var/log/kube-ovn
name: kube-ovn-log
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 7
successThreshold: 1
exec:
command:
- cat
- /var/run/ovn/ovn-controller.pid
- /kube-ovn/kube-ovn-healthcheck
- --port=10661
- --tls=false
timeoutSeconds: 5
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 10
failureThreshold: 5
timeoutSeconds: 45
periodSeconds: 7
successThreshold: 1
exec:
command:
- /kube-ovn/kube-ovn-healthcheck
- --port=10661
- --tls=false
timeoutSeconds: 5
nodeSelector:
kubernetes.io/os: "linux"
kube-ovn/role: "master"
@ -585,6 +821,9 @@ spec:
secret:
optional: true
secretName: kube-ovn-tls
- name: kube-ovn-log
hostPath:
path: /var/log/kube-ovn
---
kind: Service
apiVersion: v1

213
roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2
View File

@ -1,6 +1,54 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ovn-ovs
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:ovn-ovs
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- patch
- apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- apiGroups:
- apps
resources:
- controllerrevisions
verbs:
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ovn-ovs
roleRef:
name: system:ovn-ovs
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: ovn-ovs
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ovn
namespace: kube-system
@ -18,8 +66,11 @@ rules:
- vpcs
- vpcs/status
- vpc-nat-gateways
- vpc-nat-gateways/status
- subnets
- subnets/status
- ippools
- ippools/status
- ips
- vips
- vips/status
@ -43,59 +94,98 @@ rules:
- ovn-eips/status
- ovn-fips/status
- ovn-snat-rules/status
- ovn-dnat-rules
- ovn-dnat-rules/status
- switch-lb-rules
- switch-lb-rules/status
- vpc-dnses
- vpc-dnses/status
- qos-policies
- qos-policies/status
verbs:
- "*"
- apiGroups:
- ""
resources:
- pods
- pods/exec
- namespaces
- nodes
- configmaps
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- apiGroups:
- "k8s.cni.cncf.io"
resources:
- network-attachment-definitions
verbs:
- create
- delete
- get
- list
- update
- apiGroups:
- ""
- networking.k8s.io
- apps
- extensions
resources:
- networkpolicies
- services
- services/status
- endpoints
- statefulsets
- daemonsets
- deployments
- deployments/scale
- configmaps
verbs:
- create
- delete
- update
- patch
- get
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- apiGroups:
- ""
resources:
- services
- services/status
verbs:
- get
- list
- update
- create
- delete
- watch
- apiGroups:
- ""
resources:
- endpoints
verbs:
- create
- update
- get
- list
- watch
- apiGroups:
- apps
resources:
- statefulsets
- deployments
- deployments/scale
verbs:
- get
- list
- create
- delete
- update
- apiGroups:
- ""
resources:
@ -118,6 +208,18 @@ rules:
verbs:
- get
- list
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
@ -132,6 +234,20 @@ subjects:
name: ovn
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ovn
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: ovn
namespace: kube-system
---
kind: Service
apiVersion: v1
metadata:
@ -218,7 +334,12 @@ spec:
type: infra
spec:
tolerations:
- operator: Exists
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@ -227,7 +348,7 @@ spec:
app: ovn-central
topologyKey: kubernetes.io/hostname
priorityClassName: system-cluster-critical
serviceAccountName: ovn
serviceAccountName: ovn-ovs
hostNetwork: true
containers:
- name: ovn-central
@ -236,7 +357,9 @@ spec:
command: ["/kube-ovn/start-db.sh"]
securityContext:
capabilities:
add: ["SYS_NICE"]
add:
- NET_BIND_SERVICE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}"
@ -260,6 +383,12 @@ spec:
fieldPath: status.podIPs
- name: ENABLE_BIND_LOCAL_IP
value: "{{ kube_ovn_bind_local_ip_enabled }}"
- name: PROBE_INTERVAL
value: "180000"
- name: OVN_NORTHD_PROBE_INTERVAL
value: "5000"
- name: OVN_LEADER_PROBE_INTERVAL
value: "5"
resources:
requests:
cpu: {{ kube_ovn_db_cpu_request }}
@ -349,7 +478,10 @@ spec:
matchLabels:
app: ovs
updateStrategy:
type: OnDelete
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
template:
metadata:
labels:
@ -358,9 +490,14 @@ spec:
type: infra
spec:
tolerations:
- operator: Exists
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
priorityClassName: system-node-critical
serviceAccountName: ovn
serviceAccountName: ovn-ovs
hostNetwork: true
hostPID: true
containers:
@ -371,7 +508,13 @@ spec:
command: [{% if kube_ovn_dpdk_enabled %}"/kube-ovn/start-ovs-dpdk.sh"{% else %}"/kube-ovn/start-ovs.sh"{% endif %}]
securityContext:
runAsUser: 0
privileged: true
privileged: false
capabilities:
add:
- NET_ADMIN
- NET_BIND_SERVICE
- SYS_MODULE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}"
@ -379,6 +522,14 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{% if not kube_ovn_dpdk_enabled %}
- name: HW_OFFLOAD
value: "{{ kube_ovn_hw_offload | string | lower }}"
@ -425,6 +576,9 @@ spec:
name: localtime
- mountPath: /var/run/tls
name: kube-ovn-tls
- mountPath: /var/run/containerd
name: cruntime
readOnly: true
readinessProbe:
exec:
command:
@ -511,6 +665,9 @@ spec:
- name: localtime
hostPath:
path: /etc/localtime
- name: cruntime
hostPath:
path: /var/run/containerd
- name: kube-ovn-tls
secret:
optional: true