Merge pull request #3984 from dannyk81/calico_xtables_lock

[calico/canal] mount host's xtables lock and enable calico locking for <v3.2.1
pull/3949/head
Chad Swenson 2019-01-15 23:13:02 -06:00 committed by GitHub
commit 5a7ac7e5c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 0 deletions

View File

@ -76,6 +76,12 @@ spec:
value: "{{ calico_endpoint_to_host_action|default('RETURN') }}"
- name: FELIX_HEALTHHOST
value: "{{ calico_healthhost }}"
# Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
# this is not required in later versions https://github.com/projectcalico/calico/issues/2179
{% if calico_version is version('v3.2.1', '<') %}
- name: FELIX_IPTABLESLOCKTIMEOUTSECS
value: "10"
{% endif %}
# should be set in etcd before deployment
# # Configure the IP Pool from which Pod IPs will be chosen.
# - name: CALICO_IPV4POOL_CIDR
@ -170,6 +176,9 @@ spec:
readOnly: false
- mountPath: /calico-secrets
name: etcd-certs
- name: xtables-lock
mountPath: /run/xtables.lock
readOnly: false
volumes:
# Used by calico/node.
- name: lib-modules
@ -192,6 +201,11 @@ spec:
- name: etcd-certs
hostPath:
path: "{{ calico_cert_dir }}"
# Mount the global iptables lock file, used by calico/node
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
updateStrategy:
rollingUpdate:
maxUnavailable: {{ serial | default('20%') }}

View File

@ -173,6 +173,12 @@ spec:
fieldPath: spec.nodeName
- name: FELIX_HEALTHENABLED
value: "true"
# Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
# this is not required in later versions https://github.com/projectcalico/calico/issues/2179
{% if calico_version is version('v3.2.1', '<') %}
- name: FELIX_IPTABLESLOCKTIMEOUTSECS
value: "10"
{% endif %}
# Etcd SSL vars
- name: ETCD_CA_CERT_FILE
valueFrom:
@ -220,6 +226,9 @@ spec:
- name: "canal-certs"
mountPath: "{{ canal_cert_dir }}"
readOnly: true
- name: xtables-lock
mountPath: /run/xtables.lock
readOnly: false
updateStrategy:
rollingUpdate:
maxUnavailable: {{ serial | default('20%') }}