diff --git a/roles/kubernetes-apps/ansible/tasks/main.yaml b/roles/kubernetes-apps/ansible/tasks/main.yaml
index ccbca3c80..130a17a6f 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yaml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yaml
@@ -19,4 +19,5 @@
   when: inventory_hostname == groups['kube-master'][0]
 
 - include: tasks/calico-policy-controller.yml
-  when: enable_network_policy is defined and enable_network_policy == True
+  when: ( enable_network_policy is defined and enable_network_policy == True ) or
+        ( kube_network_plugin == 'canal' )
diff --git a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yaml b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yaml
index 46105126b..c6bcd6992 100644
--- a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yaml
+++ b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yaml
@@ -1,3 +1,12 @@
+- name: Create canal ConfigMap
+  run_once: true
+  kube:
+    name: "canal-config"
+    kubectl: "{{bin_dir}}/kubectl"
+    filename: "/etc/kubernetes/canal-config.yaml"
+    resource: "configmap"
+    namespace: "kube-system"
+
 - name: Start flannel and calico-node
   run_once: true
   kube:
diff --git a/roles/kubernetes/node/templates/cni-canal.conf.j2 b/roles/kubernetes/node/templates/cni-canal.conf.j2
index db3e9231c..b835443c7 100644
--- a/roles/kubernetes/node/templates/cni-canal.conf.j2
+++ b/roles/kubernetes/node/templates/cni-canal.conf.j2
@@ -5,11 +5,9 @@
   "type": "calico",
   "etcd_endpoints": "{{ etcd_access_endpoint }}",
   "log_level": "info",
-  {% if enable_network_policy is defined and enable_network_policy == True %}
-  "policy": {
-    "type": "k8s"
-  },
-  {% endif %}
+  "policy": {
+    "type": "k8s"
+  },
   "kubernetes": {
     "kubeconfig": "{{ kube_config_dir }}/node-kubeconfig.yaml"
   }
diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml
index eb833bf0a..ba83edee8 100644
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
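Review bot: The new `when:` still tests `enable_network_policy == True` instead of coercing the value, so a string `"true"` supplied from the command line or an inventory file does not match and the policy controller is silently skipped for non-canal plugins; `kube_network_plugin` is also read without a default, so the task errors if that variable is not guaranteed by group_vars. A more robust condition is `when: (enable_network_policy | default(false) | bool) or (kube_network_plugin | default('') == 'canal')`, which also makes the `is defined` test unnecessary. The two-line plain scalar depends on YAML folding the continuation into the first line; writing it as a `>-` block makes the intent explicit and survives re-indentation.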
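Review bot: Values consumed from `canal-config` through `configMapKeyRef` are resolved into the container environment only when a pod starts, so a later change to `etcd_access_endpoint`, `canal_iface` or `canal_masquerade` updates the ConfigMap created by this task but leaves already-running canal-node pods on the old values until they are recreated, and nothing in this task (or in the `canal-node.yml.j2` hunks that read these keys) triggers that. At minimum a task comment such as `# NOTE: configMapKeyRef env values are read at pod start; canal-node pods must be recreated after this ConfigMap changes` records the limitation, and a follow-up that rolls the DaemonSet when the ConfigMap content changes would close it. `{{bin_dir}}` should also be spelled `{{ bin_dir }}` to match the other templated values in this change.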
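Review bot: Removing the `enable_network_policy` guard makes the `policy` block unconditional, so canal nodes now always delegate policy to the k8s policy controller, and that only works because the `kubernetes-apps/ansible/tasks/main.yaml` hunk starts the controller for `kube_network_plugin == 'canal'`; the coupling is invisible from this template. A Jinja comment above the block, `{# policy is always on for canal; calico-policy-controller is included unconditionally for canal in kubernetes-apps #}`, documents it without changing the rendered JSON, since Jinja comments are stripped. The defaults or documentation for `enable_network_policy` should also state that the variable no longer has any effect when canal is the network plugin.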
@@ -5,7 +5,12 @@
     dest: /etc/flannel-network.json
     backup: yes
 
-- name: Canal | Write canal configuration
+- name: Canal | Write canal configmap
+  template:
+    src: canal-config.yml.j2
+    dest: /etc/kubernetes/canal-config.yaml
+
+- name: Canal | Write canal node configuration
   template:
     src: canal-node.yml.j2
     dest: /etc/kubernetes/canal-node.yaml
diff --git a/roles/network_plugin/canal/templates/canal-config.yml.j2 b/roles/network_plugin/canal/templates/canal-config.yml.j2
new file mode 100644
index 000000000..34f3faedb
--- /dev/null
+++ b/roles/network_plugin/canal/templates/canal-config.yml.j2
@@ -0,0 +1,22 @@
+# This ConfigMap can be used to configure a self-hosted Canal installation.
+# See `canal.yaml` for an example of a Canal deployment which uses
+# the config in this ConfigMap.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: canal-config
+data:
+  # Configure this with the location of your etcd cluster.
+  etcd_endpoints: "{{ etcd_access_endpoint }}"
+
+  # The interface used by canal for host <-> host communication.
+  # If left blank, then the interface is chosing using the node's
+  # default route.
+  flanneld_iface: "{{ canal_iface }}"
+
+  # Whether or not to masquerade traffic to destinations not within
+  # the pod network.
+  masquerade: "{{ canal_masquerade }}"
+
+  # Cluster name for Flannel etcd path
+  cluster_name: "{{ cluster_name }}"
diff --git a/roles/network_plugin/canal/templates/canal-node.yml.j2 b/roles/network_plugin/canal/templates/canal-node.yml.j2
index 0b4ea24e4..bdeae6cfd 100644
--- a/roles/network_plugin/canal/templates/canal-node.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yml.j2
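Review bot: The ConfigMap's `metadata` carries no `namespace`, so the manifest is only correct because the `kube` task that applies it passes `namespace: "kube-system"` and the DaemonSet looks `canal-config` up in its own namespace; adding `namespace: kube-system` under `metadata` makes the file self-describing and prevents a mismatch if it is ever applied by hand. Note also that the old flanneld command only passed `-iface` when `canal_iface` was non-empty, whereas `flanneld_iface` now always exists, possibly as `""`, and is injected as `FLANNELD_IFACE`; the comment above the key says a blank value falls back to the default route, which suggests flanneld tolerates it, but that is worth confirming against the flannel version in use. The same comment has a typo, `chosing` should read `chosen`.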
@@ -47,10 +47,23 @@ spec:
       containers:
         - name: "flannel-server-helper"
           image: "{{ flannel_server_helper_image_repo }}:{{ flannel_server_helper_image_tag }}"
+          env:
+            # Cluster name
+            - name: CLUSTER_NAME
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: cluster_name
+            # The location of the etcd cluster.
+            - name: FLANNELD_ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_endpoints
           args:
             - "--network-config=/etc/flannel-network.json"
-            - "--etcd-prefix=/{{ cluster_name }}/network"
-            - "--etcd-server={{ etcd_endpoint }}"
+            - "--etcd-prefix=/$(CLUSTER_NAME)/network"
+            - "--etcd-server=$(FLANNELD_ETCD_ENDPOINTS)"
           volumeMounts:
             - name: "networkconfig"
               mountPath: "/etc/flannel-network.json"
@@ -60,22 +73,40 @@ spec:
         - name: flannel
           image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
           env:
+            # Cluster name
+            - name: CLUSTER_NAME
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: cluster_name
             # The location of the etcd cluster.
             - name: FLANNELD_ETCD_ENDPOINTS
-              value: "{{ etcd_access_endpoint }}"
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_endpoints
             # The interface flannel should run on.
             - name: FLANNELD_IFACE
-              value: "{{ canal_iface }}"
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: flanneld_iface
             # Perform masquerade on traffic leaving the pod cidr.
             - name: FLANNELD_IP_MASQ
-              value: "{{ canal_masquerade }}"
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: masquerade
+            # Set etcd-prefix
+            - name: DOCKER_OPT_ETCD_PREFIX
+              value: "-etcd-prefix=/$(CLUSTER_NAME)/network"
             # Write the subnet.env file to the mounted directory.
             - name: FLANNELD_SUBNET_FILE
               value: "/run/flannel/subnet.env"
           command:
             - "/bin/sh"
             - "-c"
-            - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network {% if canal_iface %}-iface {{ canal_iface }}{% endif %}"
+            - "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network"
           ports:
             - hostPort: 10253
               containerPort: 10253
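Review bot: In the flannel container the etcd prefix is now set twice, once as `DOCKER_OPT_ETCD_PREFIX` in `env` and again as `-etcd-prefix` on the command line, and as far as I know `DOCKER_OPT_*` is not a name flanneld reads for its own flags (those follow the `FLANNELD_<FLAG>` convention the neighbouring variables already use), so the env entry is either dead or intended for Docker options; either drop it or rename it `FLANNELD_ETCD_PREFIX` and remove the flag from the command, as was already done for `-etcd-endpoints` and `-iface`. Separately, `$(CLUSTER_NAME)` inside the `/bin/sh -c` string is substituted by Kubernetes before the shell runs, but Kubernetes leaves the text untouched if the variable is ever missing and the shell would then treat it as a command substitution; writing `$CLUSTER_NAME` in the shell string, or moving the prefix to `FLANNELD_ETCD_PREFIX`, avoids that edge entirely. The `args` references in the flannel-server-helper hunk above are expanded without a shell and are not affected.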
@@ -94,7 +125,10 @@ spec:
           env:
             # The location of the etcd cluster.
             - name: ETCD_ENDPOINTS
-              value: "{{ etcd_access_endpoint }}"
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_endpoints
             # Disable Calico BGP. Calico is simply enforcing policy.
             - name: CALICO_NETWORKING
               value: "false"