diff --git a/README.md b/README.md index 40dc74502..b9c0fc60d 100644 --- a/README.md +++ b/README.md @@ -167,7 +167,7 @@ Note: Upstart/SysV init based OS types are not supported. - [calico](https://github.com/projectcalico/calico) v3.28.1 - [cilium](https://github.com/cilium/cilium) v1.15.9 - [flannel](https://github.com/flannel-io/flannel) v0.22.0 - - [kube-ovn](https://github.com/alauda/kube-ovn) v1.12.21 + - [kube-ovn](https://github.com/alauda/kube-ovn) v1.12.28 - [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0 - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8 - [weave](https://github.com/rajch/weave) v2.8.7 diff --git a/roles/kubespray-defaults/defaults/main/download.yml b/roles/kubespray-defaults/defaults/main/download.yml index 81c49a40f..7b69ce0a9 100644 --- a/roles/kubespray-defaults/defaults/main/download.yml +++ b/roles/kubespray-defaults/defaults/main/download.yml @@ -118,7 +118,7 @@ cilium_version: "v1.15.9" cilium_cli_version: "v0.16.0" cilium_enable_hubble: false -kube_ovn_version: "v1.12.21" +kube_ovn_version: "v1.12.28" kube_ovn_dpdk_version: "19.11-{{ kube_ovn_version }}" kube_router_version: "v2.0.0" multus_version: "v4.1.0" diff --git a/roles/network_plugin/kube-ovn/defaults/main.yml b/roles/network_plugin/kube-ovn/defaults/main.yml index a06cba0b0..43c6b3c9a 100644 --- a/roles/network_plugin/kube-ovn/defaults/main.yml +++ b/roles/network_plugin/kube-ovn/defaults/main.yml @@ -1,4 +1,13 @@ --- +# image repo and tag +kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn" +kube_ovn_container_image_tag: "{{ kube_ovn_version }}" +kube_ovn_vpc_container_image_repo: "{{ docker_image_repo }}/kubeovn/vpc-nat-gateway" +kube_ovn_vpc_container_image_tag: "{{ kube_ovn_version }}" +kube_ovn_dpdk_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn-dpdk" +kube_ovn_dpdk_container_image_tag: "{{ kube_ovn_dpdk_version }}" + +# request and limit kube_ovn_db_cpu_request: 500m kube_ovn_db_memory_request: 200Mi kube_ovn_db_cpu_limit: 3000m @@ -37,10 +46,16 @@ kube_ovn_central_ips: |- {%- endfor %} kube_ovn_ic_enable: false -kube_ovn_ic_autoroute: true -kube_ovn_ic_dbhost: "127.0.0.1" +kube_ovn_ic_auto_route: true +kube_ovn_ic_db_host: "127.0.0.1" kube_ovn_ic_zone: "kubernetes" +# kube-ovn default subnet +kube_ovn_default_subnet: "ovn-default" +kube_ovn_default_vpc: "ovn-cluster" +kube_ovn_node_subnet: "join" +kube_ovn_mirror_iface: "mirror0" + # geneve or vlan kube_ovn_network_type: geneve @@ -58,7 +73,9 @@ kube_ovn_hw_offload: false kube_ovn_traffic_mirror: false # kube_ovn_pool_cidr_ipv6: fd85:ee78:d8a6:8607::1:0000/112 -# kube_ovn_default_interface_name: eth0 + +# kube_ovn_default_provider_name: provider +# kube_ovn_default_vlan_interface_name: eth0 kube_ovn_external_address: 8.8.8.8 kube_ovn_external_address_ipv6: 2400:3200::1 @@ -77,6 +94,7 @@ kube_ovn_node_switch_cidr_ipv6: fd00:100:64::/64 ## vlan config, set default interface name and vlan id # kube_ovn_default_interface_name: eth0 +kube_ovn_default_vlan_name: vlan100 kube_ovn_default_vlan_id: 100 kube_ovn_vlan_name: product @@ -105,14 +123,71 @@ kube_ovn_dpdk_tunnel_iface: br-phy ## bind local ip kube_ovn_bind_local_ip_enabled: true -## eip snat -kube_ovn_eip_snat_enabled: true +## enable compact +kube_ovn_enable_compact: false + +## ovn northd n threads +kube_ovn_northd_n_threads: 1 + +## ovn leader probe interval +kube_ovn_leader_probe_interval: 5 + +## ovn probe interval +kube_ovn_probe_interval: 180000 + +# ovn northd probe interval +kube_ovn_northd_probe_interval: 5000 + +# ovn remote probe interval +kube_ovn_remote_probe_interval: 10000 + +# ovn remote openflow interval +kube_ovn_remote_openflow_interval: 180 + +## eip snat need configmap "ovn-vpc-nat-config" set by user first +kube_ovn_eip_snat_enabled: false # ls dnat mod dl dst kube_ovn_ls_dnat_mod_dl_dst: true +# ls ct skip dst lport ips +kube_ovn_ls_ct_skip_dst_lport_ips: true + +# enable ecmp +kube_ovn_enable_ecmp: false + +# enable metrics +kube_ovn_enable_metrics: true + +# enable tproxy +kube_ovn_enable_tproxy: false + +# ovs vsctl concurrency +kube_ovn_ovs_vsctl_concurrency: 100 + +# enable sercure service +kube_ovn_enable_secure_serving: false + +# ovn exchange link name with ovs bridge name +kube_ovn_exchange_link_name: false + ## keep vm ip kube_ovn_keep_vm_ip: true ## cni config priority, default: 01 -kube_ovn_cni_config_priority: '01' +kube_ovn_cni_config_priority: "01" + +# nodelocaldns_ip +nodelocaldns_ip: 169.254.25.10 + +# ovs db connection timeout +kube_ovn_ovsdb_connection_timeout: 3 + +# ovs db inactivity probe timeout +kube_ovn_ovsdb_inactivity_probe: 10 + +# kube ovn gc interval +kube_ovn_gc_interval: 360 + +# kube ovn inspect interval +kube_ovn_inspect_interval: 20 diff --git a/roles/network_plugin/kube-ovn/tasks/main.yml b/roles/network_plugin/kube-ovn/tasks/main.yml index a8b942792..e39245686 100644 --- a/roles/network_plugin/kube-ovn/tasks/main.yml +++ b/roles/network_plugin/kube-ovn/tasks/main.yml @@ -11,7 +11,9 @@ dest: "{{ kube_config_dir }}/{{ item.file }}" mode: "0644" with_items: - - {name: kube-ovn-crd, file: cni-kube-ovn-crd.yml} - - {name: ovn, file: cni-ovn.yml} - - {name: kube-ovn, file: cni-kube-ovn.yml} + - { name: kube-ovn-crd, file: cni-kube-ovn-crd.yml } + - { name: kube-ovn, file: cni-kube-ovn.yml } + - { name: ovn-sa, file: ovn-SA.yml } + - { name: ovn-cr, file: ovn-CR.yml } + - { name: ovn-crb, file: ovn-CRB.yml } register: kube_ovn_node_manifests diff --git a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 index c531ffcbb..9b7da6be6 100644 --- a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 +++ b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 @@ -1454,64 +1454,64 @@ spec: name: Ready type: boolean schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4Eip: - type: string - v4Ip: - type: string - vpc: - type: string - externalPort: - type: string - internalPort: - type: string - protocol: - type: string - ipName: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - ovnEip: - type: string - ipType: - type: string - ipName: - type: string - externalPort: - type: string - internalPort: - type: string - protocol: - type: string - vpc: - type: string - v4Ip: - type: string + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + ready: + type: boolean + v4Eip: + type: string + v4Ip: + type: string + vpc: + type: string + externalPort: + type: string + internalPort: + type: string + protocol: + type: string + ipName: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + ovnEip: + type: string + ipType: + type: string + ipName: + type: string + externalPort: + type: string + internalPort: + type: string + protocol: + type: string + vpc: + type: string + v4Ip: + type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1823,12 +1823,12 @@ spec: spec: type: object properties: + type: + type: string namespace: type: string subnet: type: string - type: - type: string attachSubnets: type: array items: diff --git a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2 index f4acdedac..d72ddd929 100644 --- a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2 +++ b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2 @@ -18,173 +18,6 @@ metadata: data: enable-vpc-nat-gw: "true" --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-cni - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:kube-ovn-cni -rules: - - apiGroups: - - "kubeovn.io" - resources: - - subnets - - vlans - - provider-networks - verbs: - - get - - list - - watch - - apiGroups: - - "" - - "kubeovn.io" - resources: - - ovn-eips - - ovn-eips/status - - nodes - - pods - - vlans - verbs: - - get - - list - - patch - - watch - - apiGroups: - - "kubeovn.io" - resources: - - ips - verbs: - - get - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-ovn-cni -roleRef: - name: system:kube-ovn-cni - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-cni - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kube-ovn-cni - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: - - kind: ServiceAccount - name: kube-ovn-cni - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-app - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:kube-ovn-app -rules: - - apiGroups: - - "" - resources: - - pods - - nodes - verbs: - - get - - list - - apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-ovn-app -roleRef: - name: system:kube-ovn-app - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-app - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kube-ovn-app - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: - - kind: ServiceAccount - name: kube-ovn-app - namespace: kube-system ---- kind: Deployment apiVersion: apps/v1 metadata: @@ -240,6 +73,9 @@ spec: imagePullPolicy: {{ k8s_image_pull_policy }} args: - /kube-ovn/start-controller.sh + - --default-ls={{ kube_ovn_default_subnet }} + - --cluster-router={{ kube_ovn_default_vpc }} + - --node-switch={{ kube_ovn_node_subnet }} - --default-cidr={{ kube_pods_subnet }}{% if enable_dual_stack_networks %},{{ kube_ovn_pool_cidr_ipv6 | default(kube_pods_subnet_ipv6) }}{% endif %}{{ '' }} - --default-gateway={% if kube_ovn_default_gateway is defined %}{{ kube_ovn_default_gateway }}{% endif %}{{ '' }} - --default-gateway-check={{ kube_ovn_default_gateway_check | string }} @@ -249,28 +85,32 @@ spec: - --node-switch-cidr={{ kube_ovn_node_switch_cidr }}{% if enable_dual_stack_networks %},{{ kube_ovn_node_switch_cidr_ipv6 }}{% endif %}{{ '' }} - --service-cluster-ip-range={{ kube_service_addresses }}{% if enable_dual_stack_networks %},{{ kube_service_addresses_ipv6 }}{% endif %}{{ '' }} - --network-type={{ kube_ovn_network_type }} - - --default-interface-name={{ kube_ovn_default_interface_name | default('') }} - - --default-vlan-id={{ kube_ovn_default_vlan_id }} + - --default-provider-name={{ kube_ovn_default_provider_name | default('')}} + - --default-interface-name={{ kube_ovn_default_vlan_interface_name | default('') }} + - --default-vlan-id={{ kube_ovn_default_vlan_id | default('') }} + - --default-vlan-name={{ kube_ovn_default_vlan_name | default('') }} - --ls-dnat-mod-dl-dst={{ kube_ovn_ls_dnat_mod_dl_dst }} + - --default-exchange-link-name={{ kube_ovn_exchange_link_name }} + - --ls-ct-skip-dst-lport-ips={{ kube_ovn_ls_ct_skip_dst_lport_ips }} - --pod-nic-type={{ kube_ovn_pod_nic_type }} - --enable-lb={{ kube_ovn_enable_lb | string }} - --enable-np={{ kube_ovn_enable_np | string }} - --enable-eip-snat={{ kube_ovn_eip_snat_enabled }} - --enable-external-vpc={{ kube_ovn_enable_external_vpc | string }} + - --enable-ecmp={{ kube_ovn_enable_ecmp }} - --logtostderr=false - --alsologtostderr=true - - --gc-interval=360 - - --inspect-interval=20 + - --gc-interval={{ kube_ovn_gc_interval }} + - --inspect-interval={{ kube_ovn_inspect_interval }} - --log_file=/var/log/kube-ovn/kube-ovn-controller.log - --log_file_max_size=0 - --enable-lb-svc=false - --keep-vm-ip={{ kube_ovn_keep_vm_ip }} - securityContext: - runAsUser: 0 - privileged: false - capabilities: - add: - - NET_BIND_SERVICE + - --enable-metrics={{ kube_ovn_enable_metrics }} + - --node-local-dns-ip={{ nodelocaldns_ip }} + - --secure-serving={{ kube_ovn_enable_secure_serving }} + - --ovsdb-con-timeout={{ kube_ovn_ovsdb_connection_timeout }} + - --ovsdb-inactivity-timeout={{ kube_ovn_ovsdb_inactivity_probe }} env: - name: ENABLE_SSL value: "{{ kube_ovn_enable_ssl | lower }}" @@ -312,7 +152,7 @@ spec: command: - /kube-ovn/kube-ovn-healthcheck - --port=10660 - - --tls=false + - --tls={{ kube_ovn_enable_secure_serving | lower }} periodSeconds: 3 timeoutSeconds: 45 livenessProbe: @@ -320,7 +160,7 @@ spec: command: - /kube-ovn/kube-ovn-healthcheck - --port=10660 - - --tls=false + - --tls={{ kube_ovn_enable_secure_serving | lower }} initialDelaySeconds: 300 periodSeconds: 7 failureThreshold: 5 @@ -403,6 +243,8 @@ spec: args: - --enable-mirror={{ kube_ovn_traffic_mirror | lower }} - --encap-checksum={{ kube_ovn_encap_checksum | lower }} + - --mirror-iface={{ kube_ovn_mirror_iface }} + - --node-switch={{ kube_ovn_node_subnet }} - --service-cluster-ip-range={{ kube_service_addresses }}{% if enable_dual_stack_networks %},{{ kube_service_addresses_ipv6 }}{% endif %}{{ '' }} - --iface={{ kube_ovn_iface | default('') }} - --dpdk-tunnel-iface={{ kube_ovn_dpdk_tunnel_iface }} @@ -416,6 +258,10 @@ spec: - --alsologtostderr=true - --log_file=/var/log/kube-ovn/kube-ovn-cni.log - --log_file_max_size=0 + - --enable-metrics={{ kube_ovn_enable_metrics }} + - --enable-tproxy={{ kube_ovn_enable_tproxy }} + - --ovs-vsctl-concurrency={{ kube_ovn_ovs_vsctl_concurrency }} + - --secure-serving={{ kube_ovn_enable_secure_serving }} securityContext: runAsUser: 0 privileged: false @@ -436,6 +282,14 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace - name: MODULES value: kube_ovn_fastpath.ko - name: RPMS @@ -490,7 +344,7 @@ spec: command: - /kube-ovn/kube-ovn-healthcheck - --port=10665 - - --tls=false + - --tls={{ kube_ovn_enable_secure_serving | lower}} timeoutSeconds: 5 readinessProbe: failureThreshold: 3 @@ -500,7 +354,7 @@ spec: command: - /kube-ovn/kube-ovn-healthcheck - --port=10665 - - --tls=false + - --tls={{ kube_ovn_enable_secure_serving | lower}} timeoutSeconds: 5 resources: requests: @@ -580,7 +434,7 @@ spec: type: infra spec: priorityClassName: system-node-critical - serviceAccountName: ovn + serviceAccountName: kube-ovn-app hostPID: true containers: - name: pinger @@ -618,10 +472,18 @@ spec: fieldRef: fieldPath: spec.nodeName volumeMounts: + - mountPath: /lib/modules + name: host-modules + readOnly: true + - mountPath: /run/openvswitch + name: host-run-ovs - mountPath: /var/run/openvswitch name: host-run-ovs - mountPath: /var/run/ovn name: host-run-ovn + - mountPath: /sys + name: host-sys + readOnly: true - mountPath: /etc/openvswitch name: host-config-openvswitch - mountPath: /var/log/openvswitch @@ -629,7 +491,6 @@ spec: readOnly: true - mountPath: /var/log/ovn name: host-log-ovn - readOnly: true - mountPath: /var/log/kube-ovn name: kube-ovn-log - mountPath: /etc/localtime @@ -647,12 +508,18 @@ spec: nodeSelector: kubernetes.io/os: "linux" volumes: + - name: host-modules + hostPath: + path: /lib/modules - name: host-run-ovs hostPath: path: /run/openvswitch - name: host-run-ovn hostPath: path: /run/ovn + - name: host-sys + hostPath: + path: /sys - name: host-config-openvswitch hostPath: path: /etc/origin/openvswitch @@ -711,7 +578,7 @@ spec: app: kube-ovn-monitor topologyKey: kubernetes.io/hostname priorityClassName: system-cluster-critical - serviceAccountName: ovn + serviceAccountName: kube-ovn-app hostNetwork: true containers: - name: kube-ovn-monitor @@ -760,6 +627,8 @@ spec: name: host-config-openvswitch - mountPath: /etc/ovn name: host-config-ovn + - mountPath: /var/log/openvswitch + name: host-log-ovs - mountPath: /var/log/ovn name: host-log-ovn readOnly: true @@ -779,7 +648,7 @@ spec: command: - /kube-ovn/kube-ovn-healthcheck - --port=10661 - - --tls=false + - --tls={{ kube_ovn_enable_secure_serving | lower}} timeoutSeconds: 5 readinessProbe: failureThreshold: 3 @@ -790,7 +659,7 @@ spec: command: - /kube-ovn/kube-ovn-healthcheck - --port=10661 - - --tls=false + - --tls={{ kube_ovn_enable_secure_serving | lower}} timeoutSeconds: 5 nodeSelector: kubernetes.io/os: "linux" @@ -904,9 +773,408 @@ metadata: data: enable-ic: "{{ kube_ovn_ic_enable | lower }}" az-name: "{{ kube_ovn_ic_zone }}" - ic-db-host: "{{ kube_ovn_ic_dbhost }}" + ic-db-host: "{{ kube_ovn_ic_db_host }}" ic-nb-port: "6645" ic-sb-port: "6646" gw-nodes: "{{ kube_ovn_central_hosts | join(',') }}" - auto-route: "{{ kube_ovn_ic_autoroute | lower }}" + auto-route: "{{ kube_ovn_ic_auto_route | lower }}" {% endif %} + +--- +kind: Service +apiVersion: v1 +metadata: + name: ovn-nb + namespace: kube-system +spec: + ports: + - name: ovn-nb + protocol: TCP + port: 6641 + targetPort: 6641 + type: ClusterIP +{% if enable_dual_stack_networks %} + ipFamilyPolicy: PreferDualStack +{% endif %} + selector: + app: ovn-central + ovn-nb-leader: "true" + sessionAffinity: None +--- +kind: Service +apiVersion: v1 +metadata: + name: ovn-sb + namespace: kube-system +spec: + ports: + - name: ovn-sb + protocol: TCP + port: 6642 + targetPort: 6642 + type: ClusterIP +{% if enable_dual_stack_networks %} + ipFamilyPolicy: PreferDualStack +{% endif %} + selector: + app: ovn-central + ovn-sb-leader: "true" + sessionAffinity: None +--- +kind: Service +apiVersion: v1 +metadata: + name: ovn-northd + namespace: kube-system +spec: + ports: + - name: ovn-northd + protocol: TCP + port: 6643 + targetPort: 6643 + type: ClusterIP +{% if enable_dual_stack_networks %} + ipFamilyPolicy: PreferDualStack +{% endif %} + selector: + app: ovn-central + ovn-northd-leader: "true" + sessionAffinity: None +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: ovn-central + namespace: kube-system + annotations: + kubernetes.io/description: | + OVN components: northd, nb and sb. +spec: + replicas: {{ kube_ovn_central_replics }} + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + selector: + matchLabels: + app: ovn-central + template: + metadata: + labels: + app: ovn-central + component: network + type: infra + spec: + tolerations: + - operator: Exists + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: ovn-central + topologyKey: kubernetes.io/hostname + priorityClassName: system-cluster-critical + serviceAccountName: ovn-ovs + hostNetwork: true + containers: + - name: ovn-central + image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }} + imagePullPolicy: {{ k8s_image_pull_policy }} + command: ["/kube-ovn/start-db.sh"] + securityContext: + capabilities: + add: ["SYS_NICE"] + env: + - name: ENABLE_SSL + value: "{{ kube_ovn_enable_ssl | lower }}" + - name: NODE_IPS + value: "{{ kube_ovn_central_ips }}" + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs + - name: PROBE_INTERVAL + value: "{{ kube_ovn_probe_interval }}" + - name: OVN_NORTHD_PROBE_INTERVAL + value: "{{ kube_ovn_northd_probe_interval }}" + - name: OVN_LEADER_PROBE_INTERVAL + value: "{{ kube_ovn_leader_probe_interval }}" + - name: OVN_NORTHD_N_THREADS + value: "{{ kube_ovn_northd_n_threads }}" + - name: ENABLE_COMPACT + value: "{{ kube_ovn_enable_compact }}" + - name: ENABLE_BIND_LOCAL_IP + value: "{{ kube_ovn_bind_local_ip_enabled }}" + resources: + requests: + cpu: {{ kube_ovn_db_cpu_request }} + memory: {{ kube_ovn_db_memory_request }} + limits: + cpu: {{ kube_ovn_db_cpu_limit }} + memory: {{ kube_ovn_db_memory_limit }} + volumeMounts: + - mountPath: /var/run/openvswitch + name: host-run-ovs + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /sys + name: host-sys + readOnly: true + - mountPath: /etc/openvswitch + name: host-config-openvswitch + - mountPath: /etc/ovn + name: host-config-ovn + - mountPath: /var/log/openvswitch + name: host-log-ovs + - mountPath: /var/log/ovn + name: host-log-ovn + - mountPath: /etc/localtime + name: localtime + - mountPath: /var/run/tls + name: kube-ovn-tls + readinessProbe: + exec: + command: + - bash + - /kube-ovn/ovn-healthcheck.sh + periodSeconds: 15 + timeoutSeconds: 45 + livenessProbe: + exec: + command: + - bash + - /kube-ovn/ovn-healthcheck.sh + initialDelaySeconds: 30 + periodSeconds: 15 + failureThreshold: 5 + timeoutSeconds: 45 + nodeSelector: + kubernetes.io/os: "linux" + kube-ovn/role: "master" + volumes: + - name: host-run-ovs + hostPath: + path: /run/openvswitch + - name: host-run-ovn + hostPath: + path: /run/ovn + - name: host-sys + hostPath: + path: /sys + - name: host-config-openvswitch + hostPath: + path: /etc/origin/openvswitch + - name: host-config-ovn + hostPath: + path: /etc/origin/ovn + - name: host-log-ovs + hostPath: + path: /var/log/openvswitch + - name: host-log-ovn + hostPath: + path: /var/log/ovn + - name: localtime + hostPath: + path: /etc/localtime + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: ovs-ovn + namespace: kube-system + annotations: + kubernetes.io/description: | + This daemon set launches the openvswitch daemon. +spec: + selector: + matchLabels: + app: ovs + updateStrategy: + type: OnDelete + template: + metadata: + labels: + app: ovs + component: network + type: infra + spec: + tolerations: + - operator: Exists + priorityClassName: system-node-critical + serviceAccountName: ovn-ovs + hostNetwork: true + hostPID: true + containers: + - name: openvswitch + image: {% if kube_ovn_dpdk_enabled %}{{ kube_ovn_dpdk_container_image_repo }}:{{ kube_ovn_dpdk_container_image_tag }}{% else %}{{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}{% endif %} + + imagePullPolicy: {{ k8s_image_pull_policy }} + command: [{% if kube_ovn_dpdk_enabled %}"/kube-ovn/start-ovs-dpdk.sh"{% else %}"/kube-ovn/start-ovs.sh"{% endif %}] + securityContext: + runAsUser: 0 + privileged: true + env: + - name: ENABLE_SSL + value: "{{ kube_ovn_enable_ssl | lower }}" + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP +{% if not kube_ovn_dpdk_enabled %} + - name: HW_OFFLOAD + value: "{{ kube_ovn_hw_offload | string | lower }}" + - name: TUNNEL_TYPE + value: "{{ kube_ovn_tunnel_type }}" +{% endif %} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: OVN_DB_IPS + value: "{{ kube_ovn_central_ips }}" + - name: OVN_REMOTE_PROBE_INTERVAL + value: "{{ kube_ovn_remote_probe_interval }}" + - name: OVN_REMOTE_OPENFLOW_INTERVAL + value: "{{ kube_ovn_remote_openflow_interval }}" + volumeMounts: + - mountPath: /var/run/netns + name: host-ns + mountPropagation: HostToContainer + - mountPath: /lib/modules + name: host-modules + readOnly: true + - mountPath: /var/run/openvswitch + name: host-run-ovs + - mountPath: /var/run/ovn + name: host-run-ovn + - mountPath: /sys + name: host-sys + readOnly: true + - mountPath: /etc/cni/net.d + name: cni-conf + - mountPath: /etc/openvswitch + name: host-config-openvswitch + - mountPath: /etc/ovn + name: host-config-ovn + - mountPath: /var/log/openvswitch + name: host-log-ovs + - mountPath: /var/log/ovn + name: host-log-ovn +{% if kube_ovn_dpdk_enabled %} + - mountPath: /opt/ovs-config + name: host-config-ovs + - mountPath: /dev/hugepages + name: hugepage +{% endif %} + - mountPath: /etc/localtime + name: localtime + - mountPath: /var/run/tls + name: kube-ovn-tls + readinessProbe: + exec: + command: + - bash +{% if kube_ovn_dpdk_enabled %} + - /kube-ovn/ovs-dpdk-healthcheck.sh +{% else %} + - /kube-ovn/ovs-healthcheck.sh +{% endif %} + periodSeconds: 5 + timeoutSeconds: 45 + livenessProbe: + exec: + command: + - bash +{% if kube_ovn_dpdk_enabled %} + - /kube-ovn/ovs-dpdk-healthcheck.sh +{% else %} + - /kube-ovn/ovs-healthcheck.sh +{% endif %} + initialDelaySeconds: 60 + periodSeconds: 5 + failureThreshold: 5 + timeoutSeconds: 45 + resources: +{% if kube_ovn_dpdk_enabled %} + requests: + cpu: {{ kube_ovn_dpdk_node_cpu_request }} + memory: {{ kube_ovn_dpdk_node_memory_request }} + limits: + cpu: {{ kube_ovn_dpdk_node_cpu_limit }} + memory: {{ kube_ovn_dpdk_node_memory_limit }} + hugepages-1Gi: 1Gi +{% else %} + requests: + cpu: {{ kube_ovn_node_cpu_request }} + memory: {{ kube_ovn_node_memory_request }} + limits: + cpu: {{ kube_ovn_node_cpu_limit }} + memory: {{ kube_ovn_node_memory_limit }} +{% endif %} + nodeSelector: + kubernetes.io/os: "linux" + volumes: + - name: host-modules + hostPath: + path: /lib/modules + - name: host-run-ovs + hostPath: + path: /run/openvswitch + - name: host-run-ovn + hostPath: + path: /run/ovn + - name: host-sys + hostPath: + path: /sys + - name: host-ns + hostPath: + path: /var/run/netns + - name: cni-conf + hostPath: + path: /etc/cni/net.d + - name: host-config-openvswitch + hostPath: + path: /etc/origin/openvswitch + - name: host-config-ovn + hostPath: + path: /etc/origin/ovn + - name: host-log-ovs + hostPath: + path: /var/log/openvswitch + - name: host-log-ovn + hostPath: + path: /var/log/ovn +{% if kube_ovn_dpdk_enabled %} + - name: host-config-ovs + hostPath: + path: /opt/ovs-config + type: DirectoryOrCreate + - name: hugepage + emptyDir: + medium: HugePages +{% endif %} + - name: localtime + hostPath: + path: /etc/localtime + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls diff --git a/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 deleted file mode 100644 index 453ac6072..000000000 --- a/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 +++ /dev/null @@ -1,674 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovn-ovs - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:ovn-ovs -rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - patch - - apiGroups: - - "" - resources: - - services - - endpoints - verbs: - - get - - apiGroups: - - apps - resources: - - controllerrevisions - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn-ovs -roleRef: - name: system:ovn-ovs - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: ovn-ovs - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovn - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:ovn -rules: - - apiGroups: - - "kubeovn.io" - resources: - - vpcs - - vpcs/status - - vpc-nat-gateways - - vpc-nat-gateways/status - - subnets - - subnets/status - - ippools - - ippools/status - - ips - - vips - - vips/status - - vlans - - vlans/status - - provider-networks - - provider-networks/status - - security-groups - - security-groups/status - - iptables-eips - - iptables-fip-rules - - iptables-dnat-rules - - iptables-snat-rules - - iptables-eips/status - - iptables-fip-rules/status - - iptables-dnat-rules/status - - iptables-snat-rules/status - - ovn-eips - - ovn-fips - - ovn-snat-rules - - ovn-eips/status - - ovn-fips/status - - ovn-snat-rules/status - - ovn-dnat-rules - - ovn-dnat-rules/status - - switch-lb-rules - - switch-lb-rules/status - - vpc-dnses - - vpc-dnses/status - - qos-policies - - qos-policies/status - verbs: - - "*" - - apiGroups: - - "" - resources: - - pods - - namespaces - verbs: - - get - - list - - patch - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - apiGroups: - - "k8s.cni.cncf.io" - resources: - - network-attachment-definitions - verbs: - - get - - apiGroups: - - "" - - networking.k8s.io - resources: - - networkpolicies - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - apiGroups: - - "" - resources: - - services - - services/status - verbs: - - get - - list - - update - - create - - delete - - watch - - apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - update - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - - deployments - - deployments/scale - verbs: - - get - - list - - create - - delete - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - "*" - - apiGroups: - - "kubevirt.io" - resources: - - virtualmachines - - virtualmachineinstances - verbs: - - get - - list - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn -roleRef: - name: system:ovn - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: ovn - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ovn - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: - - kind: ServiceAccount - name: ovn - namespace: kube-system ---- -kind: Service -apiVersion: v1 -metadata: - name: ovn-nb - namespace: kube-system -spec: - ports: - - name: ovn-nb - protocol: TCP - port: 6641 - targetPort: 6641 - type: ClusterIP -{% if enable_dual_stack_networks %} - ipFamilyPolicy: PreferDualStack -{% endif %} - selector: - app: ovn-central - ovn-nb-leader: "true" - sessionAffinity: None ---- -kind: Service -apiVersion: v1 -metadata: - name: ovn-sb - namespace: kube-system -spec: - ports: - - name: ovn-sb - protocol: TCP - port: 6642 - targetPort: 6642 - type: ClusterIP -{% if enable_dual_stack_networks %} - ipFamilyPolicy: PreferDualStack -{% endif %} - selector: - app: ovn-central - ovn-sb-leader: "true" - sessionAffinity: None ---- -kind: Service -apiVersion: v1 -metadata: - name: ovn-northd - namespace: kube-system -spec: - ports: - - name: ovn-northd - protocol: TCP - port: 6643 - targetPort: 6643 - type: ClusterIP -{% if enable_dual_stack_networks %} - ipFamilyPolicy: PreferDualStack -{% endif %} - selector: - app: ovn-central - ovn-northd-leader: "true" - sessionAffinity: None ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - name: ovn-central - namespace: kube-system - annotations: - kubernetes.io/description: | - OVN components: northd, nb and sb. -spec: - replicas: {{ kube_ovn_central_replics }} - strategy: - rollingUpdate: - maxSurge: 0 - maxUnavailable: 1 - type: RollingUpdate - selector: - matchLabels: - app: ovn-central - template: - metadata: - labels: - app: ovn-central - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: ovn-central - topologyKey: kubernetes.io/hostname - priorityClassName: system-cluster-critical - serviceAccountName: ovn-ovs - hostNetwork: true - containers: - - name: ovn-central - image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }} - imagePullPolicy: {{ k8s_image_pull_policy }} - command: ["/kube-ovn/start-db.sh"] - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - SYS_NICE - env: - - name: ENABLE_SSL - value: "{{ kube_ovn_enable_ssl | lower }}" - - name: NODE_IPS - value: "{{ kube_ovn_central_ips }}" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "{{ kube_ovn_bind_local_ip_enabled }}" - - name: PROBE_INTERVAL - value: "180000" - - name: OVN_NORTHD_PROBE_INTERVAL - value: "5000" - - name: OVN_LEADER_PROBE_INTERVAL - value: "5" - resources: - requests: - cpu: {{ kube_ovn_db_cpu_request }} - memory: {{ kube_ovn_db_memory_request }} - limits: - cpu: {{ kube_ovn_db_cpu_limit }} - memory: {{ kube_ovn_db_memory_limit }} - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /sys - name: host-sys - readOnly: true - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - bash - - /kube-ovn/ovn-healthcheck.sh - periodSeconds: 15 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - bash - - /kube-ovn/ovn-healthcheck.sh - initialDelaySeconds: 30 - periodSeconds: 15 - failureThreshold: 5 - timeoutSeconds: 45 - nodeSelector: - kubernetes.io/os: "linux" - kube-ovn/role: "master" - volumes: - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-sys - hostPath: - path: /sys - - name: host-config-openvswitch - hostPath: - path: /etc/origin/openvswitch - - name: host-config-ovn - hostPath: - path: /etc/origin/ovn - - name: host-log-ovs - hostPath: - path: /var/log/openvswitch - - name: host-log-ovn - hostPath: - path: /var/log/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls ---- -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ovs-ovn - namespace: kube-system - annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. -spec: - selector: - matchLabels: - app: ovs - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: ovs - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: ovn-ovs - hostNetwork: true - hostPID: true - containers: - - name: openvswitch - image: {% if kube_ovn_dpdk_enabled %}{{ kube_ovn_dpdk_container_image_repo }}:{{ kube_ovn_dpdk_container_image_tag }}{% else %}{{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}{% endif %} - - imagePullPolicy: {{ k8s_image_pull_policy }} - command: [{% if kube_ovn_dpdk_enabled %}"/kube-ovn/start-ovs-dpdk.sh"{% else %}"/kube-ovn/start-ovs.sh"{% endif %}] - securityContext: - runAsUser: 0 - privileged: false - capabilities: - add: - - NET_ADMIN - - NET_BIND_SERVICE - - SYS_MODULE - - SYS_NICE - env: - - name: ENABLE_SSL - value: "{{ kube_ovn_enable_ssl | lower }}" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace -{% if not kube_ovn_dpdk_enabled %} - - name: HW_OFFLOAD - value: "{{ kube_ovn_hw_offload | string | lower }}" - - name: TUNNEL_TYPE - value: "{{ kube_ovn_tunnel_type }}" -{% endif %} - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: "{{ kube_ovn_central_ips }}" - volumeMounts: - - mountPath: /var/run/netns - name: host-ns - mountPropagation: HostToContainer - - mountPath: /lib/modules - name: host-modules - readOnly: true - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /sys - name: host-sys - readOnly: true - - mountPath: /etc/cni/net.d - name: cni-conf - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn -{% if kube_ovn_dpdk_enabled %} - - mountPath: /opt/ovs-config - name: host-config-ovs - - mountPath: /dev/hugepages - name: hugepage -{% endif %} - - mountPath: /etc/localtime - name: localtime - - mountPath: /var/run/tls - name: kube-ovn-tls - - mountPath: /var/run/containerd - name: cruntime - readOnly: true - readinessProbe: - exec: - command: - - bash -{% if kube_ovn_dpdk_enabled %} - - /kube-ovn/ovs-dpdk-healthcheck.sh -{% else %} - - /kube-ovn/ovs-healthcheck.sh -{% endif %} - periodSeconds: 5 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - bash -{% if kube_ovn_dpdk_enabled %} - - /kube-ovn/ovs-dpdk-healthcheck.sh -{% else %} - - /kube-ovn/ovs-healthcheck.sh -{% endif %} - initialDelaySeconds: 60 - periodSeconds: 5 - failureThreshold: 5 - timeoutSeconds: 45 - resources: -{% if kube_ovn_dpdk_enabled %} - requests: - cpu: {{ kube_ovn_dpdk_node_cpu_request }} - memory: {{ kube_ovn_dpdk_node_memory_request }} - limits: - cpu: {{ kube_ovn_dpdk_node_cpu_limit }} - memory: {{ kube_ovn_dpdk_node_memory_limit }} - hugepages-1Gi: 1Gi -{% else %} - requests: - cpu: {{ kube_ovn_node_cpu_request }} - memory: {{ kube_ovn_node_memory_request }} - limits: - cpu: {{ kube_ovn_node_cpu_limit }} - memory: {{ kube_ovn_node_memory_limit }} -{% endif %} - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: host-modules - hostPath: - path: /lib/modules - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-sys - hostPath: - path: /sys - - name: host-ns - hostPath: - path: /var/run/netns - - name: cni-conf - hostPath: - path: /etc/cni/net.d - - name: host-config-openvswitch - hostPath: - path: /etc/origin/openvswitch - - name: host-config-ovn - hostPath: - path: /etc/origin/ovn - - name: host-log-ovs - hostPath: - path: /var/log/openvswitch - - name: host-log-ovn - hostPath: - path: /var/log/ovn -{% if kube_ovn_dpdk_enabled %} - - name: host-config-ovs - hostPath: - path: /opt/ovs-config - type: DirectoryOrCreate - - name: hugepage - emptyDir: - medium: HugePages -{% endif %} - - name: localtime - hostPath: - path: /etc/localtime - - name: cruntime - hostPath: - path: /var/run/containerd - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls diff --git a/roles/network_plugin/kube-ovn/templates/ovn-CR.yml.j2 b/roles/network_plugin/kube-ovn/templates/ovn-CR.yml.j2 new file mode 100644 index 000000000..9086b42cd --- /dev/null +++ b/roles/network_plugin/kube-ovn/templates/ovn-CR.yml.j2 @@ -0,0 +1,299 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + name: system:ovn +rules: + - apiGroups: + - "kubeovn.io" + resources: + - vpcs + - vpcs/status + - vpc-nat-gateways + - vpc-nat-gateways/status + - subnets + - subnets/status + - ippools + - ippools/status + - ips + - vips + - vips/status + - vlans + - vlans/status + - provider-networks + - provider-networks/status + - security-groups + - security-groups/status + - iptables-eips + - iptables-fip-rules + - iptables-dnat-rules + - iptables-snat-rules + - iptables-eips/status + - iptables-fip-rules/status + - iptables-dnat-rules/status + - iptables-snat-rules/status + - ovn-eips + - ovn-fips + - ovn-snat-rules + - ovn-eips/status + - ovn-fips/status + - ovn-snat-rules/status + - ovn-dnat-rules + - ovn-dnat-rules/status + - switch-lb-rules + - switch-lb-rules/status + - vpc-dnses + - vpc-dnses/status + - qos-policies + - qos-policies/status + verbs: + - "*" + - apiGroups: + - "" + resources: + - pods + - namespaces + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - apiGroups: + - "k8s.cni.cncf.io" + resources: + - network-attachment-definitions + verbs: + - get + - apiGroups: + - "" + - networking.k8s.io + resources: + - networkpolicies + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - apiGroups: + - "" + resources: + - services + - services/status + verbs: + - get + - list + - update + - create + - delete + - watch + - apiGroups: + - "" + resources: + - endpoints + verbs: + - create + - update + - get + - list + - watch + - apiGroups: + - apps + resources: + - statefulsets + - deployments + - deployments/scale + verbs: + - get + - list + - create + - delete + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - "*" + - apiGroups: + - "kubevirt.io" + resources: + - virtualmachines + - virtualmachineinstances + verbs: + - get + - list + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + name: system:ovn-ovs +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - patch + - apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - apiGroups: + - apps + resources: + - controllerrevisions + verbs: + - get + - list + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + name: system:kube-ovn-cni +rules: + - apiGroups: + - "kubeovn.io" + resources: + - subnets + - vlans + - provider-networks + verbs: + - get + - list + - watch + - apiGroups: + - "" + - "kubeovn.io" + resources: + - ovn-eips + - ovn-eips/status + - nodes + - pods + - vlans + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "kubeovn.io" + resources: + - ips + verbs: + - get + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.k8s.io/system-only: "true" + name: system:kube-ovn-app +rules: + - apiGroups: + - "" + resources: + - pods + - nodes + verbs: + - get + - list + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/roles/network_plugin/kube-ovn/templates/ovn-CRB.yml.j2 b/roles/network_plugin/kube-ovn/templates/ovn-CRB.yml.j2 new file mode 100644 index 000000000..87ca13d56 --- /dev/null +++ b/roles/network_plugin/kube-ovn/templates/ovn-CRB.yml.j2 @@ -0,0 +1,94 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ovn +roleRef: + name: system:ovn + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: ovn + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ovn + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: ovn + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ovn-ovs +roleRef: + name: system:ovn-ovs + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: ovn-ovs + namespace: kube-system + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-ovn-cni +roleRef: + name: system:kube-ovn-cni + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: kube-ovn-cni + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kube-ovn-cni + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: kube-ovn-cni + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-ovn-app +roleRef: + name: system:kube-ovn-app + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: kube-ovn-app + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kube-ovn-app + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: kube-ovn-app + namespace: kube-system diff --git a/roles/network_plugin/kube-ovn/templates/ovn-SA.yml.j2 b/roles/network_plugin/kube-ovn/templates/ovn-SA.yml.j2 new file mode 100644 index 000000000..7a691c802 --- /dev/null +++ b/roles/network_plugin/kube-ovn/templates/ovn-SA.yml.j2 @@ -0,0 +1,24 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ovn-ovs + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ovn + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-ovn-cni + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-ovn-app + namespace: kube-system diff --git a/roles/reset/tasks/main.yml b/roles/reset/tasks/main.yml index b68a1777b..d20d2d736 100644 --- a/roles/reset/tasks/main.yml +++ b/roles/reset/tasks/main.yml @@ -43,7 +43,7 @@ tags: - docker -- name: Reset | systemctl daemon-reload # noqa no-handler +- name: Reset | systemctl daemon-reload # noqa no-handler systemd_service: daemon_reload: true when: services_removed.changed @@ -71,7 +71,7 @@ - crictl.stat.exists - container_manager in ["crio", "containerd"] - ansible_facts.services['containerd.service'] is defined or ansible_facts.services['cri-o.service'] is defined - ignore_errors: true # noqa ignore-errors + ignore_errors: true # noqa ignore-errors - name: Reset | force remove all cri containers command: "{{ bin_dir }}/crictl rm -a -f" @@ -87,7 +87,7 @@ - container_manager in ["crio", "containerd"] - deploy_container_engine - ansible_facts.services['containerd.service'] is defined or ansible_facts.services['cri-o.service'] is defined - ignore_errors: true # noqa ignore-errors + ignore_errors: true # noqa ignore-errors - name: Reset | stop and disable crio service service: @@ -95,13 +95,13 @@ state: stopped enabled: false failed_when: false - tags: [ crio ] + tags: [crio] when: container_manager == "crio" - name: Reset | forcefully wipe CRI-O's container and image storage command: "crio wipe -f" failed_when: false - tags: [ crio ] + tags: [crio] when: container_manager == "crio" - name: Reset | stop all cri pods @@ -112,12 +112,12 @@ retries: 5 until: remove_all_cri_containers.rc == 0 delay: 5 - tags: [ containerd ] + tags: [containerd] when: - crictl.stat.exists - container_manager == "containerd" - ansible_facts.services['containerd.service'] is defined or ansible_facts.services['cri-o.service'] is defined - ignore_errors: true # noqa ignore-errors + ignore_errors: true # noqa ignore-errors - name: Reset | force remove all cri pods block: @@ -127,7 +127,7 @@ retries: 5 until: remove_all_cri_containers.rc == 0 delay: 5 - tags: [ containerd ] + tags: [containerd] when: - crictl.stat.exists - container_manager == "containerd" @@ -136,7 +136,7 @@ rescue: - name: Reset | force remove all cri pods (rescue) shell: "ip netns list | cut -d' ' -f 1 | xargs -n1 ip netns delete && {{ bin_dir }}/crictl rmp -a -f" - ignore_errors: true # noqa ignore-errors + ignore_errors: true # noqa ignore-errors changed_when: true - name: Reset | remove containerd @@ -209,7 +209,7 @@ - name: Clear IPVS virtual server table command: "ipvsadm -C" - ignore_errors: true # noqa ignore-errors + ignore_errors: true # noqa ignore-errors when: - kube_proxy_mode == 'ipvs' and 'k8s_cluster' in group_names @@ -358,7 +358,7 @@ - /etc/origin/ovn - "{{ sysctl_file_path }}" - /etc/crictl.yaml - ignore_errors: true # noqa ignore-errors + ignore_errors: true # noqa ignore-errors tags: - files @@ -377,7 +377,7 @@ - ctd-decoder - ctr - runc - ignore_errors: true # noqa ignore-errors + ignore_errors: true # noqa ignore-errors when: container_manager == 'containerd' tags: - files