kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update kube-ovn to use 1.12 

Signed-off-by: bobz965 <zhangbingbing2_yewu@cmss.chinamobile.com>
pull/11728/head
bobz965 2024-11-19 15:25:12 +08:00
parent b8541962f3
commit 72716243b9
11 changed files with 1033 additions and 945 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -167,7 +167,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [calico](https://github.com/projectcalico/calico) v3.28.1 - [calico](https://github.com/projectcalico/calico) v3.28.1
- [cilium](https://github.com/cilium/cilium) v1.15.9 - [cilium](https://github.com/cilium/cilium) v1.15.9
- [flannel](https://github.com/flannel-io/flannel) v0.22.0 - [flannel](https://github.com/flannel-io/flannel) v0.22.0
- [kube-ovn](https://github.com/alauda/kube-ovn) v1.12.21 - [kube-ovn](https://github.com/alauda/kube-ovn) v1.12.28
- [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0 - [kube-router](https://github.com/cloudnativelabs/kube-router) v2.0.0
- [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8 - [multus](https://github.com/k8snetworkplumbingwg/multus-cni) v3.8
- [weave](https://github.com/rajch/weave) v2.8.7 - [weave](https://github.com/rajch/weave) v2.8.7

2
roles/kubespray-defaults/defaults/main/download.yml
View File

@ -118,7 +118,7 @@ cilium_version: "v1.15.9"
cilium_cli_version: "v0.16.0" cilium_cli_version: "v0.16.0"
cilium_enable_hubble: false cilium_enable_hubble: false
kube_ovn_version: "v1.12.21" kube_ovn_version: "v1.12.28"
kube_ovn_dpdk_version: "19.11-{{ kube_ovn_version }}" kube_ovn_dpdk_version: "19.11-{{ kube_ovn_version }}"
kube_router_version: "v2.0.0" kube_router_version: "v2.0.0"
multus_version: "v4.1.0" multus_version: "v4.1.0"

87
roles/network_plugin/kube-ovn/defaults/main.yml
View File

@ -1,4 +1,13 @@
--- ---
# image repo and tag
kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"
kube_ovn_container_image_tag: "{{ kube_ovn_version }}"
kube_ovn_vpc_container_image_repo: "{{ docker_image_repo }}/kubeovn/vpc-nat-gateway"
kube_ovn_vpc_container_image_tag: "{{ kube_ovn_version }}"
kube_ovn_dpdk_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn-dpdk"
kube_ovn_dpdk_container_image_tag: "{{ kube_ovn_dpdk_version }}"
# request and limit
kube_ovn_db_cpu_request: 500m kube_ovn_db_cpu_request: 500m
kube_ovn_db_memory_request: 200Mi kube_ovn_db_memory_request: 200Mi
kube_ovn_db_cpu_limit: 3000m kube_ovn_db_cpu_limit: 3000m
@ -37,10 +46,16 @@ kube_ovn_central_ips: |-
{%- endfor %} {%- endfor %}
kube_ovn_ic_enable: false kube_ovn_ic_enable: false
kube_ovn_ic_autoroute: true kube_ovn_ic_auto_route: true
kube_ovn_ic_dbhost: "127.0.0.1" kube_ovn_ic_db_host: "127.0.0.1"
kube_ovn_ic_zone: "kubernetes" kube_ovn_ic_zone: "kubernetes"
# kube-ovn default subnet
kube_ovn_default_subnet: "ovn-default"
kube_ovn_default_vpc: "ovn-cluster"
kube_ovn_node_subnet: "join"
kube_ovn_mirror_iface: "mirror0"
# geneve or vlan # geneve or vlan
kube_ovn_network_type: geneve kube_ovn_network_type: geneve
@ -58,7 +73,9 @@ kube_ovn_hw_offload: false
kube_ovn_traffic_mirror: false kube_ovn_traffic_mirror: false
# kube_ovn_pool_cidr_ipv6: fd85:ee78:d8a6:8607::1:0000/112 # kube_ovn_pool_cidr_ipv6: fd85:ee78:d8a6:8607::1:0000/112
# kube_ovn_default_interface_name: eth0
# kube_ovn_default_provider_name: provider
# kube_ovn_default_vlan_interface_name: eth0
kube_ovn_external_address: 8.8.8.8 kube_ovn_external_address: 8.8.8.8
kube_ovn_external_address_ipv6: 2400:3200::1 kube_ovn_external_address_ipv6: 2400:3200::1
@ -77,6 +94,7 @@ kube_ovn_node_switch_cidr_ipv6: fd00:100:64::/64
## vlan config, set default interface name and vlan id ## vlan config, set default interface name and vlan id
# kube_ovn_default_interface_name: eth0 # kube_ovn_default_interface_name: eth0
kube_ovn_default_vlan_name: vlan100
kube_ovn_default_vlan_id: 100 kube_ovn_default_vlan_id: 100
kube_ovn_vlan_name: product kube_ovn_vlan_name: product
@ -105,14 +123,71 @@ kube_ovn_dpdk_tunnel_iface: br-phy
## bind local ip ## bind local ip
kube_ovn_bind_local_ip_enabled: true kube_ovn_bind_local_ip_enabled: true
## eip snat ## enable compact
kube_ovn_eip_snat_enabled: true kube_ovn_enable_compact: false
## ovn northd n threads
kube_ovn_northd_n_threads: 1
## ovn leader probe interval
kube_ovn_leader_probe_interval: 5
## ovn probe interval
kube_ovn_probe_interval: 180000
# ovn northd probe interval
kube_ovn_northd_probe_interval: 5000
# ovn remote probe interval
kube_ovn_remote_probe_interval: 10000
# ovn remote openflow interval
kube_ovn_remote_openflow_interval: 180
## eip snat need configmap "ovn-vpc-nat-config" set by user first
kube_ovn_eip_snat_enabled: false
# ls dnat mod dl dst # ls dnat mod dl dst
kube_ovn_ls_dnat_mod_dl_dst: true kube_ovn_ls_dnat_mod_dl_dst: true
# ls ct skip dst lport ips
kube_ovn_ls_ct_skip_dst_lport_ips: true
# enable ecmp
kube_ovn_enable_ecmp: false
# enable metrics
kube_ovn_enable_metrics: true
# enable tproxy
kube_ovn_enable_tproxy: false
# ovs vsctl concurrency
kube_ovn_ovs_vsctl_concurrency: 100
# enable sercure service
kube_ovn_enable_secure_serving: false
# ovn exchange link name with ovs bridge name
kube_ovn_exchange_link_name: false
## keep vm ip ## keep vm ip
kube_ovn_keep_vm_ip: true kube_ovn_keep_vm_ip: true
## cni config priority, default: 01 ## cni config priority, default: 01
kube_ovn_cni_config_priority: '01' kube_ovn_cni_config_priority: "01"
# nodelocaldns_ip
nodelocaldns_ip: 169.254.25.10
# ovs db connection timeout
kube_ovn_ovsdb_connection_timeout: 3
# ovs db inactivity probe timeout
kube_ovn_ovsdb_inactivity_probe: 10
# kube ovn gc interval
kube_ovn_gc_interval: 360
# kube ovn inspect interval
kube_ovn_inspect_interval: 20

8
roles/network_plugin/kube-ovn/tasks/main.yml
View File

@ -11,7 +11,9 @@
dest: "{{ kube_config_dir }}/{{ item.file }}" dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: "0644" mode: "0644"
with_items: with_items:
- {name: kube-ovn-crd, file: cni-kube-ovn-crd.yml} - { name: kube-ovn-crd, file: cni-kube-ovn-crd.yml }
- {name: ovn, file: cni-ovn.yml} - { name: kube-ovn, file: cni-kube-ovn.yml }
- {name: kube-ovn, file: cni-kube-ovn.yml} - { name: ovn-sa, file: ovn-SA.yml }
- { name: ovn-cr, file: ovn-CR.yml }
- { name: ovn-crb, file: ovn-CRB.yml }
register: kube_ovn_node_manifests register: kube_ovn_node_manifests

120
roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2
View File

@ -1454,64 +1454,64 @@ spec:
name: Ready name: Ready
type: boolean type: boolean
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
properties: properties:
status: status:
type: object type: object
properties: properties:
ready: ready:
type: boolean type: boolean
v4Eip: v4Eip:
type: string type: string
v4Ip: v4Ip:
type: string type: string
vpc: vpc:
type: string type: string
externalPort: externalPort:
type: string type: string
internalPort: internalPort:
type: string type: string
protocol: protocol:
type: string type: string
ipName: ipName:
type: string type: string
conditions: conditions:
type: array type: array
items: items:
type: object type: object
properties: properties:
type: type:
type: string type: string
status: status:
type: string type: string
reason: reason:
type: string type: string
message: message:
type: string type: string
lastUpdateTime: lastUpdateTime:
type: string type: string
lastTransitionTime: lastTransitionTime:
type: string type: string
spec: spec:
type: object type: object
properties: properties:
ovnEip: ovnEip:
type: string type: string
ipType: ipType:
type: string type: string
ipName: ipName:
type: string type: string
externalPort: externalPort:
type: string type: string
internalPort: internalPort:
type: string type: string
protocol: protocol:
type: string type: string
vpc: vpc:
type: string type: string
v4Ip: v4Ip:
type: string type: string
--- ---
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
@ -1823,12 +1823,12 @@ spec:
spec: spec:
type: object type: object
properties: properties:
type:
type: string
namespace: namespace:
type: string type: string
subnet: subnet:
type: string type: string
type:
type: string
attachSubnets: attachSubnets:
type: array type: array
items: items:

644
roles/network_plugin/kube-ovn/templates/cni-kube-ovn.yml.j2
View File

@ -18,173 +18,6 @@ metadata:
data: data:
enable-vpc-nat-gw: "true" enable-vpc-nat-gw: "true"
--- ---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:kube-ovn-cni
rules:
- apiGroups:
- "kubeovn.io"
resources:
- subnets
- vlans
- provider-networks
verbs:
- get
- list
- watch
- apiGroups:
- ""
- "kubeovn.io"
resources:
- ovn-eips
- ovn-eips/status
- nodes
- pods
- vlans
verbs:
- get
- list
- patch
- watch
- apiGroups:
- "kubeovn.io"
resources:
- ips
verbs:
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-ovn-cni
roleRef:
name: system:kube-ovn-cni
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-ovn-cni
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-ovn-app
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:kube-ovn-app
rules:
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-ovn-app
roleRef:
name: system:kube-ovn-app
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: kube-ovn-app
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-ovn-app
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kube-ovn-app
namespace: kube-system
---
kind: Deployment kind: Deployment
apiVersion: apps/v1 apiVersion: apps/v1
metadata: metadata:
@ -240,6 +73,9 @@ spec:
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
args: args:
- /kube-ovn/start-controller.sh - /kube-ovn/start-controller.sh
- --default-ls={{ kube_ovn_default_subnet }}
- --cluster-router={{ kube_ovn_default_vpc }}
- --node-switch={{ kube_ovn_node_subnet }}
- --default-cidr={{ kube_pods_subnet }}{% if enable_dual_stack_networks %},{{ kube_ovn_pool_cidr_ipv6 | default(kube_pods_subnet_ipv6) }}{% endif %}{{ '' }} - --default-cidr={{ kube_pods_subnet }}{% if enable_dual_stack_networks %},{{ kube_ovn_pool_cidr_ipv6 | default(kube_pods_subnet_ipv6) }}{% endif %}{{ '' }}
- --default-gateway={% if kube_ovn_default_gateway is defined %}{{ kube_ovn_default_gateway }}{% endif %}{{ '' }} - --default-gateway={% if kube_ovn_default_gateway is defined %}{{ kube_ovn_default_gateway }}{% endif %}{{ '' }}
- --default-gateway-check={{ kube_ovn_default_gateway_check | string }} - --default-gateway-check={{ kube_ovn_default_gateway_check | string }}
@ -249,28 +85,32 @@ spec:
- --node-switch-cidr={{ kube_ovn_node_switch_cidr }}{% if enable_dual_stack_networks %},{{ kube_ovn_node_switch_cidr_ipv6 }}{% endif %}{{ '' }} - --node-switch-cidr={{ kube_ovn_node_switch_cidr }}{% if enable_dual_stack_networks %},{{ kube_ovn_node_switch_cidr_ipv6 }}{% endif %}{{ '' }}
- --service-cluster-ip-range={{ kube_service_addresses }}{% if enable_dual_stack_networks %},{{ kube_service_addresses_ipv6 }}{% endif %}{{ '' }} - --service-cluster-ip-range={{ kube_service_addresses }}{% if enable_dual_stack_networks %},{{ kube_service_addresses_ipv6 }}{% endif %}{{ '' }}
- --network-type={{ kube_ovn_network_type }} - --network-type={{ kube_ovn_network_type }}
- --default-interface-name={{ kube_ovn_default_interface_name | default('') }} - --default-provider-name={{ kube_ovn_default_provider_name | default('')}}
- --default-vlan-id={{ kube_ovn_default_vlan_id }} - --default-interface-name={{ kube_ovn_default_vlan_interface_name | default('') }}
- --default-vlan-id={{ kube_ovn_default_vlan_id | default('') }}
- --default-vlan-name={{ kube_ovn_default_vlan_name | default('') }}
- --ls-dnat-mod-dl-dst={{ kube_ovn_ls_dnat_mod_dl_dst }} - --ls-dnat-mod-dl-dst={{ kube_ovn_ls_dnat_mod_dl_dst }}
- --default-exchange-link-name={{ kube_ovn_exchange_link_name }}
- --ls-ct-skip-dst-lport-ips={{ kube_ovn_ls_ct_skip_dst_lport_ips }}
- --pod-nic-type={{ kube_ovn_pod_nic_type }} - --pod-nic-type={{ kube_ovn_pod_nic_type }}
- --enable-lb={{ kube_ovn_enable_lb | string }} - --enable-lb={{ kube_ovn_enable_lb | string }}
- --enable-np={{ kube_ovn_enable_np | string }} - --enable-np={{ kube_ovn_enable_np | string }}
- --enable-eip-snat={{ kube_ovn_eip_snat_enabled }} - --enable-eip-snat={{ kube_ovn_eip_snat_enabled }}
- --enable-external-vpc={{ kube_ovn_enable_external_vpc | string }} - --enable-external-vpc={{ kube_ovn_enable_external_vpc | string }}
- --enable-ecmp={{ kube_ovn_enable_ecmp }}
- --logtostderr=false - --logtostderr=false
- --alsologtostderr=true - --alsologtostderr=true
- --gc-interval=360 - --gc-interval={{ kube_ovn_gc_interval }}
- --inspect-interval=20 - --inspect-interval={{ kube_ovn_inspect_interval }}
- --log_file=/var/log/kube-ovn/kube-ovn-controller.log - --log_file=/var/log/kube-ovn/kube-ovn-controller.log
- --log_file_max_size=0 - --log_file_max_size=0
- --enable-lb-svc=false - --enable-lb-svc=false
- --keep-vm-ip={{ kube_ovn_keep_vm_ip }} - --keep-vm-ip={{ kube_ovn_keep_vm_ip }}
securityContext: - --enable-metrics={{ kube_ovn_enable_metrics }}
runAsUser: 0 - --node-local-dns-ip={{ nodelocaldns_ip }}
privileged: false - --secure-serving={{ kube_ovn_enable_secure_serving }}
capabilities: - --ovsdb-con-timeout={{ kube_ovn_ovsdb_connection_timeout }}
add: - --ovsdb-inactivity-timeout={{ kube_ovn_ovsdb_inactivity_probe }}
- NET_BIND_SERVICE
env: env:
- name: ENABLE_SSL - name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
@ -312,7 +152,7 @@ spec:
command: command:
- /kube-ovn/kube-ovn-healthcheck - /kube-ovn/kube-ovn-healthcheck
- --port=10660 - --port=10660
- --tls=false - --tls={{ kube_ovn_enable_secure_serving | lower }}
periodSeconds: 3 periodSeconds: 3
timeoutSeconds: 45 timeoutSeconds: 45
livenessProbe: livenessProbe:
@ -320,7 +160,7 @@ spec:
command: command:
- /kube-ovn/kube-ovn-healthcheck - /kube-ovn/kube-ovn-healthcheck
- --port=10660 - --port=10660
- --tls=false - --tls={{ kube_ovn_enable_secure_serving | lower }}
initialDelaySeconds: 300 initialDelaySeconds: 300
periodSeconds: 7 periodSeconds: 7
failureThreshold: 5 failureThreshold: 5
@ -403,6 +243,8 @@ spec:
args: args:
- --enable-mirror={{ kube_ovn_traffic_mirror | lower }} - --enable-mirror={{ kube_ovn_traffic_mirror | lower }}
- --encap-checksum={{ kube_ovn_encap_checksum | lower }} - --encap-checksum={{ kube_ovn_encap_checksum | lower }}
- --mirror-iface={{ kube_ovn_mirror_iface }}
- --node-switch={{ kube_ovn_node_subnet }}
- --service-cluster-ip-range={{ kube_service_addresses }}{% if enable_dual_stack_networks %},{{ kube_service_addresses_ipv6 }}{% endif %}{{ '' }} - --service-cluster-ip-range={{ kube_service_addresses }}{% if enable_dual_stack_networks %},{{ kube_service_addresses_ipv6 }}{% endif %}{{ '' }}
- --iface={{ kube_ovn_iface | default('') }} - --iface={{ kube_ovn_iface | default('') }}
- --dpdk-tunnel-iface={{ kube_ovn_dpdk_tunnel_iface }} - --dpdk-tunnel-iface={{ kube_ovn_dpdk_tunnel_iface }}
@ -416,6 +258,10 @@ spec:
- --alsologtostderr=true - --alsologtostderr=true
- --log_file=/var/log/kube-ovn/kube-ovn-cni.log - --log_file=/var/log/kube-ovn/kube-ovn-cni.log
- --log_file_max_size=0 - --log_file_max_size=0
- --enable-metrics={{ kube_ovn_enable_metrics }}
- --enable-tproxy={{ kube_ovn_enable_tproxy }}
- --ovs-vsctl-concurrency={{ kube_ovn_ovs_vsctl_concurrency }}
- --secure-serving={{ kube_ovn_enable_secure_serving }}
securityContext: securityContext:
runAsUser: 0 runAsUser: 0
privileged: false privileged: false
@ -436,6 +282,14 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: spec.nodeName fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MODULES - name: MODULES
value: kube_ovn_fastpath.ko value: kube_ovn_fastpath.ko
- name: RPMS - name: RPMS
@ -490,7 +344,7 @@ spec:
command: command:
- /kube-ovn/kube-ovn-healthcheck - /kube-ovn/kube-ovn-healthcheck
- --port=10665 - --port=10665
- --tls=false - --tls={{ kube_ovn_enable_secure_serving | lower}}
timeoutSeconds: 5 timeoutSeconds: 5
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@ -500,7 +354,7 @@ spec:
command: command:
- /kube-ovn/kube-ovn-healthcheck - /kube-ovn/kube-ovn-healthcheck
- --port=10665 - --port=10665
- --tls=false - --tls={{ kube_ovn_enable_secure_serving | lower}}
timeoutSeconds: 5 timeoutSeconds: 5
resources: resources:
requests: requests:
@ -580,7 +434,7 @@ spec:
type: infra type: infra
spec: spec:
priorityClassName: system-node-critical priorityClassName: system-node-critical
serviceAccountName: ovn serviceAccountName: kube-ovn-app
hostPID: true hostPID: true
containers: containers:
- name: pinger - name: pinger
@ -618,10 +472,18 @@ spec:
fieldRef: fieldRef:
fieldPath: spec.nodeName fieldPath: spec.nodeName
volumeMounts: volumeMounts:
- mountPath: /lib/modules
name: host-modules
readOnly: true
- mountPath: /run/openvswitch
name: host-run-ovs
- mountPath: /var/run/openvswitch - mountPath: /var/run/openvswitch
name: host-run-ovs name: host-run-ovs
- mountPath: /var/run/ovn - mountPath: /var/run/ovn
name: host-run-ovn name: host-run-ovn
- mountPath: /sys
name: host-sys
readOnly: true
- mountPath: /etc/openvswitch - mountPath: /etc/openvswitch
name: host-config-openvswitch name: host-config-openvswitch
- mountPath: /var/log/openvswitch - mountPath: /var/log/openvswitch
@ -629,7 +491,6 @@ spec:
readOnly: true readOnly: true
- mountPath: /var/log/ovn - mountPath: /var/log/ovn
name: host-log-ovn name: host-log-ovn
readOnly: true
- mountPath: /var/log/kube-ovn - mountPath: /var/log/kube-ovn
name: kube-ovn-log name: kube-ovn-log
- mountPath: /etc/localtime - mountPath: /etc/localtime
@ -647,12 +508,18 @@ spec:
nodeSelector: nodeSelector:
kubernetes.io/os: "linux" kubernetes.io/os: "linux"
volumes: volumes:
- name: host-modules
hostPath:
path: /lib/modules
- name: host-run-ovs - name: host-run-ovs
hostPath: hostPath:
path: /run/openvswitch path: /run/openvswitch
- name: host-run-ovn - name: host-run-ovn
hostPath: hostPath:
path: /run/ovn path: /run/ovn
- name: host-sys
hostPath:
path: /sys
- name: host-config-openvswitch - name: host-config-openvswitch
hostPath: hostPath:
path: /etc/origin/openvswitch path: /etc/origin/openvswitch
@ -711,7 +578,7 @@ spec:
app: kube-ovn-monitor app: kube-ovn-monitor
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: ovn serviceAccountName: kube-ovn-app
hostNetwork: true hostNetwork: true
containers: containers:
- name: kube-ovn-monitor - name: kube-ovn-monitor
@ -760,6 +627,8 @@ spec:
name: host-config-openvswitch name: host-config-openvswitch
- mountPath: /etc/ovn - mountPath: /etc/ovn
name: host-config-ovn name: host-config-ovn
- mountPath: /var/log/openvswitch
name: host-log-ovs
- mountPath: /var/log/ovn - mountPath: /var/log/ovn
name: host-log-ovn name: host-log-ovn
readOnly: true readOnly: true
@ -779,7 +648,7 @@ spec:
command: command:
- /kube-ovn/kube-ovn-healthcheck - /kube-ovn/kube-ovn-healthcheck
- --port=10661 - --port=10661
- --tls=false - --tls={{ kube_ovn_enable_secure_serving | lower}}
timeoutSeconds: 5 timeoutSeconds: 5
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@ -790,7 +659,7 @@ spec:
command: command:
- /kube-ovn/kube-ovn-healthcheck - /kube-ovn/kube-ovn-healthcheck
- --port=10661 - --port=10661
- --tls=false - --tls={{ kube_ovn_enable_secure_serving | lower}}
timeoutSeconds: 5 timeoutSeconds: 5
nodeSelector: nodeSelector:
kubernetes.io/os: "linux" kubernetes.io/os: "linux"
@ -904,9 +773,408 @@ metadata:
data: data:
enable-ic: "{{ kube_ovn_ic_enable | lower }}" enable-ic: "{{ kube_ovn_ic_enable | lower }}"
az-name: "{{ kube_ovn_ic_zone }}" az-name: "{{ kube_ovn_ic_zone }}"
ic-db-host: "{{ kube_ovn_ic_dbhost }}" ic-db-host: "{{ kube_ovn_ic_db_host }}"
ic-nb-port: "6645" ic-nb-port: "6645"
ic-sb-port: "6646" ic-sb-port: "6646"
gw-nodes: "{{ kube_ovn_central_hosts | join(',') }}" gw-nodes: "{{ kube_ovn_central_hosts | join(',') }}"
auto-route: "{{ kube_ovn_ic_autoroute | lower }}" auto-route: "{{ kube_ovn_ic_auto_route | lower }}"
{% endif %} {% endif %}
---
kind: Service
apiVersion: v1
metadata:
name: ovn-nb
namespace: kube-system
spec:
ports:
- name: ovn-nb
protocol: TCP
port: 6641
targetPort: 6641
type: ClusterIP
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector:
app: ovn-central
ovn-nb-leader: "true"
sessionAffinity: None
---
kind: Service
apiVersion: v1
metadata:
name: ovn-sb
namespace: kube-system
spec:
ports:
- name: ovn-sb
protocol: TCP
port: 6642
targetPort: 6642
type: ClusterIP
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector:
app: ovn-central
ovn-sb-leader: "true"
sessionAffinity: None
---
kind: Service
apiVersion: v1
metadata:
name: ovn-northd
namespace: kube-system
spec:
ports:
- name: ovn-northd
protocol: TCP
port: 6643
targetPort: 6643
type: ClusterIP
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector:
app: ovn-central
ovn-northd-leader: "true"
sessionAffinity: None
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: ovn-central
namespace: kube-system
annotations:
kubernetes.io/description: |
OVN components: northd, nb and sb.
spec:
replicas: {{ kube_ovn_central_replics }}
strategy:
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
type: RollingUpdate
selector:
matchLabels:
app: ovn-central
template:
metadata:
labels:
app: ovn-central
component: network
type: infra
spec:
tolerations:
- operator: Exists
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: ovn-central
topologyKey: kubernetes.io/hostname
priorityClassName: system-cluster-critical
serviceAccountName: ovn-ovs
hostNetwork: true
containers:
- name: ovn-central
image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
command: ["/kube-ovn/start-db.sh"]
securityContext:
capabilities:
add: ["SYS_NICE"]
env:
- name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}"
- name: NODE_IPS
value: "{{ kube_ovn_central_ips }}"
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IPS
valueFrom:
fieldRef:
fieldPath: status.podIPs
- name: PROBE_INTERVAL
value: "{{ kube_ovn_probe_interval }}"
- name: OVN_NORTHD_PROBE_INTERVAL
value: "{{ kube_ovn_northd_probe_interval }}"
- name: OVN_LEADER_PROBE_INTERVAL
value: "{{ kube_ovn_leader_probe_interval }}"
- name: OVN_NORTHD_N_THREADS
value: "{{ kube_ovn_northd_n_threads }}"
- name: ENABLE_COMPACT
value: "{{ kube_ovn_enable_compact }}"
- name: ENABLE_BIND_LOCAL_IP
value: "{{ kube_ovn_bind_local_ip_enabled }}"
resources:
requests:
cpu: {{ kube_ovn_db_cpu_request }}
memory: {{ kube_ovn_db_memory_request }}
limits:
cpu: {{ kube_ovn_db_cpu_limit }}
memory: {{ kube_ovn_db_memory_limit }}
volumeMounts:
- mountPath: /var/run/openvswitch
name: host-run-ovs
- mountPath: /var/run/ovn
name: host-run-ovn
- mountPath: /sys
name: host-sys
readOnly: true
- mountPath: /etc/openvswitch
name: host-config-openvswitch
- mountPath: /etc/ovn
name: host-config-ovn
- mountPath: /var/log/openvswitch
name: host-log-ovs
- mountPath: /var/log/ovn
name: host-log-ovn
- mountPath: /etc/localtime
name: localtime
- mountPath: /var/run/tls
name: kube-ovn-tls
readinessProbe:
exec:
command:
- bash
- /kube-ovn/ovn-healthcheck.sh
periodSeconds: 15
timeoutSeconds: 45
livenessProbe:
exec:
command:
- bash
- /kube-ovn/ovn-healthcheck.sh
initialDelaySeconds: 30
periodSeconds: 15
failureThreshold: 5
timeoutSeconds: 45
nodeSelector:
kubernetes.io/os: "linux"
kube-ovn/role: "master"
volumes:
- name: host-run-ovs
hostPath:
path: /run/openvswitch
- name: host-run-ovn
hostPath:
path: /run/ovn
- name: host-sys
hostPath:
path: /sys
- name: host-config-openvswitch
hostPath:
path: /etc/origin/openvswitch
- name: host-config-ovn
hostPath:
path: /etc/origin/ovn
- name: host-log-ovs
hostPath:
path: /var/log/openvswitch
- name: host-log-ovn
hostPath:
path: /var/log/ovn
- name: localtime
hostPath:
path: /etc/localtime
- name: kube-ovn-tls
secret:
optional: true
secretName: kube-ovn-tls
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: ovs-ovn
namespace: kube-system
annotations:
kubernetes.io/description: |
This daemon set launches the openvswitch daemon.
spec:
selector:
matchLabels:
app: ovs
updateStrategy:
type: OnDelete
template:
metadata:
labels:
app: ovs
component: network
type: infra
spec:
tolerations:
- operator: Exists
priorityClassName: system-node-critical
serviceAccountName: ovn-ovs
hostNetwork: true
hostPID: true
containers:
- name: openvswitch
image: {% if kube_ovn_dpdk_enabled %}{{ kube_ovn_dpdk_container_image_repo }}:{{ kube_ovn_dpdk_container_image_tag }}{% else %}{{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}{% endif %}
imagePullPolicy: {{ k8s_image_pull_policy }}
command: [{% if kube_ovn_dpdk_enabled %}"/kube-ovn/start-ovs-dpdk.sh"{% else %}"/kube-ovn/start-ovs.sh"{% endif %}]
securityContext:
runAsUser: 0
privileged: true
env:
- name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}"
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{% if not kube_ovn_dpdk_enabled %}
- name: HW_OFFLOAD
value: "{{ kube_ovn_hw_offload | string | lower }}"
- name: TUNNEL_TYPE
value: "{{ kube_ovn_tunnel_type }}"
{% endif %}
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: OVN_DB_IPS
value: "{{ kube_ovn_central_ips }}"
- name: OVN_REMOTE_PROBE_INTERVAL
value: "{{ kube_ovn_remote_probe_interval }}"
- name: OVN_REMOTE_OPENFLOW_INTERVAL
value: "{{ kube_ovn_remote_openflow_interval }}"
volumeMounts:
- mountPath: /var/run/netns
name: host-ns
mountPropagation: HostToContainer
- mountPath: /lib/modules
name: host-modules
readOnly: true
- mountPath: /var/run/openvswitch
name: host-run-ovs
- mountPath: /var/run/ovn
name: host-run-ovn
- mountPath: /sys
name: host-sys
readOnly: true
- mountPath: /etc/cni/net.d
name: cni-conf
- mountPath: /etc/openvswitch
name: host-config-openvswitch
- mountPath: /etc/ovn
name: host-config-ovn
- mountPath: /var/log/openvswitch
name: host-log-ovs
- mountPath: /var/log/ovn
name: host-log-ovn
{% if kube_ovn_dpdk_enabled %}
- mountPath: /opt/ovs-config
name: host-config-ovs
- mountPath: /dev/hugepages
name: hugepage
{% endif %}
- mountPath: /etc/localtime
name: localtime
- mountPath: /var/run/tls
name: kube-ovn-tls
readinessProbe:
exec:
command:
- bash
{% if kube_ovn_dpdk_enabled %}
- /kube-ovn/ovs-dpdk-healthcheck.sh
{% else %}
- /kube-ovn/ovs-healthcheck.sh
{% endif %}
periodSeconds: 5
timeoutSeconds: 45
livenessProbe:
exec:
command:
- bash
{% if kube_ovn_dpdk_enabled %}
- /kube-ovn/ovs-dpdk-healthcheck.sh
{% else %}
- /kube-ovn/ovs-healthcheck.sh
{% endif %}
initialDelaySeconds: 60
periodSeconds: 5
failureThreshold: 5
timeoutSeconds: 45
resources:
{% if kube_ovn_dpdk_enabled %}
requests:
cpu: {{ kube_ovn_dpdk_node_cpu_request }}
memory: {{ kube_ovn_dpdk_node_memory_request }}
limits:
cpu: {{ kube_ovn_dpdk_node_cpu_limit }}
memory: {{ kube_ovn_dpdk_node_memory_limit }}
hugepages-1Gi: 1Gi
{% else %}
requests:
cpu: {{ kube_ovn_node_cpu_request }}
memory: {{ kube_ovn_node_memory_request }}
limits:
cpu: {{ kube_ovn_node_cpu_limit }}
memory: {{ kube_ovn_node_memory_limit }}
{% endif %}
nodeSelector:
kubernetes.io/os: "linux"
volumes:
- name: host-modules
hostPath:
path: /lib/modules
- name: host-run-ovs
hostPath:
path: /run/openvswitch
- name: host-run-ovn
hostPath:
path: /run/ovn
- name: host-sys
hostPath:
path: /sys
- name: host-ns
hostPath:
path: /var/run/netns
- name: cni-conf
hostPath:
path: /etc/cni/net.d
- name: host-config-openvswitch
hostPath:
path: /etc/origin/openvswitch
- name: host-config-ovn
hostPath:
path: /etc/origin/ovn
- name: host-log-ovs
hostPath:
path: /var/log/openvswitch
- name: host-log-ovn
hostPath:
path: /var/log/ovn
{% if kube_ovn_dpdk_enabled %}
- name: host-config-ovs
hostPath:
path: /opt/ovs-config
type: DirectoryOrCreate
- name: hugepage
emptyDir:
medium: HugePages
{% endif %}
- name: localtime
hostPath:
path: /etc/localtime
- name: kube-ovn-tls
secret:
optional: true
secretName: kube-ovn-tls

674
roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2
View File

@ -1,674 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ovn-ovs
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:ovn-ovs
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- patch
- apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- apiGroups:
- apps
resources:
- controllerrevisions
verbs:
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ovn-ovs
roleRef:
name: system:ovn-ovs
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: ovn-ovs
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ovn
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:ovn
rules:
- apiGroups:
- "kubeovn.io"
resources:
- vpcs
- vpcs/status
- vpc-nat-gateways
- vpc-nat-gateways/status
- subnets
- subnets/status
- ippools
- ippools/status
- ips
- vips
- vips/status
- vlans
- vlans/status
- provider-networks
- provider-networks/status
- security-groups
- security-groups/status
- iptables-eips
- iptables-fip-rules
- iptables-dnat-rules
- iptables-snat-rules
- iptables-eips/status
- iptables-fip-rules/status
- iptables-dnat-rules/status
- iptables-snat-rules/status
- ovn-eips
- ovn-fips
- ovn-snat-rules
- ovn-eips/status
- ovn-fips/status
- ovn-snat-rules/status
- ovn-dnat-rules
- ovn-dnat-rules/status
- switch-lb-rules
- switch-lb-rules/status
- vpc-dnses
- vpc-dnses/status
- qos-policies
- qos-policies/status
verbs:
- "*"
- apiGroups:
- ""
resources:
- pods
- namespaces
verbs:
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- apiGroups:
- "k8s.cni.cncf.io"
resources:
- network-attachment-definitions
verbs:
- get
- apiGroups:
- ""
- networking.k8s.io
resources:
- networkpolicies
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- apiGroups:
- ""
resources:
- services
- services/status
verbs:
- get
- list
- update
- create
- delete
- watch
- apiGroups:
- ""
resources:
- endpoints
verbs:
- create
- update
- get
- list
- watch
- apiGroups:
- apps
resources:
- statefulsets
- deployments
- deployments/scale
verbs:
- get
- list
- create
- delete
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- "*"
- apiGroups:
- "kubevirt.io"
resources:
- virtualmachines
- virtualmachineinstances
verbs:
- get
- list
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ovn
roleRef:
name: system:ovn
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: ovn
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ovn
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: ovn
namespace: kube-system
---
kind: Service
apiVersion: v1
metadata:
name: ovn-nb
namespace: kube-system
spec:
ports:
- name: ovn-nb
protocol: TCP
port: 6641
targetPort: 6641
type: ClusterIP
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector:
app: ovn-central
ovn-nb-leader: "true"
sessionAffinity: None
---
kind: Service
apiVersion: v1
metadata:
name: ovn-sb
namespace: kube-system
spec:
ports:
- name: ovn-sb
protocol: TCP
port: 6642
targetPort: 6642
type: ClusterIP
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector:
app: ovn-central
ovn-sb-leader: "true"
sessionAffinity: None
---
kind: Service
apiVersion: v1
metadata:
name: ovn-northd
namespace: kube-system
spec:
ports:
- name: ovn-northd
protocol: TCP
port: 6643
targetPort: 6643
type: ClusterIP
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector:
app: ovn-central
ovn-northd-leader: "true"
sessionAffinity: None
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: ovn-central
namespace: kube-system
annotations:
kubernetes.io/description: |
OVN components: northd, nb and sb.
spec:
replicas: {{ kube_ovn_central_replics }}
strategy:
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
type: RollingUpdate
selector:
matchLabels:
app: ovn-central
template:
metadata:
labels:
app: ovn-central
component: network
type: infra
spec:
tolerations:
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: ovn-central
topologyKey: kubernetes.io/hostname
priorityClassName: system-cluster-critical
serviceAccountName: ovn-ovs
hostNetwork: true
containers:
- name: ovn-central
image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
command: ["/kube-ovn/start-db.sh"]
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}"
- name: NODE_IPS
value: "{{ kube_ovn_central_ips }}"
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_IPS
valueFrom:
fieldRef:
fieldPath: status.podIPs
- name: ENABLE_BIND_LOCAL_IP
value: "{{ kube_ovn_bind_local_ip_enabled }}"
- name: PROBE_INTERVAL
value: "180000"
- name: OVN_NORTHD_PROBE_INTERVAL
value: "5000"
- name: OVN_LEADER_PROBE_INTERVAL
value: "5"
resources:
requests:
cpu: {{ kube_ovn_db_cpu_request }}
memory: {{ kube_ovn_db_memory_request }}
limits:
cpu: {{ kube_ovn_db_cpu_limit }}
memory: {{ kube_ovn_db_memory_limit }}
volumeMounts:
- mountPath: /var/run/openvswitch
name: host-run-ovs
- mountPath: /var/run/ovn
name: host-run-ovn
- mountPath: /sys
name: host-sys
readOnly: true
- mountPath: /etc/openvswitch
name: host-config-openvswitch
- mountPath: /etc/ovn
name: host-config-ovn
- mountPath: /var/log/openvswitch
name: host-log-ovs
- mountPath: /var/log/ovn
name: host-log-ovn
- mountPath: /etc/localtime
name: localtime
- mountPath: /var/run/tls
name: kube-ovn-tls
readinessProbe:
exec:
command:
- bash
- /kube-ovn/ovn-healthcheck.sh
periodSeconds: 15
timeoutSeconds: 45
livenessProbe:
exec:
command:
- bash
- /kube-ovn/ovn-healthcheck.sh
initialDelaySeconds: 30
periodSeconds: 15
failureThreshold: 5
timeoutSeconds: 45
nodeSelector:
kubernetes.io/os: "linux"
kube-ovn/role: "master"
volumes:
- name: host-run-ovs
hostPath:
path: /run/openvswitch
- name: host-run-ovn
hostPath:
path: /run/ovn
- name: host-sys
hostPath:
path: /sys
- name: host-config-openvswitch
hostPath:
path: /etc/origin/openvswitch
- name: host-config-ovn
hostPath:
path: /etc/origin/ovn
- name: host-log-ovs
hostPath:
path: /var/log/openvswitch
- name: host-log-ovn
hostPath:
path: /var/log/ovn
- name: localtime
hostPath:
path: /etc/localtime
- name: kube-ovn-tls
secret:
optional: true
secretName: kube-ovn-tls
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: ovs-ovn
namespace: kube-system
annotations:
kubernetes.io/description: |
This daemon set launches the openvswitch daemon.
spec:
selector:
matchLabels:
app: ovs
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
template:
metadata:
labels:
app: ovs
component: network
type: infra
spec:
tolerations:
- effect: NoSchedule
operator: Exists
- effect: NoExecute
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
priorityClassName: system-node-critical
serviceAccountName: ovn-ovs
hostNetwork: true
hostPID: true
containers:
- name: openvswitch
image: {% if kube_ovn_dpdk_enabled %}{{ kube_ovn_dpdk_container_image_repo }}:{{ kube_ovn_dpdk_container_image_tag }}{% else %}{{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}{% endif %}
imagePullPolicy: {{ k8s_image_pull_policy }}
command: [{% if kube_ovn_dpdk_enabled %}"/kube-ovn/start-ovs-dpdk.sh"{% else %}"/kube-ovn/start-ovs.sh"{% endif %}]
securityContext:
runAsUser: 0
privileged: false
capabilities:
add:
- NET_ADMIN
- NET_BIND_SERVICE
- SYS_MODULE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "{{ kube_ovn_enable_ssl | lower }}"
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{% if not kube_ovn_dpdk_enabled %}
- name: HW_OFFLOAD
value: "{{ kube_ovn_hw_offload | string | lower }}"
- name: TUNNEL_TYPE
value: "{{ kube_ovn_tunnel_type }}"
{% endif %}
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: OVN_DB_IPS
value: "{{ kube_ovn_central_ips }}"
volumeMounts:
- mountPath: /var/run/netns
name: host-ns
mountPropagation: HostToContainer
- mountPath: /lib/modules
name: host-modules
readOnly: true
- mountPath: /var/run/openvswitch
name: host-run-ovs
- mountPath: /var/run/ovn
name: host-run-ovn
- mountPath: /sys
name: host-sys
readOnly: true
- mountPath: /etc/cni/net.d
name: cni-conf
- mountPath: /etc/openvswitch
name: host-config-openvswitch
- mountPath: /etc/ovn
name: host-config-ovn
- mountPath: /var/log/openvswitch
name: host-log-ovs
- mountPath: /var/log/ovn
name: host-log-ovn
{% if kube_ovn_dpdk_enabled %}
- mountPath: /opt/ovs-config
name: host-config-ovs
- mountPath: /dev/hugepages
name: hugepage
{% endif %}
- mountPath: /etc/localtime
name: localtime
- mountPath: /var/run/tls
name: kube-ovn-tls
- mountPath: /var/run/containerd
name: cruntime
readOnly: true
readinessProbe:
exec:
command:
- bash
{% if kube_ovn_dpdk_enabled %}
- /kube-ovn/ovs-dpdk-healthcheck.sh
{% else %}
- /kube-ovn/ovs-healthcheck.sh
{% endif %}
periodSeconds: 5
timeoutSeconds: 45
livenessProbe:
exec:
command:
- bash
{% if kube_ovn_dpdk_enabled %}
- /kube-ovn/ovs-dpdk-healthcheck.sh
{% else %}
- /kube-ovn/ovs-healthcheck.sh
{% endif %}
initialDelaySeconds: 60
periodSeconds: 5
failureThreshold: 5
timeoutSeconds: 45
resources:
{% if kube_ovn_dpdk_enabled %}
requests:
cpu: {{ kube_ovn_dpdk_node_cpu_request }}
memory: {{ kube_ovn_dpdk_node_memory_request }}
limits:
cpu: {{ kube_ovn_dpdk_node_cpu_limit }}
memory: {{ kube_ovn_dpdk_node_memory_limit }}
hugepages-1Gi: 1Gi
{% else %}
requests:
cpu: {{ kube_ovn_node_cpu_request }}
memory: {{ kube_ovn_node_memory_request }}
limits:
cpu: {{ kube_ovn_node_cpu_limit }}
memory: {{ kube_ovn_node_memory_limit }}
{% endif %}
nodeSelector:
kubernetes.io/os: "linux"
volumes:
- name: host-modules
hostPath:
path: /lib/modules
- name: host-run-ovs
hostPath:
path: /run/openvswitch
- name: host-run-ovn
hostPath:
path: /run/ovn
- name: host-sys
hostPath:
path: /sys
- name: host-ns
hostPath:
path: /var/run/netns
- name: cni-conf
hostPath:
path: /etc/cni/net.d
- name: host-config-openvswitch
hostPath:
path: /etc/origin/openvswitch
- name: host-config-ovn
hostPath:
path: /etc/origin/ovn
- name: host-log-ovs
hostPath:
path: /var/log/openvswitch
- name: host-log-ovn
hostPath:
path: /var/log/ovn
{% if kube_ovn_dpdk_enabled %}
- name: host-config-ovs
hostPath:
path: /opt/ovs-config
type: DirectoryOrCreate
- name: hugepage
emptyDir:
medium: HugePages
{% endif %}
- name: localtime
hostPath:
path: /etc/localtime
- name: cruntime
hostPath:
path: /var/run/containerd
- name: kube-ovn-tls
secret:
optional: true
secretName: kube-ovn-tls

299
roles/network_plugin/kube-ovn/templates/ovn-CR.yml.j2 100644
View File

@ -0,0 +1,299 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:ovn
rules:
- apiGroups:
- "kubeovn.io"
resources:
- vpcs
- vpcs/status
- vpc-nat-gateways
- vpc-nat-gateways/status
- subnets
- subnets/status
- ippools
- ippools/status
- ips
- vips
- vips/status
- vlans
- vlans/status
- provider-networks
- provider-networks/status
- security-groups
- security-groups/status
- iptables-eips
- iptables-fip-rules
- iptables-dnat-rules
- iptables-snat-rules
- iptables-eips/status
- iptables-fip-rules/status
- iptables-dnat-rules/status
- iptables-snat-rules/status
- ovn-eips
- ovn-fips
- ovn-snat-rules
- ovn-eips/status
- ovn-fips/status
- ovn-snat-rules/status
- ovn-dnat-rules
- ovn-dnat-rules/status
- switch-lb-rules
- switch-lb-rules/status
- vpc-dnses
- vpc-dnses/status
- qos-policies
- qos-policies/status
verbs:
- "*"
- apiGroups:
- ""
resources:
- pods
- namespaces
verbs:
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- apiGroups:
- "k8s.cni.cncf.io"
resources:
- network-attachment-definitions
verbs:
- get
- apiGroups:
- ""
- networking.k8s.io
resources:
- networkpolicies
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- apiGroups:
- ""
resources:
- services
- services/status
verbs:
- get
- list
- update
- create
- delete
- watch
- apiGroups:
- ""
resources:
- endpoints
verbs:
- create
- update
- get
- list
- watch
- apiGroups:
- apps
resources:
- statefulsets
- deployments
- deployments/scale
verbs:
- get
- list
- create
- delete
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- "*"
- apiGroups:
- "kubevirt.io"
resources:
- virtualmachines
- virtualmachineinstances
verbs:
- get
- list
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:ovn-ovs
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- patch
- apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- apiGroups:
- apps
resources:
- controllerrevisions
verbs:
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:kube-ovn-cni
rules:
- apiGroups:
- "kubeovn.io"
resources:
- subnets
- vlans
- provider-networks
verbs:
- get
- list
- watch
- apiGroups:
- ""
- "kubeovn.io"
resources:
- ovn-eips
- ovn-eips/status
- nodes
- pods
- vlans
verbs:
- get
- list
- patch
- watch
- apiGroups:
- "kubeovn.io"
resources:
- ips
verbs:
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.k8s.io/system-only: "true"
name: system:kube-ovn-app
rules:
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create

94
roles/network_plugin/kube-ovn/templates/ovn-CRB.yml.j2 100644
View File

@ -0,0 +1,94 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ovn
roleRef:
name: system:ovn
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: ovn
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ovn
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: ovn
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ovn-ovs
roleRef:
name: system:ovn-ovs
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: ovn-ovs
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-ovn-cni
roleRef:
name: system:kube-ovn-cni
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-ovn-cni
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-ovn-app
roleRef:
name: system:kube-ovn-app
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: kube-ovn-app
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-ovn-app
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kube-ovn-app
namespace: kube-system

24
roles/network_plugin/kube-ovn/templates/ovn-SA.yml.j2 100644
View File

@ -0,0 +1,24 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ovn-ovs
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ovn
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-ovn-app
namespace: kube-system

24
roles/reset/tasks/main.yml
View File

@ -43,7 +43,7 @@
tags: tags:
- docker - docker
- name: Reset | systemctl daemon-reload # noqa no-handler - name: Reset | systemctl daemon-reload # noqa no-handler
systemd_service: systemd_service:
daemon_reload: true daemon_reload: true
when: services_removed.changed when: services_removed.changed
@ -71,7 +71,7 @@
- crictl.stat.exists - crictl.stat.exists
- container_manager in ["crio", "containerd"] - container_manager in ["crio", "containerd"]
- ansible_facts.services['containerd.service'] is defined or ansible_facts.services['cri-o.service'] is defined - ansible_facts.services['containerd.service'] is defined or ansible_facts.services['cri-o.service'] is defined
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
- name: Reset | force remove all cri containers - name: Reset | force remove all cri containers
command: "{{ bin_dir }}/crictl rm -a -f" command: "{{ bin_dir }}/crictl rm -a -f"
@ -87,7 +87,7 @@
- container_manager in ["crio", "containerd"] - container_manager in ["crio", "containerd"]
- deploy_container_engine - deploy_container_engine
- ansible_facts.services['containerd.service'] is defined or ansible_facts.services['cri-o.service'] is defined - ansible_facts.services['containerd.service'] is defined or ansible_facts.services['cri-o.service'] is defined
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
- name: Reset | stop and disable crio service - name: Reset | stop and disable crio service
service: service:
@ -95,13 +95,13 @@
state: stopped state: stopped
enabled: false enabled: false
failed_when: false failed_when: false
tags: [ crio ] tags: [crio]
when: container_manager == "crio" when: container_manager == "crio"
- name: Reset | forcefully wipe CRI-O's container and image storage - name: Reset | forcefully wipe CRI-O's container and image storage
command: "crio wipe -f" command: "crio wipe -f"
failed_when: false failed_when: false
tags: [ crio ] tags: [crio]
when: container_manager == "crio" when: container_manager == "crio"
- name: Reset | stop all cri pods - name: Reset | stop all cri pods
@ -112,12 +112,12 @@
retries: 5 retries: 5
until: remove_all_cri_containers.rc == 0 until: remove_all_cri_containers.rc == 0
delay: 5 delay: 5
tags: [ containerd ] tags: [containerd]
when: when:
- crictl.stat.exists - crictl.stat.exists
- container_manager == "containerd" - container_manager == "containerd"
- ansible_facts.services['containerd.service'] is defined or ansible_facts.services['cri-o.service'] is defined - ansible_facts.services['containerd.service'] is defined or ansible_facts.services['cri-o.service'] is defined
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
- name: Reset | force remove all cri pods - name: Reset | force remove all cri pods
block: block:
@ -127,7 +127,7 @@
retries: 5 retries: 5
until: remove_all_cri_containers.rc == 0 until: remove_all_cri_containers.rc == 0
delay: 5 delay: 5
tags: [ containerd ] tags: [containerd]
when: when:
- crictl.stat.exists - crictl.stat.exists
- container_manager == "containerd" - container_manager == "containerd"
@ -136,7 +136,7 @@
rescue: rescue:
- name: Reset | force remove all cri pods (rescue) - name: Reset | force remove all cri pods (rescue)
shell: "ip netns list | cut -d' ' -f 1 | xargs -n1 ip netns delete && {{ bin_dir }}/crictl rmp -a -f" shell: "ip netns list | cut -d' ' -f 1 | xargs -n1 ip netns delete && {{ bin_dir }}/crictl rmp -a -f"
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
changed_when: true changed_when: true
- name: Reset | remove containerd - name: Reset | remove containerd
@ -209,7 +209,7 @@
- name: Clear IPVS virtual server table - name: Clear IPVS virtual server table
command: "ipvsadm -C" command: "ipvsadm -C"
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
when: when:
- kube_proxy_mode == 'ipvs' and 'k8s_cluster' in group_names - kube_proxy_mode == 'ipvs' and 'k8s_cluster' in group_names
@ -358,7 +358,7 @@
- /etc/origin/ovn - /etc/origin/ovn
- "{{ sysctl_file_path }}" - "{{ sysctl_file_path }}"
- /etc/crictl.yaml - /etc/crictl.yaml
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
tags: tags:
- files - files
@ -377,7 +377,7 @@
- ctd-decoder - ctd-decoder
- ctr - ctr
- runc - runc
ignore_errors: true # noqa ignore-errors ignore_errors: true # noqa ignore-errors
when: container_manager == 'containerd' when: container_manager == 'containerd'
tags: tags:
- files - files