Drop canal network_plugin (#10100)
According to the canal github[1] the repo has not been maintained for over 5 years. In addition, the README says ``` Originally, we thought we might more deeply integrate the two projects (possibly even going as far as a rebranding!). However, over time it became clear that that wasn't really necessary to fulfil our goal of making them work well together. Ultimately, we decided to focus on adding features to both projects rather than doing work just to combine them. ``` So it is difficult to support canal in Kubespray in this situation. [1]: https://github.com/projectcalico/canal
pull/9983/head
parent
c14d9c5c97
commit
7afbdb3e1e
|
@ -169,7 +169,6 @@ Note: Upstart/SysV init based OS types are not supported.
|
|||
- Network Plugin
|
||||
- [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
|
||||
- [calico](https://github.com/projectcalico/calico) v3.25.1
|
||||
- [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
|
||||
- [cilium](https://github.com/cilium/cilium) v1.13.0
|
||||
- [flannel](https://github.com/flannel-io/flannel) v0.21.4
|
||||
- [kube-ovn](https://github.com/alauda/kube-ovn) v1.10.7
|
||||
|
@ -233,8 +232,6 @@ You can choose among ten network plugins. (default: `calico`, except Vagrant use
|
|||
and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts,
|
||||
pods, and (if using Istio and Envoy) applications at the service mesh layer.
|
||||
|
||||
- [canal](https://github.com/projectcalico/canal): a composition of calico and flannel plugins.
|
||||
|
||||
- [cilium](http://docs.cilium.io/en/latest/): layer 3/4 networking (as well as layer 7 to protect and secure application protocols), supports dynamic insertion of BPF bytecode into the Linux kernel to implement security services, networking and visibility logic.
|
||||
|
||||
- [weave](docs/weave.md): Weave is a lightweight container overlay network that doesn't require an external K/V database cluster.
|
||||
|
|
|
@ -135,7 +135,6 @@ The following tags are defined in playbooks:
|
|||
| bootstrap-os | Anything related to host OS configuration |
|
||||
| calico | Network plugin Calico |
|
||||
| calico_rr | Configuring Calico route reflector |
|
||||
| canal | Network plugin Canal |
|
||||
| cephfs-provisioner | Configuring CephFS |
|
||||
| cert-manager | Configuring certificate manager for K8s |
|
||||
| cilium | Network plugin Cilium |
|
||||
|
|
|
@ -1,10 +0,0 @@
|
|||
# see roles/network_plugin/canal/defaults/main.yml
|
||||
|
||||
# The interface used by canal for host <-> host communication.
|
||||
# If left blank, then the interface is choosing using the node's
|
||||
# default route.
|
||||
# canal_iface: ""
|
||||
|
||||
# Whether or not to masquerade traffic to destinations not within
|
||||
# the pod network.
|
||||
# canal_masquerade: "true"
|
|
@ -1525,7 +1525,7 @@ downloads:
|
|||
- k8s_cluster
|
||||
|
||||
flannel:
|
||||
enabled: "{{ kube_network_plugin == 'flannel' or kube_network_plugin == 'canal' }}"
|
||||
enabled: "{{ kube_network_plugin == 'flannel' }}"
|
||||
container: true
|
||||
repo: "{{ flannel_image_repo }}"
|
||||
tag: "{{ flannel_image_tag }}"
|
||||
|
@ -1534,7 +1534,7 @@ downloads:
|
|||
- k8s_cluster
|
||||
|
||||
flannel_init:
|
||||
enabled: "{{ kube_network_plugin == 'flannel' or kube_network_plugin == 'canal' }}"
|
||||
enabled: "{{ kube_network_plugin == 'flannel' }}"
|
||||
container: true
|
||||
repo: "{{ flannel_init_image_repo }}"
|
||||
tag: "{{ flannel_init_image_tag }}"
|
||||
|
@ -1543,7 +1543,7 @@ downloads:
|
|||
- k8s_cluster
|
||||
|
||||
calicoctl:
|
||||
enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
|
||||
enabled: "{{ kube_network_plugin == 'calico' }}"
|
||||
file: true
|
||||
version: "{{ calico_ctl_version }}"
|
||||
dest: "{{ local_release_dir }}/calicoctl"
|
||||
|
@ -1558,7 +1558,7 @@ downloads:
|
|||
- k8s_cluster
|
||||
|
||||
calico_node:
|
||||
enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
|
||||
enabled: "{{ kube_network_plugin == 'calico' }}"
|
||||
container: true
|
||||
repo: "{{ calico_node_image_repo }}"
|
||||
tag: "{{ calico_node_image_tag }}"
|
||||
|
@ -1567,7 +1567,7 @@ downloads:
|
|||
- k8s_cluster
|
||||
|
||||
calico_cni:
|
||||
enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
|
||||
enabled: "{{ kube_network_plugin == 'calico' }}"
|
||||
container: true
|
||||
repo: "{{ calico_cni_image_repo }}"
|
||||
tag: "{{ calico_cni_image_tag }}"
|
||||
|
@ -1576,7 +1576,7 @@ downloads:
|
|||
- k8s_cluster
|
||||
|
||||
calico_flexvol:
|
||||
enabled: "{{ kube_network_plugin == 'calico' or kube_network_plugin == 'canal' }}"
|
||||
enabled: "{{ kube_network_plugin == 'calico' }}"
|
||||
container: true
|
||||
repo: "{{ calico_flexvol_image_repo }}"
|
||||
tag: "{{ calico_flexvol_image_tag }}"
|
||||
|
@ -1585,7 +1585,7 @@ downloads:
|
|||
- k8s_cluster
|
||||
|
||||
calico_policy:
|
||||
enabled: "{{ enable_network_policy and kube_network_plugin in ['calico', 'canal'] }}"
|
||||
enabled: "{{ enable_network_policy and kube_network_plugin in ['calico'] }}"
|
||||
container: true
|
||||
repo: "{{ calico_policy_image_repo }}"
|
||||
tag: "{{ calico_policy_image_tag }}"
|
||||
|
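Review bot: The new `enabled` expression for `calico_policy` keeps a one-element membership test, `enabled: "{{ enable_network_policy and kube_network_plugin in ['calico'] }}"`, while every sibling download entry in this section was rewritten to an equality (`kube_network_plugin == 'calico'`); `enabled: "{{ enable_network_policy and kube_network_plugin == 'calico' }}"` would read the same way as the others. The same leftover list form appears in the policy_controller dependency condition later in this commit (`- kube_network_plugin in ['calico']`), which could likewise become `- kube_network_plugin == 'calico'`. Behaviour is identical either way, so this is only a readability point. The downloads mapping itself starts and ends outside these hunks.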
|
|
@ -84,7 +84,7 @@
|
|||
{% if not loop.last %}{{','}}{% endif %}
|
||||
{% endfor %}]
|
||||
when:
|
||||
- kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin != "calico" or calico_datastore == "etcd"
|
||||
- force_etcd_cert_refresh or not item in etcdcert_master.files|map(attribute='path') | list
|
||||
|
||||
|
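Review bot: The membership list in `- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool` is now maintained by hand in every etcd certificate task: here, in the three sections that follow, and in the kubeadm etcd section later in this commit. Because these conditions decide which hosts are issued etcd client certificates and keys, computing the decision once into a fact (for example `etcd_certs_needed`, name constructed) and referencing it from each task would keep the host set consistent and make the next plugin removal a single-line change. It may also be worth confirming that `flannel` still belongs in the list: the only flannel-to-etcd coupling visible in this commit is the deleted `etcdctl set /coreos.com/network/config` task in the canal role, though standalone flannel's requirements are not visible here. The enclosing tasks start outside the hunks.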
|
|
@ -67,7 +67,7 @@
|
|||
run_once: yes
|
||||
delegate_to: "{{ groups['etcd'][0] }}"
|
||||
when:
|
||||
- kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin != "calico" or calico_datastore == "etcd"
|
||||
- gen_certs|default(false)
|
||||
notify: set etcd_secret_changed
|
||||
|
@ -124,7 +124,7 @@
|
|||
when:
|
||||
- inventory_hostname in groups['etcd']
|
||||
- inventory_hostname != groups['etcd'][0]
|
||||
- kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin != "calico" or calico_datastore == "etcd"
|
||||
notify: set etcd_secret_changed
|
||||
|
||||
|
@ -139,7 +139,7 @@
|
|||
when:
|
||||
- inventory_hostname in groups['etcd']
|
||||
- inventory_hostname != groups['etcd'][0]
|
||||
- kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin != "calico" or calico_datastore == "etcd"
|
||||
loop_control:
|
||||
label: "{{ item.item }}"
|
||||
|
@ -151,7 +151,7 @@
|
|||
|
||||
- include_tasks: gen_nodes_certs_script.yml
|
||||
when:
|
||||
- kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin != "calico" or calico_datastore == "etcd"
|
||||
- inventory_hostname in groups['k8s_cluster'] and
|
||||
sync_certs|default(false) and inventory_hostname not in groups['etcd']
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
|
||||
- include_tasks: upd_ca_trust.yml
|
||||
when:
|
||||
- kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin != "calico" or calico_datastore == "etcd"
|
||||
- inventory_hostname in groups['k8s_cluster']
|
||||
tags:
|
||||
|
@ -31,7 +31,7 @@
|
|||
changed_when: false
|
||||
check_mode: no
|
||||
when:
|
||||
- kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin != "calico" or calico_datastore == "etcd"
|
||||
- inventory_hostname in groups['k8s_cluster']
|
||||
tags:
|
||||
|
@ -42,7 +42,7 @@
|
|||
set_fact:
|
||||
etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout.split('=')[1] }}"
|
||||
when:
|
||||
- kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin != "calico" or calico_datastore == "etcd"
|
||||
- inventory_hostname in groups['k8s_cluster']
|
||||
tags:
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
- name: Canal | Start Resources
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "kube-system"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/{{ item.item.file }}"
|
||||
state: "latest"
|
||||
with_items: "{{ canal_manifests.results }}"
|
||||
when: inventory_hostname == groups['kube_control_plane'][0] and not item is skipped
|
|
@ -5,11 +5,6 @@ dependencies:
|
|||
tags:
|
||||
- calico
|
||||
|
||||
- role: kubernetes-apps/network_plugin/canal
|
||||
when: kube_network_plugin == 'canal'
|
||||
tags:
|
||||
- canal
|
||||
|
||||
- role: kubernetes-apps/network_plugin/flannel
|
||||
when: kube_network_plugin == 'flannel'
|
||||
tags:
|
||||
|
|
|
@ -8,4 +8,3 @@ calico_policy_controller_deployment_nodeselector: "kubernetes.io/os: linux"
|
|||
|
||||
# SSL
|
||||
calico_cert_dir: "/etc/calico/certs"
|
||||
canal_cert_dir: "/etc/canal/certs"
|
||||
|
|
|
@ -1,13 +1,4 @@
|
|||
---
|
||||
- name: Set cert dir
|
||||
set_fact:
|
||||
calico_cert_dir: "{{ canal_cert_dir }}"
|
||||
when:
|
||||
- kube_network_plugin == 'canal'
|
||||
tags:
|
||||
- facts
|
||||
- canal
|
||||
|
||||
- name: Create calico-kube-controllers manifests
|
||||
template:
|
||||
src: "{{ item.file }}.j2"
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
dependencies:
|
||||
- role: policy_controller/calico
|
||||
when:
|
||||
- kube_network_plugin in ['calico', 'canal']
|
||||
- kube_network_plugin in ['calico']
|
||||
- enable_network_policy
|
||||
tags:
|
||||
- policy-controller
|
||||
|
|
|
@ -172,5 +172,5 @@
|
|||
when:
|
||||
- etcd_deployment_type == "kubeadm"
|
||||
- inventory_hostname not in groups['kube_control_plane']
|
||||
- kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool
|
||||
- kube_network_plugin != "calico" or calico_datastore == "etcd"
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
|
||||
- name: Stop if unknown network plugin
|
||||
assert:
|
||||
that: kube_network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'kube-ovn', 'kube-router', 'macvlan', 'custom_cni']
|
||||
that: kube_network_plugin in ['calico', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'kube-ovn', 'kube-router', 'macvlan', 'custom_cni']
|
||||
msg: "{{ kube_network_plugin }} is not supported"
|
||||
when:
|
||||
- kube_network_plugin is defined
|
||||
|
|
|
@ -78,14 +78,13 @@
|
|||
- "/opt/cni/bin"
|
||||
- "/var/lib/calico"
|
||||
when:
|
||||
- kube_network_plugin in ["calico", "weave", "canal", "flannel", "cilium", "kube-ovn", "kube-router", "macvlan"]
|
||||
- kube_network_plugin in ["calico", "weave", "flannel", "cilium", "kube-ovn", "kube-router", "macvlan"]
|
||||
- inventory_hostname in groups['k8s_cluster']
|
||||
tags:
|
||||
- network
|
||||
- cilium
|
||||
- calico
|
||||
- weave
|
||||
- canal
|
||||
- kube-ovn
|
||||
- kube-router
|
||||
- bootstrap-os
|
||||
|
|
|
@ -1,33 +0,0 @@
|
|||
---
|
||||
# The interface used by canal for host <-> host communication.
|
||||
# If left blank, then the interface is choosing using the node's
|
||||
# default route.
|
||||
canal_iface: ""
|
||||
|
||||
# Whether or not to masquerade traffic to destinations not within
|
||||
# the pod network.
|
||||
canal_masquerade: "true"
|
||||
|
||||
# Etcd SSL dirs
|
||||
canal_cert_dir: /etc/canal/certs
|
||||
|
||||
# Canal Network Policy directory
|
||||
canal_policy_dir: /etc/kubernetes/policy
|
||||
|
||||
# Limits for apps
|
||||
calico_node_memory_limit: 500M
|
||||
calico_node_cpu_limit: 200m
|
||||
calico_node_memory_requests: 64M
|
||||
calico_node_cpu_requests: 50m
|
||||
flannel_memory_limit: 500M
|
||||
flannel_cpu_limit: 200m
|
||||
flannel_memory_requests: 64M
|
||||
flannel_cpu_requests: 50m
|
||||
|
||||
# etcd cert filenames
|
||||
kube_etcd_cacert_file: ca.pem
|
||||
kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
|
||||
kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
|
||||
|
||||
# Set log path for calico CNI plugin. Set to false to disable logging to disk.
|
||||
calico_cni_log_file_path: /var/log/calico/cni/cni.log
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
- name: reset_canal_cni
|
||||
command: /bin/true
|
||||
notify:
|
||||
- delete 10-canal.conflist
|
||||
- delete canal-node containers
|
||||
|
||||
- name: delete 10-canal.conflist
|
||||
file:
|
||||
path: /etc/canal/10-canal.conflist
|
||||
state: absent
|
||||
|
||||
- name: delete canal-node containers
|
||||
shell: "docker ps -af name=k8s_POD_canal-node* -q | xargs --no-run-if-empty docker rm -f"
|
|
@ -1,103 +0,0 @@
|
|||
---
|
||||
- name: Canal | Write Canal cni config
|
||||
template:
|
||||
src: "cni-canal.conflist.j2"
|
||||
dest: "/etc/cni/net.d/canal.conflist.template"
|
||||
mode: 0644
|
||||
owner: "{{ kube_owner }}"
|
||||
register: canal_conflist
|
||||
notify: reset_canal_cni
|
||||
|
||||
- name: Canal | Create canal certs directory
|
||||
file:
|
||||
dest: "{{ canal_cert_dir }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Canal | Link etcd certificates for canal-node
|
||||
file:
|
||||
src: "{{ etcd_cert_dir }}/{{ item.s }}"
|
||||
dest: "{{ canal_cert_dir }}/{{ item.d }}"
|
||||
state: hard
|
||||
mode: 0640
|
||||
force: yes
|
||||
with_items:
|
||||
- {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
|
||||
- {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
|
||||
- {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
|
||||
|
||||
- name: Slurp etcd cacert file
|
||||
slurp:
|
||||
src: "{{ canal_cert_dir }}/ca_cert.crt"
|
||||
register: etcd_ca_cert_file
|
||||
failed_when: false
|
||||
|
||||
- name: Slurp etcd cert file
|
||||
slurp:
|
||||
src: "{{ canal_cert_dir }}/cert.crt"
|
||||
register: etcd_cert_file
|
||||
failed_when: false
|
||||
|
||||
- name: Slurp etcd key file
|
||||
slurp:
|
||||
src: "{{ canal_cert_dir }}/key.pem"
|
||||
register: etcd_key_file
|
||||
failed_when: false
|
||||
|
||||
# Flannel need etcd v2 API
|
||||
- name: Canal | Set Flannel etcd configuration
|
||||
command: |-
|
||||
{{ bin_dir }}/etcdctl set /coreos.com/network/config \
|
||||
'{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }'
|
||||
register: output
|
||||
retries: 4
|
||||
until: output.rc == 0
|
||||
delay: "{{ retry_stagger | random + 3 }}"
|
||||
delegate_to: "{{ groups['etcd'][0] }}"
|
||||
changed_when: false
|
||||
run_once: true
|
||||
environment:
|
||||
ETCDCTL_API: 2
|
||||
ETCDCTL_CA_FILE: "{{ kube_cert_dir + '/etcd/ca.crt' if etcd_deployment_type == 'kubeadm' else etcd_cert_dir + '/ca.pem' }}"
|
||||
ETCDCTL_CERT_FILE: "{{ kube_cert_dir + '/etcd/server.crt' if etcd_deployment_type == 'kubeadm' else etcd_cert_dir + '/admin-' + groups['etcd'][0] + '.pem' }}"
|
||||
ETCDCTL_KEY_FILE: "{{ kube_cert_dir + '/etcd/server.key' if etcd_deployment_type == 'kubeadm' else etcd_cert_dir + '/admin-' + groups['etcd'][0] + '-key.pem' }}"
|
||||
ETCDCTL_ENDPOINTS: "{{ etcd_access_addresses }}"
|
||||
|
||||
- name: Canal | Create canal node manifests
|
||||
template:
|
||||
src: "{{ item.file }}.j2"
|
||||
dest: "{{ kube_config_dir }}/{{ item.file }}"
|
||||
mode: 0644
|
||||
with_items:
|
||||
- {name: canal-calico-etcd-secret, file: canal-secret-calico-etcd.yml, type: secret}
|
||||
- {name: canal-config, file: canal-config.yaml, type: cm}
|
||||
- {name: canal-node, file: canal-node.yaml, type: ds}
|
||||
- {name: canal-kube-controllers, file: canal-calico-kube-controllers.yml, type: deployment}
|
||||
- {name: canal-cr, file: canal-cr.yml, type: clusterrole}
|
||||
- {name: canal, file: canal-node-sa.yml, type: sa}
|
||||
- {name: calico-cr, file: canal-cr-calico-node.yml, type: clusterrole}
|
||||
- {name: calico-kube-cr, file: canal-cr-calico-kube-controllers.yml, type: clusterrole}
|
||||
- {name: calico-crd, file: canal-crd-calico.yml, type: crd}
|
||||
- {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
|
||||
- {name: canal, file: canal-crb-canal.yml, type: clusterrolebinding}
|
||||
- {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
|
||||
- {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
|
||||
register: canal_manifests
|
||||
when:
|
||||
- inventory_hostname in groups['kube_control_plane']
|
||||
|
||||
- name: Canal | Install calicoctl wrapper script
|
||||
template:
|
||||
src: calicoctl.sh.j2
|
||||
dest: "{{ bin_dir }}/calicoctl.sh"
|
||||
mode: 0755
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Canal | Create network policy directory
|
||||
file:
|
||||
path: "{{ canal_policy_dir }}"
|
||||
state: directory
|
||||
mode: 0755
|
|
@ -1,6 +0,0 @@
|
|||
#!/bin/bash
|
||||
ETCD_ENDPOINTS={{ etcd_access_addresses }} \
|
||||
ETCD_CA_CERT_FILE={{ calico_cert_dir }}/ca_cert.crt \
|
||||
ETCD_CERT_FILE={{ calico_cert_dir }}/cert.crt \
|
||||
ETCD_KEY_FILE={{ calico_cert_dir }}/key.pem \
|
||||
{{ bin_dir }}/calicoctl "$@"
|
|
@ -1,98 +0,0 @@
|
|||
---
|
||||
# Source: calico/templates/calico-kube-controllers.yaml
|
||||
# See https://github.com/projectcalico/kube-controllers
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: calico-kube-controllers
|
||||
spec:
|
||||
# The controllers can only have a single active instance.
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: calico-kube-controllers
|
||||
strategy:
|
||||
type: Recreate
|
||||
template:
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: calico-kube-controllers
|
||||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
tolerations:
|
||||
# Mark the pod as a critical add-on for rescheduling.
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
effect: NoSchedule
|
||||
serviceAccountName: calico-kube-controllers
|
||||
priorityClassName: system-cluster-critical
|
||||
# The controllers must run in the host network namespace so that
|
||||
# it isn't governed by policy that would prevent it from working.
|
||||
hostNetwork: true
|
||||
containers:
|
||||
- name: calico-kube-controllers
|
||||
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
env:
|
||||
# The location of the etcd cluster.
|
||||
- name: ETCD_ENDPOINTS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_endpoints
|
||||
# Location of the CA certificate for etcd.
|
||||
- name: ETCD_CA_CERT_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_ca
|
||||
# Location of the client key for etcd.
|
||||
- name: ETCD_KEY_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_key
|
||||
# Location of the client certificate for etcd.
|
||||
- name: ETCD_CERT_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_cert
|
||||
# Choose which controllers to run.
|
||||
- name: ENABLED_CONTROLLERS
|
||||
value: policy,namespace,serviceaccount,workloadendpoint,node
|
||||
volumeMounts:
|
||||
# Mount in the etcd TLS secrets.
|
||||
- mountPath: /calico-secrets
|
||||
name: etcd-certs
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /usr/bin/check-status
|
||||
- -l
|
||||
periodSeconds: 10
|
||||
initialDelaySeconds: 10
|
||||
failureThreshold: 6
|
||||
timeoutSeconds: 10
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /usr/bin/check-status
|
||||
- -r
|
||||
periodSeconds: 10
|
||||
volumes:
|
||||
# Mount in the etcd TLS secrets with mode 400.
|
||||
# See https://kubernetes.io/docs/concepts/configuration/secret/
|
||||
- name: etcd-certs
|
||||
secret:
|
||||
secretName: calico-etcd-secrets
|
||||
defaultMode: 0440
|
|
@ -1,79 +0,0 @@
|
|||
# This ConfigMap can be used to configure a self-hosted Canal installation.
|
||||
# See `canal.yaml` for an example of a Canal deployment which uses
|
||||
# the config in this ConfigMap.
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: canal-config
|
||||
namespace: kube-system
|
||||
data:
|
||||
# Configure this with the location of your etcd cluster.
|
||||
etcd_endpoints: "{{ etcd_access_addresses }}"
|
||||
# If you're using TLS enabled etcd uncomment the following.
|
||||
# You must also populate the Secret below with these files.
|
||||
etcd_ca: "/calico-secrets/etcd-ca"
|
||||
etcd_cert: "/calico-secrets/etcd-cert"
|
||||
etcd_key: "/calico-secrets/etcd-key"
|
||||
|
||||
# Typha is disabled.
|
||||
typha_service_name: "none"
|
||||
|
||||
# The interface used by canal for host <-> host communication.
|
||||
# If left blank, then the interface is chosen using the node's
|
||||
# default route.
|
||||
canal_iface: "{{ canal_iface }}"
|
||||
|
||||
# Whether or not to masquerade traffic to destinations not within
|
||||
# the pod network.
|
||||
masquerade: "{{ canal_masquerade }}"
|
||||
|
||||
# Configure the MTU to use for workload interfaces and tunnels.
|
||||
# By default, MTU is auto-detected, and explicitly setting this field should not be required.
|
||||
# You can override auto-detection by providing a non-zero value.
|
||||
veth_mtu: "0"
|
||||
|
||||
# The CNI network configuration to install on each node. The special
|
||||
# values in this config will be automatically populated.
|
||||
cni_network_config: |-
|
||||
{
|
||||
"name": "canal",
|
||||
"cniVersion": "0.3.1",
|
||||
"plugins": [
|
||||
{
|
||||
"type": "flannel",
|
||||
"delegate": {
|
||||
"type": "calico",
|
||||
"include_default_routes": true,
|
||||
"etcd_endpoints": "__ETCD_ENDPOINTS__",
|
||||
"etcd_key_file": "__ETCD_KEY_FILE__",
|
||||
"etcd_cert_file": "__ETCD_CERT_FILE__",
|
||||
"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
|
||||
"log_level": "info",
|
||||
{% if calico_cni_log_file_path %}
|
||||
"log_file_path": "{{ calico_cni_log_file_path }}",
|
||||
{% endif %}
|
||||
"policy": {
|
||||
"type": "k8s",
|
||||
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
|
||||
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
|
||||
},
|
||||
"kubernetes": {
|
||||
"kubeconfig": "__KUBECONFIG_FILEPATH__"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "portmap",
|
||||
"capabilities": {"portMappings": true},
|
||||
"snat": true
|
||||
}
|
||||
]
|
||||
}
|
||||
# Flannel network configuration. Mounted into the flannel container.
|
||||
net-conf.json: |
|
||||
{
|
||||
"Network": "{{ kube_pods_subnet }}",
|
||||
"Backend": {
|
||||
"Type": "vxlan"
|
||||
}
|
||||
}
|
|
@ -1,83 +0,0 @@
|
|||
# Source: calico/templates/calico-kube-controllers-rbac.yaml
|
||||
|
||||
# Include a clusterrole for the kube-controllers component,
|
||||
# and bind it to the calico-kube-controllers serviceaccount.
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
rules:
|
||||
# Nodes are watched to monitor for deletions.
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- nodes
|
||||
verbs:
|
||||
- watch
|
||||
- list
|
||||
- get
|
||||
# Pods are watched to check for existence as part of IPAM controller.
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
# IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
|
||||
- apiGroups: ["crd.projectcalico.org"]
|
||||
resources:
|
||||
- ipreservations
|
||||
verbs:
|
||||
- list
|
||||
- apiGroups: ["crd.projectcalico.org"]
|
||||
resources:
|
||||
- blockaffinities
|
||||
- ipamblocks
|
||||
- ipamhandles
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- watch
|
||||
# Pools are watched to maintain a mapping of blocks to IP pools.
|
||||
- apiGroups: ["crd.projectcalico.org"]
|
||||
resources:
|
||||
- ippools
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
# kube-controllers manages hostendpoints.
|
||||
- apiGroups: ["crd.projectcalico.org"]
|
||||
resources:
|
||||
- hostendpoints
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
# Needs access to update clusterinformations.
|
||||
- apiGroups: ["crd.projectcalico.org"]
|
||||
resources:
|
||||
- clusterinformations
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- create
|
||||
- update
|
||||
- watch
|
||||
# KubeControllersConfiguration is where it gets its config
|
||||
- apiGroups: ["crd.projectcalico.org"]
|
||||
resources:
|
||||
- kubecontrollersconfigurations
|
||||
verbs:
|
||||
# read its own config
|
||||
- get
|
||||
# create a default if none exists
|
||||
- create
|
||||
# update status
|
||||
- update
|
||||
# watch for changes
|
||||
- watch
|
|
@ -1,133 +0,0 @@
|
|||
# Source: calico/templates/calico-node-rbac.yaml
|
||||
# Include a clusterrole for the calico-node DaemonSet,
|
||||
# and bind it to the calico-node serviceaccount.
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: calico-node
|
||||
rules:
|
||||
# Used for creating service account tokens to be used by the CNI plugin
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- serviceaccounts/token
|
||||
resourceNames:
|
||||
- canal
|
||||
verbs:
|
||||
- create
|
||||
# The CNI plugin needs to get pods, nodes, and namespaces.
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
- namespaces
|
||||
verbs:
|
||||
- get
|
||||
# EndpointSlices are used for Service-based network policy rule
|
||||
# enforcement.
|
||||
- apiGroups: ["discovery.k8s.io"]
|
||||
resources:
|
||||
- endpointslices
|
||||
verbs:
|
||||
- watch
|
||||
- list
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- endpoints
|
||||
- services
|
||||
verbs:
|
||||
# Used to discover service IPs for advertisement.
|
||||
- watch
|
||||
- list
|
||||
# Used to discover Typhas.
|
||||
- get
|
||||
# Pod CIDR auto-detection on kubeadm needs access to config maps.
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- nodes/status
|
||||
verbs:
|
||||
# Needed for clearing NodeNetworkUnavailable flag.
|
||||
- patch
|
||||
# Calico stores some configuration information in node annotations.
|
||||
- update
|
||||
# Watch for changes to Kubernetes NetworkPolicies.
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources:
|
||||
- networkpolicies
|
||||
verbs:
|
||||
- watch
|
||||
- list
|
||||
# Used by Calico for policy information.
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods
|
||||
- namespaces
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
# The CNI plugin patches pods/status.
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods/status
|
||||
verbs:
|
||||
- patch
|
||||
# Calico monitors various CRDs for config.
|
||||
- apiGroups: ["crd.projectcalico.org"]
|
||||
resources:
|
||||
- globalfelixconfigs
|
||||
- felixconfigurations
|
||||
- bgppeers
|
||||
- globalbgpconfigs
|
||||
- bgpconfigurations
|
||||
- ippools
|
||||
- ipreservations
|
||||
- ipamblocks
|
||||
- globalnetworkpolicies
|
||||
- globalnetworksets
|
||||
- networkpolicies
|
||||
- networksets
|
||||
- clusterinformations
|
||||
- hostendpoints
|
||||
- blockaffinities
|
||||
- caliconodestatuses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
# Calico must create and update some CRDs on startup.
|
||||
- apiGroups: ["crd.projectcalico.org"]
|
||||
resources:
|
||||
- ippools
|
||||
- felixconfigurations
|
||||
- clusterinformations
|
||||
verbs:
|
||||
- create
|
||||
- update
|
||||
# Calico must update some CRDs.
|
||||
- apiGroups: [ "crd.projectcalico.org" ]
|
||||
resources:
|
||||
- caliconodestatuses
|
||||
verbs:
|
||||
- update
|
||||
# Calico stores some configuration information on the node.
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- nodes
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
# These permissions are only required for upgrade from v2.6, and can
|
||||
# be removed after upgrade or on fresh installations.
|
||||
- apiGroups: ["crd.projectcalico.org"]
|
||||
resources:
|
||||
- bgpconfigurations
|
||||
- bgppeers
|
||||
verbs:
|
||||
- create
|
||||
- update
|
|
@ -1,23 +0,0 @@
|
|||
# Flannel ClusterRole
|
||||
# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: flannel
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- nodes
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- nodes/status
|
||||
verbs:
|
||||
- patch
|
|
@ -1,30 +0,0 @@
|
|||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: canal
|
||||
rules:
|
||||
# Used for creating service account tokens to be used by the CNI plugin
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- serviceaccounts/token
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
- namespaces
|
||||
verbs:
|
||||
- get
|
||||
# Pod CIDR auto-detection on kubeadm needs access to config maps.
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes
|
||||
verbs:
|
||||
- list
|
|
@ -1,27 +0,0 @@
|
|||
---
|
||||
# Bind the calico ClusterRole to the canal ServiceAccount.
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: canal-calico
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: calico-node
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: canal
|
||||
namespace: kube-system
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: calico-kube-controllers
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: calico-kube-controllers
|
||||
namespace: kube-system
|
|
@ -1,12 +0,0 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: canal
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: canal
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: canal
|
||||
namespace: kube-system
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
# Bind the flannel ClusterRole to the canal ServiceAccount.
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: canal-flannel
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: flannel
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: canal
|
||||
namespace: kube-system
|
|
@ -1,12 +0,0 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: canal
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
namespace: kube-system
|
|
@ -1,418 +0,0 @@
|
|||
# Source: calico/templates/calico-node.yaml
|
||||
# This manifest installs the canal container, as well
|
||||
# as the CNI plugins and network config on
|
||||
# each master and worker node in a Kubernetes cluster.
|
||||
kind: DaemonSet
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: canal
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: canal
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: canal
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
rollingUpdate:
|
||||
maxUnavailable: {{ serial | default('20%') }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: canal
|
||||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
hostNetwork: true
|
||||
tolerations:
|
||||
# Make sure canal gets scheduled on all nodes.
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
# Mark the pod as a critical add-on for rescheduling.
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
serviceAccountName: canal
|
||||
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
|
||||
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
|
||||
terminationGracePeriodSeconds: 0
|
||||
priorityClassName: system-node-critical
|
||||
initContainers:
|
||||
# This container installs the CNI binaries
|
||||
# and CNI network config file on each node.
|
||||
- name: install-cni
|
||||
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
command: ["/opt/cni/bin/install"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
|
||||
name: kubernetes-services-endpoint
|
||||
optional: true
|
||||
env:
|
||||
# Set the serviceaccount name to use for the Calico CNI plugin.
|
||||
# We use canal-node instead of calico-node when using flannel networking.
|
||||
- name: CALICO_CNI_SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
# Name of the CNI config file to create.
|
||||
- name: CNI_CONF_NAME
|
||||
value: "10-canal.conflist"
|
||||
# The CNI network config to install on each node.
|
||||
- name: CNI_NETWORK_CONFIG
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: cni_network_config
|
||||
# Set the hostname based on the k8s node name.
|
||||
- name: KUBERNETES_NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
# The location of the etcd cluster.
|
||||
- name: ETCD_ENDPOINTS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_endpoints
|
||||
# Location of the CA certificate for etcd.
|
||||
- name: ETCD_CA_CERT_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_ca
|
||||
# Location of the client key for etcd.
|
||||
- name: ETCD_KEY_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_key
|
||||
# Location of the client certificate for etcd.
|
||||
- name: ETCD_CERT_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_cert
|
||||
# CNI MTU Config variable
|
||||
- name: CNI_MTU
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: veth_mtu
|
||||
# Prevents the container from sleeping forever.
|
||||
- name: SLEEP
|
||||
value: "false"
|
||||
volumeMounts:
|
||||
- mountPath: /host/opt/cni/bin
|
||||
name: cni-bin-dir
|
||||
- mountPath: /host/etc/cni/net.d
|
||||
name: cni-net-dir
|
||||
- mountPath: /calico-secrets
|
||||
name: etcd-certs
|
||||
securityContext:
|
||||
privileged: true
|
||||
# This init container mounts the necessary filesystems needed by the BPF data plane
|
||||
# i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
|
||||
# in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
|
||||
- name: "mount-bpffs"
|
||||
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}"
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
command: ["calico-node", "-init", "-best-effort"]
|
||||
volumeMounts:
|
||||
- mountPath: /sys/fs
|
||||
name: sys-fs
|
||||
# Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
|
||||
# so that it outlives the init container.
|
||||
mountPropagation: Bidirectional
|
||||
- mountPath: /var/run/calico
|
||||
name: var-run-calico
|
||||
# Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
|
||||
# so that it outlives the init container.
|
||||
mountPropagation: Bidirectional
|
||||
# Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
|
||||
# executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
|
||||
- mountPath: /nodeproc
|
||||
name: nodeproc
|
||||
readOnly: true
|
||||
securityContext:
|
||||
privileged: true
|
||||
containers:
|
||||
# Runs canal container on each Kubernetes node. This
|
||||
# container programs network policy and routes on each
|
||||
# host.
|
||||
- name: calico-node
|
||||
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}"
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
|
||||
name: kubernetes-services-endpoint
|
||||
optional: true
|
||||
env:
|
||||
# The location of the etcd cluster.
|
||||
- name: ETCD_ENDPOINTS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_endpoints
|
||||
# Location of the CA certificate for etcd.
|
||||
- name: ETCD_CA_CERT_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_ca
|
||||
# Location of the client key for etcd.
|
||||
- name: ETCD_KEY_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_key
|
||||
# Location of the client certificate for etcd.
|
||||
- name: ETCD_CERT_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_cert
|
||||
# Set noderef for node controller.
|
||||
- name: CALICO_K8S_NODE_REF
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
# Set the serviceaccount name to use for the Calico CNI plugin.
|
||||
# We use canal-node instead of calico-node when using flannel networking.
|
||||
- name: CALICO_CNI_SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
# Don't enable BGP.
|
||||
- name: CALICO_NETWORKING_BACKEND
|
||||
value: "none"
|
||||
# Cluster type to identify the deployment type
|
||||
- name: CLUSTER_TYPE
|
||||
value: "k8s,canal"
|
||||
# Period, in seconds, at which felix re-applies all iptables state
|
||||
- name: FELIX_IPTABLESREFRESHINTERVAL
|
||||
value: "60"
|
||||
# No IP address needed.
|
||||
- name: IP
|
||||
value: ""
|
||||
# The default IPv4 pool to create on startup if none exists. Pod IPs will be
|
||||
# chosen from this range. Changing this value after installation will have
|
||||
# no effect. This should fall within `--cluster-cidr`.
|
||||
# - name: CALICO_IPV4POOL_CIDR
|
||||
# value: "192.168.0.0/16"
|
||||
# Disable file logging so `kubectl logs` works.
|
||||
- name: CALICO_DISABLE_FILE_LOGGING
|
||||
value: "true"
|
||||
# Set Felix endpoint to host default action to ACCEPT.
|
||||
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
|
||||
value: "ACCEPT"
|
||||
# Disable IPv6 on Kubernetes.
|
||||
- name: FELIX_IPV6SUPPORT
|
||||
value: "false"
|
||||
- name: FELIX_HEALTHENABLED
|
||||
value: "true"
|
||||
securityContext:
|
||||
privileged: true
|
||||
resources:
|
||||
limits:
|
||||
cpu: {{ calico_node_cpu_limit }}
|
||||
memory: {{ calico_node_memory_limit }}
|
||||
requests:
|
||||
cpu: {{ calico_node_cpu_requests }}
|
||||
memory: {{ calico_node_memory_requests }}
|
||||
lifecycle:
|
||||
preStop:
|
||||
exec:
|
||||
command:
|
||||
- /bin/calico-node
|
||||
- -shutdown
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /bin/calico-node
|
||||
- -felix-live
|
||||
periodSeconds: 10
|
||||
initialDelaySeconds: 10
|
||||
failureThreshold: 6
|
||||
timeoutSeconds: 10
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /readiness
|
||||
port: 9099
|
||||
host: localhost
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 10
|
||||
volumeMounts:
|
||||
# For maintaining CNI plugin API credentials.
|
||||
- mountPath: /host/etc/cni/net.d
|
||||
name: cni-net-dir
|
||||
readOnly: false
|
||||
- mountPath: /lib/modules
|
||||
name: lib-modules
|
||||
readOnly: true
|
||||
- mountPath: /run/xtables.lock
|
||||
name: xtables-lock
|
||||
readOnly: false
|
||||
- mountPath: /var/run/calico
|
||||
name: var-run-calico
|
||||
readOnly: false
|
||||
- mountPath: /var/lib/calico
|
||||
name: var-lib-calico
|
||||
readOnly: false
|
||||
- mountPath: /calico-secrets
|
||||
name: etcd-certs
|
||||
- name: policysync
|
||||
mountPath: /var/run/nodeagent
|
||||
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
|
||||
# parent directory.
|
||||
- name: bpffs
|
||||
mountPath: /sys/fs/bpf
|
||||
- name: cni-log-dir
|
||||
mountPath: /var/log/calico/cni
|
||||
readOnly: true
|
||||
# Runs the flannel daemon to enable vxlan networking between
|
||||
# container hosts.
|
||||
- name: flannel
|
||||
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
|
||||
command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr"]
|
||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||
env:
|
||||
# The location of the etcd cluster.
|
||||
- name: FLANNELD_ETCD_ENDPOINTS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_endpoints
|
||||
# Location of the CA certificate for etcd.
|
||||
- name: ETCD_CA_CERT_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_ca
|
||||
# Location of the client key for etcd.
|
||||
- name: ETCD_KEY_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_key
|
||||
# Location of the client certificate for etcd.
|
||||
- name: ETCD_CERT_FILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_cert
|
||||
# Location of the CA certificate for etcd.
|
||||
- name: FLANNELD_ETCD_CAFILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_ca
|
||||
# Location of the client key for etcd.
|
||||
- name: FLANNELD_ETCD_KEYFILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_key
|
||||
# Location of the client certificate for etcd.
|
||||
- name: FLANNELD_ETCD_CERTFILE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: etcd_cert
|
||||
# The interface flannel should run on.
|
||||
- name: FLANNELD_IFACE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: canal_iface
|
||||
# Perform masquerade on traffic leaving the pod cidr.
|
||||
- name: FLANNELD_IP_MASQ
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: canal-config
|
||||
key: masquerade
|
||||
# Write the subnet.env file to the mounted directory.
|
||||
- name: FLANNELD_SUBNET_FILE
|
||||
value: "/run/flannel/subnet.env"
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- mountPath: /etc/resolv.conf
|
||||
name: resolv
|
||||
- mountPath: /run/flannel
|
||||
name: run-flannel
|
||||
- mountPath: /calico-secrets
|
||||
name: etcd-certs
|
||||
- name: flannel-cfg
|
||||
mountPath: /etc/kube-flannel/
|
||||
volumes:
|
||||
- name: flannel-cfg
|
||||
configMap:
|
||||
name: canal-config
|
||||
# Used by canal-node.
|
||||
- name: lib-modules
|
||||
hostPath:
|
||||
path: /lib/modules
|
||||
- name: var-run-calico
|
||||
hostPath:
|
||||
path: /var/run/calico
|
||||
- name: var-lib-calico
|
||||
hostPath:
|
||||
path: /var/lib/calico
|
||||
- name: xtables-lock
|
||||
hostPath:
|
||||
path: /run/xtables.lock
|
||||
type: FileOrCreate
|
||||
- name: sys-fs
|
||||
hostPath:
|
||||
path: /sys/fs/
|
||||
type: DirectoryOrCreate
|
||||
- name: bpffs
|
||||
hostPath:
|
||||
path: /sys/fs/bpf
|
||||
type: Directory
|
||||
# mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
|
||||
- name: nodeproc
|
||||
hostPath:
|
||||
path: /proc
|
||||
# Used by flannel.
|
||||
- name: run-flannel
|
||||
hostPath:
|
||||
path: /run/flannel
|
||||
- name: resolv
|
||||
hostPath:
|
||||
path: /etc/resolv.conf
|
||||
# Used to install CNI.
|
||||
- name: cni-bin-dir
|
||||
hostPath:
|
||||
path: /opt/cni/bin
|
||||
- name: cni-net-dir
|
||||
hostPath:
|
||||
path: /etc/cni/net.d
|
||||
# Used to access CNI logs.
|
||||
- name: cni-log-dir
|
||||
hostPath:
|
||||
path: /var/log/calico/cni
|
||||
# Mount in the etcd TLS secrets with mode 400.
|
||||
# See https://kubernetes.io/docs/concepts/configuration/secret/
|
||||
- name: etcd-certs
|
||||
secret:
|
||||
secretName: calico-etcd-secrets
|
||||
defaultMode: 0400
|
||||
# Used to create per-pod Unix Domain Sockets
|
||||
- name: policysync
|
||||
hostPath:
|
||||
type: DirectoryOrCreate
|
||||
path: /var/run/nodeagent
|
|
@ -1,18 +0,0 @@
|
|||
# Source: calico/templates/calico-etcd-secrets.yaml
|
||||
# The following contains k8s Secrets for use with a TLS enabled etcd cluster.
|
||||
# For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: calico-etcd-secrets
|
||||
namespace: kube-system
|
||||
data:
|
||||
# Populate the following with etcd TLS configuration if desired, but leave blank if
|
||||
# not using TLS for etcd.
|
||||
# The keys below should be uncommented and the values populated with the base64
|
||||
# encoded contents of each file that would be associated with the TLS data.
|
||||
# Example command for encoding a file contents: cat <file> | base64 -w 0
|
||||
etcd-key: {{ etcd_key_file.content }}
|
||||
etcd-cert: {{ etcd_cert_file.content }}
|
||||
etcd-ca: {{ etcd_ca_cert_file.content }}
|
|
@ -1,34 +0,0 @@
|
|||
{
|
||||
"name": "canal",
|
||||
"cniVersion": "0.3.1",
|
||||
"plugins": [
|
||||
{
|
||||
"type": "flannel",
|
||||
"delegate": {
|
||||
"type": "calico",
|
||||
"include_default_routes": true,
|
||||
"etcd_endpoints": "__ETCD_ENDPOINTS__",
|
||||
"etcd_key_file": "__ETCD_KEY_FILE__",
|
||||
"etcd_cert_file": "__ETCD_CERT_FILE__",
|
||||
"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
|
||||
"log_level": "info",
|
||||
{% if calico_cni_log_file_path %}
|
||||
"log_file_path": "{{ calico_cni_log_file_path }}",
|
||||
{% endif %}
|
||||
"policy": {
|
||||
"type": "k8s",
|
||||
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
|
||||
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
|
||||
},
|
||||
"kubernetes": {
|
||||
"kubeconfig": "__KUBECONFIG_FILEPATH__"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "portmap",
|
||||
"capabilities": {"portMappings": true},
|
||||
"snat": true
|
||||
}
|
||||
]
|
||||
}
|
|
@ -16,4 +16,4 @@
|
|||
networking
|
||||
{%- endif %}
|
||||
state: restarted
|
||||
when: not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] and kube_network_plugin not in ['canal', 'calico']
|
||||
when: not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] and kube_network_plugin not in ['calico']
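Review bot: The rewritten `when:` on the last line of the hunk keeps the `not ansible_os_family in [...]` spelling and a now one-element `not in ['calico']` list, both of which read awkwardly once canal is gone. Ansible's idiomatic form is `when: ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"] and kube_network_plugin != 'calico'`, which is equivalent and makes the single remaining exclusion explicit. Keeping the membership test is only worth it if another plugin is expected to be added back to that list. The task this condition belongs to (apparently the networking restart with `state: restarted`) starts outside the hunk, so the exclusion semantics of the other plugins cannot be confirmed from here.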
|
||||
|
|
|
@ -22,11 +22,6 @@ dependencies:
|
|||
tags:
|
||||
- weave
|
||||
|
||||
- role: network_plugin/canal
|
||||
when: kube_network_plugin == 'canal'
|
||||
tags:
|
||||
- canal
|
||||
|
||||
- role: network_plugin/macvlan
|
||||
when: kube_network_plugin == 'macvlan'
|
||||
tags:
|
||||
|
|