diff --git a/roles/kubespray-defaults/defaults/main/download.yml b/roles/kubespray-defaults/defaults/main/download.yml index 35c1fe48a..63ef6ec60 100644 --- a/roles/kubespray-defaults/defaults/main/download.yml +++ b/roles/kubespray-defaults/defaults/main/download.yml @@ -103,7 +103,6 @@ github_image_repo: "ghcr.io" calico_version: "v3.28.1" calico_ctl_version: "{{ calico_version }}" calico_cni_version: "{{ calico_version }}" -calico_flexvol_version: "{{ calico_version }}" calico_policy_version: "{{ calico_version }}" calico_typha_version: "{{ calico_version }}" calico_apiserver_version: "{{ calico_version }}" @@ -238,8 +237,6 @@ calico_node_image_repo: "{{ quay_image_repo }}/calico/node" calico_node_image_tag: "{{ calico_version }}" calico_cni_image_repo: "{{ quay_image_repo }}/calico/cni" calico_cni_image_tag: "{{ calico_cni_version }}" -calico_flexvol_image_repo: "{{ quay_image_repo }}/calico/pod2daemon-flexvol" -calico_flexvol_image_tag: "{{ calico_flexvol_version }}" calico_policy_image_repo: "{{ quay_image_repo }}/calico/kube-controllers" calico_policy_image_tag: "{{ calico_policy_version }}" calico_typha_image_repo: "{{ quay_image_repo }}/calico/typha" @@ -793,15 +790,6 @@ downloads: groups: - k8s_cluster - calico_flexvol: - enabled: "{{ kube_network_plugin == 'calico' }}" - container: true - repo: "{{ calico_flexvol_image_repo }}" - tag: "{{ calico_flexvol_image_tag }}" - sha256: "{{ calico_flexvol_digest_checksum | default(None) }}" - groups: - - k8s_cluster - calico_policy: enabled: "{{ enable_network_policy and kube_network_plugin in ['calico'] }}" container: true diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2 index fbaa9fe7e..10151cdb6 100644 --- a/roles/network_plugin/calico/templates/calico-node.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-node.yml.j2 
@@ -13,6 +13,10 @@ spec: selector: matchLabels: k8s-app: calico-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 template: metadata: labels: @@ -30,10 +34,16 @@ spec: {{ calico_ds_nodeselector }} priorityClassName: system-node-critical hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet serviceAccountName: calico-node tolerations: - - operator: Exists + # Make sure calico-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. terminationGracePeriodSeconds: 0 @@ -90,9 +100,11 @@ spec: # Name of the CNI config file to create. - name: CNI_CONF_NAME value: "10-calico.conflist" - # Install CNI binaries - - name: UPDATE_CNI_BINARIES - value: "true" +{% if calico_mtu is defined %} + # CNI MTU Config variable + - name: CNI_MTU + value: "{{ calico_veth_mtu | default(calico_mtu) }}" +{% endif %} # Prevents the container from sleeping forever. - name: SLEEP value: "false" 
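Review bot: `maxUnavailable: 1` is now a hardcoded constant, whereas the updateStrategy block it replaces (deleted in the last hunk of this diff) used `{{ serial | default('20%') }}`, so an operator's `serial` setting no longer shapes the calico-node rollout and on large clusters a DaemonSet upgrade now proceeds strictly one node at a time. If dropping that override is intended it deserves a line in the upgrade notes; otherwise keep it templated at the new location: `maxUnavailable: {{ serial | default('20%') }}`. Leave the rendered value unquoted, because the API accepts an integer or a percentage string and a quoted plain integer fails validation.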
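Review bot: Dropping `dnsPolicy: ClusterFirstWithHostNet` is a silent behaviour change for a `hostNetwork: true` pod: with no dnsPolicy the kubelet applies ClusterFirst, which for host-network pods falls back to the node's own resolver instead of cluster DNS. Nothing in this hunk shows calico-node resolving an in-cluster name (Typha is normally located via the API server), so this is probably harmless, but the removal should be deliberate and mentioned in the commit message; if any cluster-internal name is resolved, restore `dnsPolicy: ClusterFirstWithHostNet` directly under `hostNetwork: true`. The tolerations rewrite matches the upstream manifest and still lands the pod on every tainted node, since NoSchedule and NoExecute are both tolerated with `operator: Exists`.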
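Review bot: The `{% if calico_mtu is defined %}` guard does not agree with the value it wraps: `calico_veth_mtu | default(calico_mtu)` prefers `calico_veth_mtu`, yet an inventory that sets only `calico_veth_mtu` never emits a `CNI_MTU` entry at all. Unless `calico_mtu` is always defined in the role defaults (not visible here), widen the guard to `{% if calico_veth_mtu is defined or calico_mtu is defined %}`, or drop the fallback so the two lines express one rule. Removing `UPDATE_CNI_BINARIES` is fine only if install-cni's default remains true, as it has been upstream; a one-line comment saying the default is relied upon would stop the next reader from re-adding it.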
@@ -117,14 +129,29 @@ spec: name: cni-bin-dir securityContext: privileged: true - # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes - # to communicate with Felix over the Policy Sync API. - - name: flexvol-driver - image: {{ calico_flexvol_image_repo }}:{{ calico_flexvol_image_tag }} + # This init container mounts the necessary filesystems needed by the BPF data plane + # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed + # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. + - name: "mount-bpffs" + image: {{ calico_node_image_repo }}:{{ calico_node_image_tag }} imagePullPolicy: {{ k8s_image_pull_policy }} + command: ["calico-node", "-init", "-best-effort"] volumeMounts: - - name: flexvol-driver-host - mountPath: /host/driver + - mountPath: /sys/fs + name: sys-fs + # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host + # so that it outlives the init container. + mountPropagation: Bidirectional + - mountPath: /var/run/calico + name: var-run-calico + # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host + # so that it outlives the init container. + mountPropagation: Bidirectional + # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary, + # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly. + - mountPath: /nodeproc + name: nodeproc + readOnly: true securityContext: privileged: true containers: @@ -205,10 +232,7 @@ spec: key: calico_backend # Cluster type to identify the deployment type - name: CLUSTER_TYPE - valueFrom: - configMapKeyRef: - name: calico-config - key: cluster_type + value: "k8s,bgp" # Set noderef for node controller. - name: CALICO_K8S_NODE_REF valueFrom: 
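Review bot: The mount-bpffs init container runs unconditionally, whereas the `/sys/fs` mount it replaces was wrapped in `{% if calico_bpf_enabled %}`: every calico-node pod, including those on iptables-mode clusters, now runs a privileged step with `mountPropagation: Bidirectional` on `/sys/fs` and `/var/run/calico` that mounts bpffs and a cgroup2 hierarchy onto the host. `-best-effort` keeps a failure from blocking the pod, but the hunk's own comments say the host-side mounts are meant to outlive the container and nothing here ever unmounts them. If Kubespray does not need dataplane switching without a redeploy, consider gating the init container alone with `{% if calico_bpf_enabled %}` (the volumes can stay); otherwise add a comment stating that the mounts are intentional in iptables mode. The `readOnly: true` on `/nodeproc` is the right call and must survive any later edit of this block.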
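Review bot: `CLUSTER_TYPE` is now the literal `"k8s,bgp"` instead of the `cluster_type` key of the calico-config ConfigMap, so that key, if it is still templated elsewhere in the role (not visible here), becomes dead unless removed in the same change, and any Kubespray-specific marker it carried is lost. The literal also asserts BGP for every deployment, which is inaccurate if the role supports a VXLAN-only network backend. Either keep the `configMapKeyRef`, or template the value from the role's backend variable so it reflects bird versus vxlan, and add a short comment explaining that the value is only informational. The env list continues outside this hunk.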
@@ -230,12 +254,16 @@ spec: value: "{{ calico_iptables_backend }}" - name: FELIX_IPTABLESLOCKTIMEOUTSECS value: "{{ calico_iptables_lock_timeout_secs }}" -# should be set in etcd before deployment -# # Configure the IP Pool from which Pod IPs will be chosen. -# - name: CALICO_IPV4POOL_CIDR -# value: "{{ calico_pool_cidr | default(kube_pods_subnet) }}" + # The default IPv4 pool to create on startup if none exists. Pod IPs will be + # chosen from this range. Changing this value after installation will have + # no effect. This should fall within `--cluster-cidr`. + # - name: CALICO_IPV4POOL_CIDR + # value: "192.168.0.0/16" - name: CALICO_IPV4POOL_IPIP value: "{{ calico_ipv4pool_ipip }}" + # Enable or Disable VXLAN on the default IP pool. + - name: CALICO_IPV4POOL_VXLAN + value: "Never" - name: FELIX_IPV6SUPPORT value: "{{ enable_dual_stack_networks | default(false) }}" # Set Felix logging to "info" @@ -391,15 +419,10 @@ spec: {% endif %} - name: policysync mountPath: /var/run/nodeagent -{% if calico_bpf_enabled %} # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the # parent directory. - - name: sysfs - mountPath: /sys/fs/ - # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host. - # If the host is known to mount that filesystem already then Bidirectional can be omitted. - mountPropagation: Bidirectional -{% endif %} + - name: bpffs + mountPath: /sys/fs/bpf - name: cni-log-dir mountPath: /var/log/calico/cni readOnly: true 
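Review bot: `CALICO_IPV4POOL_VXLAN` is hardcoded to `"Never"` right under an IPIP setting that is templated from `calico_ipv4pool_ipip`, so the two pool encapsulation knobs are handled inconsistently; if the role exposes a VXLAN mode variable, use it the same way: `value: "{{ calico_vxlan_mode | default('Never') }}"`. The deleted comment `# should be set in etcd before deployment` implied why `CALICO_IPV4POOL_CIDR` stays commented out (the pool is created ahead of calico-node), whereas the upstream replacement text with `192.168.0.0/16` reads as if uncommenting it were the intended way to set the CIDR. Keep a one-line Kubespray note there, e.g. `# Left unset on purpose: the IP pool is created before calico-node starts; see calico_pool_cidr / kube_pods_subnet.`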
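Review bot: The context comment kept above the new volumeMount is now stale: it says the BPF filesystem is mounted at `/sys/fs/bpf` "so we mount in the parent directory", but the new mount is exactly `/sys/fs/bpf` with no parent and no `mountPropagation`, because the mount-bpffs init container added earlier in this diff now performs the host mount. Replace the two comment lines with `# In eBPF mode Felix needs the BPF filesystem; the mount-bpffs init container mounts it on the host at /sys/fs/bpf, so a plain mount of that path is enough here.` Since the `calico_bpf_enabled` guard is gone, the mount is also present in iptables mode, which works only while `/sys/fs/bpf` exists on the host given the `type: Directory` hostPath added later in this diff; that precondition belongs in the same comment. The volumeMounts list continues outside the hunk.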
@@ -456,12 +479,18 @@ spec: hostPath: path: "/etc/kubernetes/ssl/" {% endif %} -{% if calico_bpf_enabled %} - - name: sysfs + - name: sys-fs hostPath: path: /sys/fs/ type: DirectoryOrCreate -{% endif %} + - name: bpffs + hostPath: + path: /sys/fs/bpf + type: Directory + # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs. + - name: nodeproc + hostPath: + path: /proc # Used to access CNI logs. - name: cni-log-dir hostPath: @@ -471,12 +500,3 @@ spec: hostPath: type: DirectoryOrCreate path: /var/run/nodeagent - # Used to install Flex Volume Driver - - name: flexvol-driver-host - hostPath: - type: DirectoryOrCreate - path: "{{ kubelet_flexvolumes_plugins_dir | default('/usr/libexec/kubernetes/kubelet-plugins/volume/exec') }}/nodeagent~uds" - updateStrategy: - rollingUpdate: - maxUnavailable: {{ serial | default('20%') }} - type: RollingUpdate
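Review bot: `sys-fs` declares `type: DirectoryOrCreate` while the adjacent `bpffs` entry declares `type: Directory`; the kubelet cannot create directories inside sysfs, so `OrCreate` is misleading and `type: Directory` states the real precondition consistently for both. The `nodeproc` hostPath should carry `type: Directory` for the same reason, and its comment should record that the consuming mount is read-only, e.g. `# mount /proc at /nodeproc (read-only) for the mount-bpffs initContainer to mount the root cgroup2 fs.`, because exposing host `/proc` is the entry that admission policies with hostPath allow-lists will flag. All three volumes are now unconditional, so iptables-mode clusters gain these host mounts on upgrade; that is worth a sentence in the commit message.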