kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update calico template (#11634) 

Signed-off-by: KubeKyrie <shaolong.qin@daocloud.io>
pull/11677/head
kyrie 2024-10-31 10:21:26 +08:00 committed by GitHub
parent bb7b4e0c7c
commit d0f1d520ec
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 58 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
roles/kubespray-defaults/defaults/main/download.yml
View File

@ -103,7 +103,6 @@ github_image_repo: "ghcr.io"
calico_version: "v3.28.1" calico_version: "v3.28.1"
calico_ctl_version: "{{ calico_version }}" calico_ctl_version: "{{ calico_version }}"
calico_cni_version: "{{ calico_version }}" calico_cni_version: "{{ calico_version }}"
calico_flexvol_version: "{{ calico_version }}"
calico_policy_version: "{{ calico_version }}" calico_policy_version: "{{ calico_version }}"
calico_typha_version: "{{ calico_version }}" calico_typha_version: "{{ calico_version }}"
calico_apiserver_version: "{{ calico_version }}" calico_apiserver_version: "{{ calico_version }}"
@ -238,8 +237,6 @@ calico_node_image_repo: "{{ quay_image_repo }}/calico/node"
calico_node_image_tag: "{{ calico_version }}" calico_node_image_tag: "{{ calico_version }}"
calico_cni_image_repo: "{{ quay_image_repo }}/calico/cni" calico_cni_image_repo: "{{ quay_image_repo }}/calico/cni"
calico_cni_image_tag: "{{ calico_cni_version }}" calico_cni_image_tag: "{{ calico_cni_version }}"
calico_flexvol_image_repo: "{{ quay_image_repo }}/calico/pod2daemon-flexvol"
calico_flexvol_image_tag: "{{ calico_flexvol_version }}"
calico_policy_image_repo: "{{ quay_image_repo }}/calico/kube-controllers" calico_policy_image_repo: "{{ quay_image_repo }}/calico/kube-controllers"
calico_policy_image_tag: "{{ calico_policy_version }}" calico_policy_image_tag: "{{ calico_policy_version }}"
calico_typha_image_repo: "{{ quay_image_repo }}/calico/typha" calico_typha_image_repo: "{{ quay_image_repo }}/calico/typha"
@ -793,15 +790,6 @@ downloads:
groups: groups:
- k8s_cluster - k8s_cluster
calico_flexvol:
enabled: "{{ kube_network_plugin == 'calico' }}"
container: true
repo: "{{ calico_flexvol_image_repo }}"
tag: "{{ calico_flexvol_image_tag }}"
sha256: "{{ calico_flexvol_digest_checksum | default(None) }}"
groups:
- k8s_cluster
calico_policy: calico_policy:
enabled: "{{ enable_network_policy and kube_network_plugin in ['calico'] }}" enabled: "{{ enable_network_policy and kube_network_plugin in ['calico'] }}"
container: true container: true

96
roles/network_plugin/calico/templates/calico-node.yml.j2
View File

@ -13,6 +13,10 @@ spec:
selector: selector:
matchLabels: matchLabels:
k8s-app: calico-node k8s-app: calico-node
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template: template:
metadata: metadata:
labels: labels:
@ -30,10 +34,16 @@ spec:
{{ calico_ds_nodeselector }} {{ calico_ds_nodeselector }}
priorityClassName: system-node-critical priorityClassName: system-node-critical
hostNetwork: true hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: calico-node serviceAccountName: calico-node
tolerations: tolerations:
- operator: Exists # Make sure calico-node gets scheduled on all nodes.
- effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0 terminationGracePeriodSeconds: 0
@ -90,9 +100,11 @@ spec:
# Name of the CNI config file to create. # Name of the CNI config file to create.
- name: CNI_CONF_NAME - name: CNI_CONF_NAME
value: "10-calico.conflist" value: "10-calico.conflist"
# Install CNI binaries {% if calico_mtu is defined %}
- name: UPDATE_CNI_BINARIES # CNI MTU Config variable
value: "true" - name: CNI_MTU
value: "{{ calico_veth_mtu | default(calico_mtu) }}"
{% endif %}
# Prevents the container from sleeping forever. # Prevents the container from sleeping forever.
- name: SLEEP - name: SLEEP
value: "false" value: "false"
@ -117,14 +129,29 @@ spec:
name: cni-bin-dir name: cni-bin-dir
securityContext: securityContext:
privileged: true privileged: true
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # This init container mounts the necessary filesystems needed by the BPF data plane
# to communicate with Felix over the Policy Sync API. # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
- name: flexvol-driver # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
image: {{ calico_flexvol_image_repo }}:{{ calico_flexvol_image_tag }} - name: "mount-bpffs"
image: {{ calico_node_image_repo }}:{{ calico_node_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
command: ["calico-node", "-init", "-best-effort"]
volumeMounts: volumeMounts:
- name: flexvol-driver-host - mountPath: /sys/fs
mountPath: /host/driver name: sys-fs
# Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
# so that it outlives the init container.
mountPropagation: Bidirectional
- mountPath: /var/run/calico
name: var-run-calico
# Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
# so that it outlives the init container.
mountPropagation: Bidirectional
# Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
# executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
- mountPath: /nodeproc
name: nodeproc
readOnly: true
securityContext: securityContext:
privileged: true privileged: true
containers: containers:
@ -205,10 +232,7 @@ spec:
key: calico_backend key: calico_backend
# Cluster type to identify the deployment type # Cluster type to identify the deployment type
- name: CLUSTER_TYPE - name: CLUSTER_TYPE
valueFrom: value: "k8s,bgp"
configMapKeyRef:
name: calico-config
key: cluster_type
# Set noderef for node controller. # Set noderef for node controller.
- name: CALICO_K8S_NODE_REF - name: CALICO_K8S_NODE_REF
valueFrom: valueFrom:
@ -230,12 +254,16 @@ spec:
value: "{{ calico_iptables_backend }}" value: "{{ calico_iptables_backend }}"
- name: FELIX_IPTABLESLOCKTIMEOUTSECS - name: FELIX_IPTABLESLOCKTIMEOUTSECS
value: "{{ calico_iptables_lock_timeout_secs }}" value: "{{ calico_iptables_lock_timeout_secs }}"
# should be set in etcd before deployment # The default IPv4 pool to create on startup if none exists. Pod IPs will be
# # Configure the IP Pool from which Pod IPs will be chosen. # chosen from this range. Changing this value after installation will have
# - name: CALICO_IPV4POOL_CIDR # no effect. This should fall within `--cluster-cidr`.
# value: "{{ calico_pool_cidr | default(kube_pods_subnet) }}" # - name: CALICO_IPV4POOL_CIDR
# value: "192.168.0.0/16"
- name: CALICO_IPV4POOL_IPIP - name: CALICO_IPV4POOL_IPIP
value: "{{ calico_ipv4pool_ipip }}" value: "{{ calico_ipv4pool_ipip }}"
# Enable or Disable VXLAN on the default IP pool.
- name: CALICO_IPV4POOL_VXLAN
value: "Never"
- name: FELIX_IPV6SUPPORT - name: FELIX_IPV6SUPPORT
value: "{{ enable_dual_stack_networks | default(false) }}" value: "{{ enable_dual_stack_networks | default(false) }}"
# Set Felix logging to "info" # Set Felix logging to "info"
@ -391,15 +419,10 @@ spec:
{% endif %} {% endif %}
- name: policysync - name: policysync
mountPath: /var/run/nodeagent mountPath: /var/run/nodeagent
{% if calico_bpf_enabled %}
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
# parent directory. # parent directory.
- name: sysfs - name: bpffs
mountPath: /sys/fs/ mountPath: /sys/fs/bpf
# Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
# If the host is known to mount that filesystem already then Bidirectional can be omitted.
mountPropagation: Bidirectional
{% endif %}
- name: cni-log-dir - name: cni-log-dir
mountPath: /var/log/calico/cni mountPath: /var/log/calico/cni
readOnly: true readOnly: true
@ -456,12 +479,18 @@ spec:
hostPath: hostPath:
path: "/etc/kubernetes/ssl/" path: "/etc/kubernetes/ssl/"
{% endif %} {% endif %}
{% if calico_bpf_enabled %} - name: sys-fs
- name: sysfs
hostPath: hostPath:
path: /sys/fs/ path: /sys/fs/
type: DirectoryOrCreate type: DirectoryOrCreate
{% endif %} - name: bpffs
hostPath:
path: /sys/fs/bpf
type: Directory
# mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
- name: nodeproc
hostPath:
path: /proc
# Used to access CNI logs. # Used to access CNI logs.
- name: cni-log-dir - name: cni-log-dir
hostPath: hostPath:
@ -471,12 +500,3 @@ spec:
hostPath: hostPath:
type: DirectoryOrCreate type: DirectoryOrCreate
path: /var/run/nodeagent path: /var/run/nodeagent
# Used to install Flex Volume Driver
- name: flexvol-driver-host
hostPath:
type: DirectoryOrCreate
path: "{{ kubelet_flexvolumes_plugins_dir | default('/usr/libexec/kubernetes/kubelet-plugins/volume/exec') }}/nodeagent~uds"
updateStrategy:
rollingUpdate:
maxUnavailable: {{ serial | default('20%') }}
type: RollingUpdate