update calico template (#11634)

Signed-off-by: KubeKyrie <shaolong.qin@daocloud.io>
pull/11677/head
kyrie 2024-10-31 10:21:26 +08:00 committed by GitHub
parent bb7b4e0c7c
commit d0f1d520ec
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 58 additions and 50 deletions

View File

@ -103,7 +103,6 @@ github_image_repo: "ghcr.io"
calico_version: "v3.28.1"
calico_ctl_version: "{{ calico_version }}"
calico_cni_version: "{{ calico_version }}"
calico_flexvol_version: "{{ calico_version }}"
calico_policy_version: "{{ calico_version }}"
calico_typha_version: "{{ calico_version }}"
calico_apiserver_version: "{{ calico_version }}"
@ -238,8 +237,6 @@ calico_node_image_repo: "{{ quay_image_repo }}/calico/node"
calico_node_image_tag: "{{ calico_version }}"
calico_cni_image_repo: "{{ quay_image_repo }}/calico/cni"
calico_cni_image_tag: "{{ calico_cni_version }}"
calico_flexvol_image_repo: "{{ quay_image_repo }}/calico/pod2daemon-flexvol"
calico_flexvol_image_tag: "{{ calico_flexvol_version }}"
calico_policy_image_repo: "{{ quay_image_repo }}/calico/kube-controllers"
calico_policy_image_tag: "{{ calico_policy_version }}"
calico_typha_image_repo: "{{ quay_image_repo }}/calico/typha"
@ -793,15 +790,6 @@ downloads:
groups:
- k8s_cluster
calico_flexvol:
enabled: "{{ kube_network_plugin == 'calico' }}"
container: true
repo: "{{ calico_flexvol_image_repo }}"
tag: "{{ calico_flexvol_image_tag }}"
sha256: "{{ calico_flexvol_digest_checksum | default(None) }}"
groups:
- k8s_cluster
calico_policy:
enabled: "{{ enable_network_policy and kube_network_plugin in ['calico'] }}"
container: true

View File

@ -13,6 +13,10 @@ spec:
selector:
matchLabels:
k8s-app: calico-node
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
@ -30,10 +34,16 @@ spec:
{{ calico_ds_nodeselector }}
priorityClassName: system-node-critical
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: calico-node
tolerations:
- operator: Exists
# Make sure calico-node gets scheduled on all nodes.
- effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
@ -90,9 +100,11 @@ spec:
# Name of the CNI config file to create.
- name: CNI_CONF_NAME
value: "10-calico.conflist"
# Install CNI binaries
- name: UPDATE_CNI_BINARIES
value: "true"
{% if calico_mtu is defined %}
# CNI MTU Config variable
- name: CNI_MTU
value: "{{ calico_veth_mtu | default(calico_mtu) }}"
{% endif %}
# Prevents the container from sleeping forever.
- name: SLEEP
value: "false"
@ -117,14 +129,29 @@ spec:
name: cni-bin-dir
securityContext:
privileged: true
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
# to communicate with Felix over the Policy Sync API.
- name: flexvol-driver
image: {{ calico_flexvol_image_repo }}:{{ calico_flexvol_image_tag }}
# This init container mounts the necessary filesystems needed by the BPF data plane
# i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
# in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
- name: "mount-bpffs"
image: {{ calico_node_image_repo }}:{{ calico_node_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
command: ["calico-node", "-init", "-best-effort"]
volumeMounts:
- name: flexvol-driver-host
mountPath: /host/driver
- mountPath: /sys/fs
name: sys-fs
# Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
# so that it outlives the init container.
mountPropagation: Bidirectional
- mountPath: /var/run/calico
name: var-run-calico
# Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
# so that it outlives the init container.
mountPropagation: Bidirectional
# Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
# executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
- mountPath: /nodeproc
name: nodeproc
readOnly: true
securityContext:
privileged: true
containers:
@ -205,10 +232,7 @@ spec:
key: calico_backend
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
valueFrom:
configMapKeyRef:
name: calico-config
key: cluster_type
value: "k8s,bgp"
# Set noderef for node controller.
- name: CALICO_K8S_NODE_REF
valueFrom:
@ -230,12 +254,16 @@ spec:
value: "{{ calico_iptables_backend }}"
- name: FELIX_IPTABLESLOCKTIMEOUTSECS
value: "{{ calico_iptables_lock_timeout_secs }}"
# should be set in etcd before deployment
# # Configure the IP Pool from which Pod IPs will be chosen.
# The default IPv4 pool to create on startup if none exists. Pod IPs will be
# chosen from this range. Changing this value after installation will have
# no effect. This should fall within `--cluster-cidr`.
# - name: CALICO_IPV4POOL_CIDR
# value: "{{ calico_pool_cidr | default(kube_pods_subnet) }}"
# value: "192.168.0.0/16"
- name: CALICO_IPV4POOL_IPIP
value: "{{ calico_ipv4pool_ipip }}"
# Enable or Disable VXLAN on the default IP pool.
- name: CALICO_IPV4POOL_VXLAN
value: "Never"
- name: FELIX_IPV6SUPPORT
value: "{{ enable_dual_stack_networks | default(false) }}"
# Set Felix logging to "info"
@ -391,15 +419,10 @@ spec:
{% endif %}
- name: policysync
mountPath: /var/run/nodeagent
{% if calico_bpf_enabled %}
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
# parent directory.
- name: sysfs
mountPath: /sys/fs/
# Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
# If the host is known to mount that filesystem already then Bidirectional can be omitted.
mountPropagation: Bidirectional
{% endif %}
- name: bpffs
mountPath: /sys/fs/bpf
- name: cni-log-dir
mountPath: /var/log/calico/cni
readOnly: true
@ -456,12 +479,18 @@ spec:
hostPath:
path: "/etc/kubernetes/ssl/"
{% endif %}
{% if calico_bpf_enabled %}
- name: sysfs
- name: sys-fs
hostPath:
path: /sys/fs/
type: DirectoryOrCreate
{% endif %}
- name: bpffs
hostPath:
path: /sys/fs/bpf
type: Directory
# mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
- name: nodeproc
hostPath:
path: /proc
# Used to access CNI logs.
- name: cni-log-dir
hostPath:
@ -471,12 +500,3 @@ spec:
hostPath:
type: DirectoryOrCreate
path: /var/run/nodeagent
# Used to install Flex Volume Driver
- name: flexvol-driver-host
hostPath:
type: DirectoryOrCreate
path: "{{ kubelet_flexvolumes_plugins_dir | default('/usr/libexec/kubernetes/kubelet-plugins/volume/exec') }}/nodeagent~uds"
updateStrategy:
rollingUpdate:
maxUnavailable: {{ serial | default('20%') }}
type: RollingUpdate