Align canal templates with calico official ones (k8s datastore)
parent
b4318e9967
commit
eb10249a75
|
@ -55,8 +55,11 @@
|
||||||
with_items:
|
with_items:
|
||||||
- {name: canal-config, file: canal-config.yaml, type: cm}
|
- {name: canal-config, file: canal-config.yaml, type: cm}
|
||||||
- {name: canal-node, file: canal-node.yaml, type: ds}
|
- {name: canal-node, file: canal-node.yaml, type: ds}
|
||||||
|
- {name: canal-kube-controllers, file: canal-calico-kube-controllers.yml, type: deployment}
|
||||||
- {name: canal, file: canal-node-sa.yml, type: sa}
|
- {name: canal, file: canal-node-sa.yml, type: sa}
|
||||||
- {name: calico, file: canal-cr-calico.yml, type: clusterrole}
|
- {name: calico-cr, file: canal-cr-calico-node.yml, type: clusterrole}
|
||||||
|
- {name: calico-kube-cr, file: canal-cr-calico-kube-controllers.yml, type: clusterrole}
|
||||||
|
- {name: calico-crd, file: canal-crd-calico.yml, type: crd}
|
||||||
- {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
|
- {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
|
||||||
- {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
|
- {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
|
||||||
- {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
|
- {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
|
||||||
|
|
|
@ -0,0 +1,59 @@
|
||||||
|
---
|
||||||
|
# Source: calico/templates/calico-kube-controllers.yaml
|
||||||
|
# See https://github.com/projectcalico/kube-controllers
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: calico-kube-controllers
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
k8s-app: calico-kube-controllers
|
||||||
|
spec:
|
||||||
|
# The controllers can only have a single active instance.
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
k8s-app: calico-kube-controllers
|
||||||
|
strategy:
|
||||||
|
type: Recreate
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: calico-kube-controllers
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
k8s-app: calico-kube-controllers
|
||||||
|
spec:
|
||||||
|
nodeSelector:
|
||||||
|
kubernetes.io/os: linux
|
||||||
|
tolerations:
|
||||||
|
# Mark the pod as a critical add-on for rescheduling.
|
||||||
|
- key: CriticalAddonsOnly
|
||||||
|
operator: Exists
|
||||||
|
- key: node-role.kubernetes.io/master
|
||||||
|
effect: NoSchedule
|
||||||
|
serviceAccountName: calico-kube-controllers
|
||||||
|
priorityClassName: system-cluster-critical
|
||||||
|
containers:
|
||||||
|
- name: calico-kube-controllers
|
||||||
|
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
||||||
|
env:
|
||||||
|
# Choose which controllers to run.
|
||||||
|
- name: ENABLED_CONTROLLERS
|
||||||
|
value: node
|
||||||
|
- name: DATASTORE_TYPE
|
||||||
|
value: kubernetes
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /usr/bin/check-status
|
||||||
|
- -l
|
||||||
|
periodSeconds: 10
|
||||||
|
initialDelaySeconds: 10
|
||||||
|
failureThreshold: 6
|
||||||
|
timeoutSeconds: 10
|
||||||
|
readinessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /usr/bin/check-status
|
||||||
|
- -r
|
||||||
|
periodSeconds: 10
|
|
@ -5,23 +5,69 @@ kind: ConfigMap
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
metadata:
|
metadata:
|
||||||
name: canal-config
|
name: canal-config
|
||||||
|
namespace: kube-system
|
||||||
data:
|
data:
|
||||||
# Configure this with the location of your etcd cluster.
|
# Typha is disabled.
|
||||||
etcd_endpoints: "{{ etcd_access_addresses }}"
|
typha_service_name: "none"
|
||||||
|
|
||||||
# The interface used by canal for host <-> host communication.
|
# The interface used by canal for host <-> host communication.
|
||||||
# If left blank, then the interface is choosing using the node's
|
# If left blank, then the interface is chosen using the node's
|
||||||
# default route.
|
# default route.
|
||||||
flanneld_iface: "{{ canal_iface }}"
|
canal_iface: "{{ canal_iface }}"
|
||||||
|
|
||||||
# Whether or not to masquerade traffic to destinations not within
|
# Whether or not to masquerade traffic to destinations not within
|
||||||
# the pod network.
|
# the pod network.
|
||||||
masquerade: "{{ canal_masquerade }}"
|
masquerade: "{{ canal_masquerade }}"
|
||||||
|
|
||||||
# Cluster name for Flannel etcd path
|
# Configure the MTU to use for workload interfaces and tunnels.
|
||||||
cluster_name: "{{ cluster_name }}"
|
# By default, MTU is auto-detected, and explicitly setting this field should not be required.
|
||||||
|
# You can override auto-detection by providing a non-zero value.
|
||||||
|
veth_mtu: "0"
|
||||||
|
|
||||||
# SSL Etcd configuration
|
# The CNI network configuration to install on each node. The special
|
||||||
etcd_cafile: "{{ canal_cert_dir }}/ca_cert.crt"
|
# values in this config will be automatically populated.
|
||||||
etcd_certfile: "{{ canal_cert_dir }}/cert.crt"
|
cni_network_config: |-
|
||||||
etcd_keyfile: "{{ canal_cert_dir }}/key.pem"
|
{
|
||||||
|
"name": "k8s-pod-network",
|
||||||
|
"cniVersion": "0.3.1",
|
||||||
|
"plugins": [
|
||||||
|
{
|
||||||
|
"type": "calico",
|
||||||
|
"log_level": "info",
|
||||||
|
{% if calico_cni_log_file_path %}
|
||||||
|
"log_file_path": "{{ calico_cni_log_file_path }}",
|
||||||
|
{% endif %}
|
||||||
|
"datastore_type": "kubernetes",
|
||||||
|
"nodename": "__KUBERNETES_NODE_NAME__",
|
||||||
|
"mtu": __CNI_MTU__,
|
||||||
|
"ipam": {
|
||||||
|
"type": "host-local",
|
||||||
|
"subnet": "usePodCidr"
|
||||||
|
},
|
||||||
|
"policy": {
|
||||||
|
"type": "k8s"
|
||||||
|
},
|
||||||
|
"kubernetes": {
|
||||||
|
"kubeconfig": "__KUBECONFIG_FILEPATH__"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "portmap",
|
||||||
|
"snat": true,
|
||||||
|
"capabilities": {"portMappings": true}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "bandwidth",
|
||||||
|
"capabilities": {"bandwidth": true}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Flannel network configuration. Mounted into the flannel container.
|
||||||
|
net-conf.json: |
|
||||||
|
{
|
||||||
|
"Network": "{{ kube_pods_subnet }}",
|
||||||
|
"Backend": {
|
||||||
|
"Type": "vxlan"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,83 @@
|
||||||
|
# Source: calico/templates/calico-kube-controllers-rbac.yaml
|
||||||
|
|
||||||
|
# Include a clusterrole for the kube-controllers component,
|
||||||
|
# and bind it to the calico-kube-controllers serviceaccount.
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: calico-kube-controllers
|
||||||
|
rules:
|
||||||
|
# Nodes are watched to monitor for deletions.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- nodes
|
||||||
|
verbs:
|
||||||
|
- watch
|
||||||
|
- list
|
||||||
|
- get
|
||||||
|
# Pods are watched to check for existence as part of IPAM controller.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
# IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
|
||||||
|
- apiGroups: ["crd.projectcalico.org"]
|
||||||
|
resources:
|
||||||
|
- ipreservations
|
||||||
|
verbs:
|
||||||
|
- list
|
||||||
|
- apiGroups: ["crd.projectcalico.org"]
|
||||||
|
resources:
|
||||||
|
- blockaffinities
|
||||||
|
- ipamblocks
|
||||||
|
- ipamhandles
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
- watch
|
||||||
|
# Pools are watched to maintain a mapping of blocks to IP pools.
|
||||||
|
- apiGroups: ["crd.projectcalico.org"]
|
||||||
|
resources:
|
||||||
|
- ippools
|
||||||
|
verbs:
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
# kube-controllers manages hostendpoints.
|
||||||
|
- apiGroups: ["crd.projectcalico.org"]
|
||||||
|
resources:
|
||||||
|
- hostendpoints
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- update
|
||||||
|
- delete
|
||||||
|
# Needs access to update clusterinformations.
|
||||||
|
- apiGroups: ["crd.projectcalico.org"]
|
||||||
|
resources:
|
||||||
|
- clusterinformations
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
|
# KubeControllersConfiguration is where it gets its config
|
||||||
|
- apiGroups: ["crd.projectcalico.org"]
|
||||||
|
resources:
|
||||||
|
- kubecontrollersconfigurations
|
||||||
|
verbs:
|
||||||
|
# read its own config
|
||||||
|
- get
|
||||||
|
# create a default if none exists
|
||||||
|
- create
|
||||||
|
# update status
|
||||||
|
- update
|
||||||
|
# watch for changes
|
||||||
|
- watch
|
|
@ -0,0 +1,133 @@
|
||||||
|
# Source: calico/templates/calico-node-rbac.yaml
|
||||||
|
# Include a clusterrole for the calico-node DaemonSet,
|
||||||
|
# and bind it to the calico-node serviceaccount.
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: calico-node
|
||||||
|
rules:
|
||||||
|
# Used for creating service account tokens to be used by the CNI plugin
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- serviceaccounts/token
|
||||||
|
resourceNames:
|
||||||
|
- canal
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
# The CNI plugin needs to get pods, nodes, and namespaces.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- nodes
|
||||||
|
- namespaces
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
# EndpointSlices are used for Service-based network policy rule
|
||||||
|
# enforcement.
|
||||||
|
- apiGroups: ["discovery.k8s.io"]
|
||||||
|
resources:
|
||||||
|
- endpointslices
|
||||||
|
verbs:
|
||||||
|
- watch
|
||||||
|
- list
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- endpoints
|
||||||
|
- services
|
||||||
|
verbs:
|
||||||
|
# Used to discover service IPs for advertisement.
|
||||||
|
- watch
|
||||||
|
- list
|
||||||
|
# Used to discover Typhas.
|
||||||
|
- get
|
||||||
|
# Pod CIDR auto-detection on kubeadm needs access to config maps.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- nodes/status
|
||||||
|
verbs:
|
||||||
|
# Needed for clearing NodeNetworkUnavailable flag.
|
||||||
|
- patch
|
||||||
|
# Calico stores some configuration information in node annotations.
|
||||||
|
- update
|
||||||
|
# Watch for changes to Kubernetes NetworkPolicies.
|
||||||
|
- apiGroups: ["networking.k8s.io"]
|
||||||
|
resources:
|
||||||
|
- networkpolicies
|
||||||
|
verbs:
|
||||||
|
- watch
|
||||||
|
- list
|
||||||
|
# Used by Calico for policy information.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- namespaces
|
||||||
|
- serviceaccounts
|
||||||
|
verbs:
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
# The CNI plugin patches pods/status.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- pods/status
|
||||||
|
verbs:
|
||||||
|
- patch
|
||||||
|
# Calico monitors various CRDs for config.
|
||||||
|
- apiGroups: ["crd.projectcalico.org"]
|
||||||
|
resources:
|
||||||
|
- globalfelixconfigs
|
||||||
|
- felixconfigurations
|
||||||
|
- bgppeers
|
||||||
|
- globalbgpconfigs
|
||||||
|
- bgpconfigurations
|
||||||
|
- ippools
|
||||||
|
- ipreservations
|
||||||
|
- ipamblocks
|
||||||
|
- globalnetworkpolicies
|
||||||
|
- globalnetworksets
|
||||||
|
- networkpolicies
|
||||||
|
- networksets
|
||||||
|
- clusterinformations
|
||||||
|
- hostendpoints
|
||||||
|
- blockaffinities
|
||||||
|
- caliconodestatuses
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
# Calico must create and update some CRDs on startup.
|
||||||
|
- apiGroups: ["crd.projectcalico.org"]
|
||||||
|
resources:
|
||||||
|
- ippools
|
||||||
|
- felixconfigurations
|
||||||
|
- clusterinformations
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- update
|
||||||
|
# Calico must update some CRDs.
|
||||||
|
- apiGroups: [ "crd.projectcalico.org" ]
|
||||||
|
resources:
|
||||||
|
- caliconodestatuses
|
||||||
|
verbs:
|
||||||
|
- update
|
||||||
|
# Calico stores some configuration information on the node.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- nodes
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
# These permissions are only required for upgrade from v2.6, and can
|
||||||
|
# be removed after upgrade or on fresh installations.
|
||||||
|
- apiGroups: ["crd.projectcalico.org"]
|
||||||
|
resources:
|
||||||
|
- bgpconfigurations
|
||||||
|
- bgppeers
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- update
|
|
@ -1,43 +0,0 @@
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: calico
|
|
||||||
namespace: kube-system
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources:
|
|
||||||
- pods
|
|
||||||
- nodes
|
|
||||||
- namespaces
|
|
||||||
- configmaps
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources:
|
|
||||||
- endpoints
|
|
||||||
- services
|
|
||||||
verbs:
|
|
||||||
- watch
|
|
||||||
- list
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources:
|
|
||||||
- nodes/status
|
|
||||||
verbs:
|
|
||||||
- patch
|
|
||||||
- apiGroups:
|
|
||||||
- policy
|
|
||||||
resourceNames:
|
|
||||||
- privileged
|
|
||||||
resources:
|
|
||||||
- podsecuritypolicies
|
|
||||||
verbs:
|
|
||||||
- use
|
|
||||||
- apiGroups:
|
|
||||||
- policy
|
|
||||||
resourceNames:
|
|
||||||
- privileged
|
|
||||||
resources:
|
|
||||||
- podsecuritypolicies
|
|
||||||
verbs:
|
|
||||||
- use
|
|
|
@ -5,30 +5,19 @@ apiVersion: rbac.authorization.k8s.io/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: flannel
|
name: flannel
|
||||||
rules:
|
rules:
|
||||||
- apiGroups:
|
- apiGroups: [""]
|
||||||
- ""
|
|
||||||
resources:
|
resources:
|
||||||
- pods
|
- pods
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
- apiGroups:
|
- apiGroups: [""]
|
||||||
- ""
|
|
||||||
resources:
|
resources:
|
||||||
- nodes
|
- nodes
|
||||||
verbs:
|
verbs:
|
||||||
- list
|
- list
|
||||||
- watch
|
- watch
|
||||||
- apiGroups:
|
- apiGroups: [""]
|
||||||
- ""
|
|
||||||
resources:
|
resources:
|
||||||
- nodes/status
|
- nodes/status
|
||||||
verbs:
|
verbs:
|
||||||
- patch
|
- patch
|
||||||
- apiGroups:
|
|
||||||
- policy
|
|
||||||
resourceNames:
|
|
||||||
- privileged
|
|
||||||
resources:
|
|
||||||
- podsecuritypolicies
|
|
||||||
verbs:
|
|
||||||
- use
|
|
||||||
|
|
|
@ -7,8 +7,21 @@ metadata:
|
||||||
roleRef:
|
roleRef:
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
name: calico
|
name: calico-node
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: canal
|
name: canal
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: calico-kube-controllers
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: calico-kube-controllers
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: calico-kube-controllers
|
||||||
|
namespace: kube-system
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -1,88 +1,243 @@
|
||||||
---
|
# Source: calico/templates/calico-node.yaml
|
||||||
|
# This manifest installs the canal container, as well
|
||||||
|
# as the CNI plugins and network config on
|
||||||
|
# each master and worker node in a Kubernetes cluster.
|
||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: canal-node
|
name: canal
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
labels:
|
labels:
|
||||||
k8s-app: canal-node
|
k8s-app: canal
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
k8s-app: canal-node
|
k8s-app: canal
|
||||||
|
updateStrategy:
|
||||||
|
type: RollingUpdate
|
||||||
|
rollingUpdate:
|
||||||
|
maxUnavailable: {{ serial | default('20%') }}
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: canal-node
|
k8s-app: canal
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-node-critical
|
nodeSelector:
|
||||||
|
kubernetes.io/os: linux
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
|
||||||
serviceAccountName: canal
|
|
||||||
tolerations:
|
tolerations:
|
||||||
- operator: Exists
|
# Make sure canal gets scheduled on all nodes.
|
||||||
volumes:
|
- effect: NoSchedule
|
||||||
# Used by calico/node.
|
operator: Exists
|
||||||
- name: lib-modules
|
# Mark the pod as a critical add-on for rescheduling.
|
||||||
hostPath:
|
- key: CriticalAddonsOnly
|
||||||
path: /lib/modules
|
operator: Exists
|
||||||
- name: var-lib-calico
|
- effect: NoExecute
|
||||||
hostPath:
|
operator: Exists
|
||||||
path: /var/lib/calico
|
serviceAccountName: canal
|
||||||
- name: var-run-calico
|
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
|
||||||
hostPath:
|
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
|
||||||
path: /var/run/calico
|
terminationGracePeriodSeconds: 0
|
||||||
# Used to install CNI.
|
priorityClassName: system-node-critical
|
||||||
- name: cni-bin-dir
|
|
||||||
hostPath:
|
|
||||||
path: /opt/cni/bin
|
|
||||||
- name: cni-net-dir
|
|
||||||
hostPath:
|
|
||||||
path: /etc/cni/net.d
|
|
||||||
# Used by flannel daemon.
|
|
||||||
- name: run-flannel
|
|
||||||
hostPath:
|
|
||||||
path: /run/flannel
|
|
||||||
- name: resolv
|
|
||||||
hostPath:
|
|
||||||
path: /etc/resolv.conf
|
|
||||||
- name: "canal-certs"
|
|
||||||
hostPath:
|
|
||||||
path: "{{ canal_cert_dir }}"
|
|
||||||
- name: xtables-lock
|
|
||||||
hostPath:
|
|
||||||
path: /run/xtables.lock
|
|
||||||
type: FileOrCreate
|
|
||||||
initContainers:
|
initContainers:
|
||||||
# This container installs the Calico CNI binaries
|
# This container installs the CNI binaries
|
||||||
# and CNI network config file on each node.
|
# and CNI network config file on each node.
|
||||||
- name: install-cni
|
- name: install-cni
|
||||||
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
||||||
command: ["/opt/cni/bin/install"]
|
command: ["/opt/cni/bin/install"]
|
||||||
|
envFrom:
|
||||||
|
- configMapRef:
|
||||||
|
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
|
||||||
|
name: kubernetes-services-endpoint
|
||||||
|
optional: true
|
||||||
env:
|
env:
|
||||||
|
# Set the serviceaccount name to use for the Calico CNI plugin.
|
||||||
|
# We use canal-node instead of calico-node when using flannel networking.
|
||||||
|
- name: CALICO_CNI_SERVICE_ACCOUNT
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.serviceAccountName
|
||||||
# Name of the CNI config file to create.
|
# Name of the CNI config file to create.
|
||||||
- name: CNI_CONF_NAME
|
- name: CNI_CONF_NAME
|
||||||
value: "10-canal.conflist"
|
value: "10-canal.conflist"
|
||||||
# Install CNI binaries
|
|
||||||
- name: UPDATE_CNI_BINARIES
|
|
||||||
value: "true"
|
|
||||||
# The CNI network config to install on each node.
|
# The CNI network config to install on each node.
|
||||||
- name: CNI_NETWORK_CONFIG_FILE
|
- name: CNI_NETWORK_CONFIG
|
||||||
value: "/host/etc/cni/net.d/canal.conflist.template"
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: cni_network_config
|
||||||
|
# Set the hostname based on the k8s node name.
|
||||||
|
- name: KUBERNETES_NODE_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
# CNI MTU Config variable
|
||||||
|
- name: CNI_MTU
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: veth_mtu
|
||||||
# Prevents the container from sleeping forever.
|
# Prevents the container from sleeping forever.
|
||||||
- name: SLEEP
|
- name: SLEEP
|
||||||
value: "false"
|
value: "false"
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: /host/etc/cni/net.d
|
|
||||||
name: cni-net-dir
|
|
||||||
- mountPath: /host/opt/cni/bin
|
- mountPath: /host/opt/cni/bin
|
||||||
name: cni-bin-dir
|
name: cni-bin-dir
|
||||||
|
- mountPath: /host/etc/cni/net.d
|
||||||
|
name: cni-net-dir
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
# This init container mounts the necessary filesystems needed by the BPF data plane
|
||||||
|
# i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
|
||||||
|
# in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
|
||||||
|
- name: "mount-bpffs"
|
||||||
|
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}"
|
||||||
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
command: ["calico-node", "-init", "-best-effort"]
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /sys/fs
|
||||||
|
name: sys-fs
|
||||||
|
# Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
|
||||||
|
# so that it outlives the init container.
|
||||||
|
mountPropagation: Bidirectional
|
||||||
|
- mountPath: /var/run/calico
|
||||||
|
name: var-run-calico
|
||||||
|
# Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
|
||||||
|
# so that it outlives the init container.
|
||||||
|
mountPropagation: Bidirectional
|
||||||
|
# Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
|
||||||
|
# executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
|
||||||
|
- mountPath: /nodeproc
|
||||||
|
name: nodeproc
|
||||||
|
readOnly: true
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
containers:
|
containers:
|
||||||
# Runs the flannel daemon to enable vxlan networking between
|
# Runs canal container on each Kubernetes node. This
|
||||||
# container hosts.
|
# container programs network policy and routes on each
|
||||||
- name: flannel
|
# host.
|
||||||
|
- name: calico-node
|
||||||
|
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}"
|
||||||
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
envFrom:
|
||||||
|
- configMapRef:
|
||||||
|
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
|
||||||
|
name: kubernetes-services-endpoint
|
||||||
|
optional: true
|
||||||
|
env:
|
||||||
|
# Use Kubernetes API as the backing datastore.
|
||||||
|
- name: DATASTORE_TYPE
|
||||||
|
value: "kubernetes"
|
||||||
|
# Configure route aggregation based on pod CIDR.
|
||||||
|
- name: USE_POD_CIDR
|
||||||
|
value: "true"
|
||||||
|
# Wait for the datastore.
|
||||||
|
- name: WAIT_FOR_DATASTORE
|
||||||
|
value: "true"
|
||||||
|
# Set based on the k8s node name.
|
||||||
|
- name: NODENAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
# Set the serviceaccount name to use for the Calico CNI plugin.
|
||||||
|
# We use canal-node instead of calico-node when using flannel networking.
|
||||||
|
- name: CALICO_CNI_SERVICE_ACCOUNT
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.serviceAccountName
|
||||||
|
# Don't enable BGP.
|
||||||
|
- name: CALICO_NETWORKING_BACKEND
|
||||||
|
value: "none"
|
||||||
|
# Cluster type to identify the deployment type
|
||||||
|
- name: CLUSTER_TYPE
|
||||||
|
value: "k8s,canal"
|
||||||
|
# Period, in seconds, at which felix re-applies all iptables state
|
||||||
|
- name: FELIX_IPTABLESREFRESHINTERVAL
|
||||||
|
value: "60"
|
||||||
|
# No IP address needed.
|
||||||
|
- name: IP
|
||||||
|
value: ""
|
||||||
|
# The default IPv4 pool to create on startup if none exists. Pod IPs will be
|
||||||
|
# chosen from this range. Changing this value after installation will have
|
||||||
|
# no effect. This should fall within `--cluster-cidr`.
|
||||||
|
# - name: CALICO_IPV4POOL_CIDR
|
||||||
|
# value: "192.168.0.0/16"
|
||||||
|
# Disable file logging so `kubectl logs` works.
|
||||||
|
- name: CALICO_DISABLE_FILE_LOGGING
|
||||||
|
value: "true"
|
||||||
|
# Set Felix endpoint to host default action to ACCEPT.
|
||||||
|
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
|
||||||
|
value: "ACCEPT"
|
||||||
|
# Disable IPv6 on Kubernetes.
|
||||||
|
- name: FELIX_IPV6SUPPORT
|
||||||
|
value: "false"
|
||||||
|
- name: FELIX_HEALTHENABLED
|
||||||
|
value: "true"
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: {{ calico_node_cpu_limit }}
|
||||||
|
memory: {{ calico_node_memory_limit }}
|
||||||
|
requests:
|
||||||
|
cpu: {{ calico_node_cpu_requests }}
|
||||||
|
memory: {{ calico_node_memory_requests }}
|
||||||
|
lifecycle:
|
||||||
|
preStop:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /bin/calico-node
|
||||||
|
- -shutdown
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /bin/calico-node
|
||||||
|
- -felix-live
|
||||||
|
periodSeconds: 10
|
||||||
|
initialDelaySeconds: 10
|
||||||
|
failureThreshold: 6
|
||||||
|
timeoutSeconds: 10
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /readiness
|
||||||
|
port: 9099
|
||||||
|
host: localhost
|
||||||
|
periodSeconds: 10
|
||||||
|
timeoutSeconds: 10
|
||||||
|
volumeMounts:
|
||||||
|
# For maintaining CNI plugin API credentials.
|
||||||
|
- mountPath: /host/etc/cni/net.d
|
||||||
|
name: cni-net-dir
|
||||||
|
readOnly: false
|
||||||
|
- mountPath: /lib/modules
|
||||||
|
name: lib-modules
|
||||||
|
readOnly: true
|
||||||
|
- mountPath: /run/xtables.lock
|
||||||
|
name: xtables-lock
|
||||||
|
readOnly: false
|
||||||
|
- mountPath: /var/run/calico
|
||||||
|
name: var-run-calico
|
||||||
|
readOnly: false
|
||||||
|
- mountPath: /var/lib/calico
|
||||||
|
name: var-lib-calico
|
||||||
|
readOnly: false
|
||||||
|
- name: policysync
|
||||||
|
mountPath: /var/run/nodeagent
|
||||||
|
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
|
||||||
|
# parent directory.
|
||||||
|
- name: bpffs
|
||||||
|
mountPath: /sys/fs/bpf
|
||||||
|
- name: cni-log-dir
|
||||||
|
mountPath: /var/log/calico/cni
|
||||||
|
readOnly: true
|
||||||
|
# This container runs flannel using the kube-subnet-mgr backend
|
||||||
|
# for allocating subnets.
|
||||||
|
- name: kube-flannel
|
||||||
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
|
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ]
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: {{ flannel_cpu_limit }}
|
cpu: {{ flannel_cpu_limit }}
|
||||||
|
@ -91,164 +246,74 @@ spec:
|
||||||
cpu: {{ flannel_cpu_requests }}
|
cpu: {{ flannel_cpu_requests }}
|
||||||
memory: {{ flannel_memory_requests }}
|
memory: {{ flannel_memory_requests }}
|
||||||
env:
|
env:
|
||||||
# Cluster name
|
- name: POD_NAME
|
||||||
- name: CLUSTER_NAME
|
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
fieldRef:
|
||||||
name: canal-config
|
fieldPath: metadata.name
|
||||||
key: cluster_name
|
- name: POD_NAMESPACE
|
||||||
# The location of the etcd cluster.
|
|
||||||
- name: FLANNELD_ETCD_ENDPOINTS
|
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
fieldRef:
|
||||||
name: canal-config
|
fieldPath: metadata.namespace
|
||||||
key: etcd_endpoints
|
|
||||||
# The interface flannel should run on.
|
|
||||||
- name: FLANNELD_IFACE
|
- name: FLANNELD_IFACE
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
name: canal-config
|
name: canal-config
|
||||||
key: flanneld_iface
|
key: canal_iface
|
||||||
# Perform masquerade on traffic leaving the pod cidr.
|
|
||||||
- name: FLANNELD_IP_MASQ
|
- name: FLANNELD_IP_MASQ
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
name: canal-config
|
name: canal-config
|
||||||
key: masquerade
|
key: masquerade
|
||||||
# Set etcd-prefix
|
|
||||||
- name: DOCKER_OPT_ETCD_PREFIX
|
|
||||||
value: "-etcd-prefix=/$(CLUSTER_NAME)/network"
|
|
||||||
# Write the subnet.env file to the mounted directory.
|
|
||||||
- name: FLANNELD_SUBNET_FILE
|
|
||||||
value: "/run/flannel/subnet.env"
|
|
||||||
# Etcd SSL vars
|
|
||||||
- name: ETCD_CA_CERT_FILE
|
|
||||||
valueFrom:
|
|
||||||
configMapKeyRef:
|
|
||||||
name: canal-config
|
|
||||||
key: etcd_cafile
|
|
||||||
- name: ETCD_CERT_FILE
|
|
||||||
valueFrom:
|
|
||||||
configMapKeyRef:
|
|
||||||
name: canal-config
|
|
||||||
key: etcd_certfile
|
|
||||||
- name: ETCD_KEY_FILE
|
|
||||||
valueFrom:
|
|
||||||
configMapKeyRef:
|
|
||||||
name: canal-config
|
|
||||||
key: etcd_keyfile
|
|
||||||
command:
|
|
||||||
- "/bin/sh"
|
|
||||||
- "-c"
|
|
||||||
- "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network -etcd-cafile $(ETCD_CA_CERT_FILE) -etcd-certfile $(ETCD_CERT_FILE) -etcd-keyfile $(ETCD_KEY_FILE)"
|
|
||||||
ports:
|
|
||||||
- hostPort: 10253
|
|
||||||
containerPort: 10253
|
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: "resolv"
|
- mountPath: /run/xtables.lock
|
||||||
mountPath: "/etc/resolv.conf"
|
name: xtables-lock
|
||||||
- name: "run-flannel"
|
readOnly: false
|
||||||
mountPath: "/run/flannel"
|
- name: flannel-cfg
|
||||||
- name: "canal-certs"
|
mountPath: /etc/kube-flannel/
|
||||||
mountPath: "{{ canal_cert_dir }}"
|
volumes:
|
||||||
readOnly: true
|
# Used by canal.
|
||||||
|
- name: lib-modules
|
||||||
|
hostPath:
|
||||||
|
path: /lib/modules
|
||||||
|
- name: var-run-calico
|
||||||
|
hostPath:
|
||||||
|
path: /var/run/calico
|
||||||
|
- name: var-lib-calico
|
||||||
|
hostPath:
|
||||||
|
path: /var/lib/calico
|
||||||
- name: xtables-lock
|
- name: xtables-lock
|
||||||
mountPath: /run/xtables.lock
|
hostPath:
|
||||||
readOnly: false
|
path: /run/xtables.lock
|
||||||
# Runs calico/node container on each Kubernetes node. This
|
type: FileOrCreate
|
||||||
# container programs network policy and local routes on each
|
- name: sys-fs
|
||||||
# host.
|
hostPath:
|
||||||
- name: calico-node
|
path: /sys/fs/
|
||||||
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}"
|
type: DirectoryOrCreate
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
- name: bpffs
|
||||||
resources:
|
hostPath:
|
||||||
limits:
|
path: /sys/fs/bpf
|
||||||
cpu: {{ calico_node_cpu_limit }}
|
type: Directory
|
||||||
memory: {{ calico_node_memory_limit }}
|
# mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
|
||||||
requests:
|
- name: nodeproc
|
||||||
cpu: {{ calico_node_cpu_requests }}
|
hostPath:
|
||||||
memory: {{ calico_node_memory_requests }}
|
path: /proc
|
||||||
env:
|
# Used by flannel.
|
||||||
# The location of the etcd cluster.
|
- name: flannel-cfg
|
||||||
- name: ETCD_ENDPOINTS
|
configMap:
|
||||||
valueFrom:
|
|
||||||
configMapKeyRef:
|
|
||||||
name: canal-config
|
name: canal-config
|
||||||
key: etcd_endpoints
|
# Used to install CNI.
|
||||||
# Disable Calico BGP. Calico is simply enforcing policy.
|
- name: cni-bin-dir
|
||||||
- name: CALICO_NETWORKING_BACKEND
|
hostPath:
|
||||||
value: "none"
|
path: /opt/cni/bin
|
||||||
# Cluster type to identify the deployment type
|
- name: cni-net-dir
|
||||||
- name: CLUSTER_TYPE
|
hostPath:
|
||||||
value: "kubespray,canal"
|
path: /etc/cni/net.d
|
||||||
# Disable file logging so `kubectl logs` works.
|
# Used to access CNI logs.
|
||||||
- name: CALICO_DISABLE_FILE_LOGGING
|
- name: cni-log-dir
|
||||||
value: "true"
|
hostPath:
|
||||||
# Set noderef for node controller.
|
path: /var/log/calico/cni
|
||||||
- name: CALICO_K8S_NODE_REF
|
# Used to create per-pod Unix Domain Sockets
|
||||||
valueFrom:
|
- name: policysync
|
||||||
fieldRef:
|
hostPath:
|
||||||
fieldPath: spec.nodeName
|
type: DirectoryOrCreate
|
||||||
- name: FELIX_HEALTHENABLED
|
path: /var/run/nodeagent
|
||||||
value: "true"
|
|
||||||
# Disable IPv6 on Kubernetes.
|
|
||||||
- name: FELIX_IPV6SUPPORT
|
|
||||||
value: "false"
|
|
||||||
# Etcd SSL vars
|
|
||||||
- name: ETCD_CA_CERT_FILE
|
|
||||||
valueFrom:
|
|
||||||
configMapKeyRef:
|
|
||||||
name: canal-config
|
|
||||||
key: etcd_cafile
|
|
||||||
- name: ETCD_CERT_FILE
|
|
||||||
valueFrom:
|
|
||||||
configMapKeyRef:
|
|
||||||
name: canal-config
|
|
||||||
key: etcd_certfile
|
|
||||||
- name: ETCD_KEY_FILE
|
|
||||||
valueFrom:
|
|
||||||
configMapKeyRef:
|
|
||||||
name: canal-config
|
|
||||||
key: etcd_keyfile
|
|
||||||
- name: NODENAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: spec.nodeName
|
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
host: 127.0.0.1
|
|
||||||
path: /liveness
|
|
||||||
port: 9099
|
|
||||||
periodSeconds: 10
|
|
||||||
initialDelaySeconds: 5
|
|
||||||
failureThreshold: 6
|
|
||||||
readinessProbe:
|
|
||||||
exec:
|
|
||||||
command:
|
|
||||||
- /bin/calico-node
|
|
||||||
- -felix-ready
|
|
||||||
periodSeconds: 10
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /lib/modules
|
|
||||||
name: lib-modules
|
|
||||||
readOnly: true
|
|
||||||
- mountPath: /var/run/calico
|
|
||||||
name: var-run-calico
|
|
||||||
readOnly: false
|
|
||||||
- mountPath: /var/lib/calico
|
|
||||||
name: var-lib-calico
|
|
||||||
readOnly: false
|
|
||||||
- name: "canal-certs"
|
|
||||||
mountPath: "{{ canal_cert_dir }}"
|
|
||||||
readOnly: true
|
|
||||||
- name: xtables-lock
|
|
||||||
mountPath: /run/xtables.lock
|
|
||||||
readOnly: false
|
|
||||||
updateStrategy:
|
|
||||||
rollingUpdate:
|
|
||||||
maxUnavailable: {{ serial | default('20%') }}
|
|
||||||
type: RollingUpdate
|
|
||||||
|
|
Loading…
Reference in New Issue