Align canal templates with calico official ones (k8s datastore)

pull/9144/head
Florian Ruynat 2022-07-22 09:46:19 +02:00 committed by Kubernetes Prow Robot
parent b4318e9967
commit eb10249a75
11 changed files with 4548 additions and 271 deletions


@ -55,8 +55,11 @@
with_items: with_items:
- {name: canal-config, file: canal-config.yaml, type: cm} - {name: canal-config, file: canal-config.yaml, type: cm}
- {name: canal-node, file: canal-node.yaml, type: ds} - {name: canal-node, file: canal-node.yaml, type: ds}
- {name: canal-kube-controllers, file: canal-calico-kube-controllers.yml, type: deployment}
- {name: canal, file: canal-node-sa.yml, type: sa} - {name: canal, file: canal-node-sa.yml, type: sa}
- {name: calico, file: canal-cr-calico.yml, type: clusterrole} - {name: calico-cr, file: canal-cr-calico-node.yml, type: clusterrole}
- {name: calico-kube-cr, file: canal-cr-calico-kube-controllers.yml, type: clusterrole}
- {name: calico-crd, file: canal-crd-calico.yml, type: crd}
- {name: flannel, file: canal-cr-flannel.yml, type: clusterrole} - {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
- {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding} - {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
- {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding} - {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
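Review bot: The new `canal-calico-kube-controllers.yml` Deployment item runs its pod under `serviceAccountName: calico-kube-controllers`, and the new ClusterRoleBinding appended to canal-crb-calico.yml binds that same ServiceAccount, but the only `type: sa` item in this list is still `{name: canal, file: canal-node-sa.yml, type: sa}`. Unless canal-node-sa.yml also defines a `calico-kube-controllers` ServiceAccount (that template is not among the visible sections of this diff), the Deployment's pods are rejected for a missing service account and the binding's subject is dangling. If it does not, add a second item such as `- {name: calico-kube-controllers, file: <sa-template>.yml, type: sa}` ahead of the deployment item so the account exists before the pod is created. The enclosing task (`with_items:` is its last key here) starts above the hunk.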


@ -0,0 +1,59 @@
---
# Source: calico/templates/calico-kube-controllers.yaml
# See https://github.com/projectcalico/kube-controllers
apiVersion: apps/v1
kind: Deployment
metadata:
name: calico-kube-controllers
namespace: kube-system
labels:
k8s-app: calico-kube-controllers
spec:
# The controllers can only have a single active instance.
replicas: 1
selector:
matchLabels:
k8s-app: calico-kube-controllers
strategy:
type: Recreate
template:
metadata:
name: calico-kube-controllers
namespace: kube-system
labels:
k8s-app: calico-kube-controllers
spec:
nodeSelector:
kubernetes.io/os: linux
tolerations:
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/master
effect: NoSchedule
serviceAccountName: calico-kube-controllers
priorityClassName: system-cluster-critical
containers:
- name: calico-kube-controllers
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
env:
# Choose which controllers to run.
- name: ENABLED_CONTROLLERS
value: node
- name: DATASTORE_TYPE
value: kubernetes
livenessProbe:
exec:
command:
- /usr/bin/check-status
- -l
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
timeoutSeconds: 10
readinessProbe:
exec:
command:
- /usr/bin/check-status
- -r
periodSeconds: 10
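Review bot: The `calico-kube-controllers` container's `image:` line is built from `calico_cni_image_repo`/`calico_cni_image_tag`, i.e. the CNI plugin image, whereas the upstream `calico/templates/calico-kube-controllers.yaml` this file cites runs the kube-controllers image; the liveness and readiness probes below it exec `/usr/bin/check-status`, which is what the kube-controllers image ships. Unless the CNI image also carries the controller binary and `check-status`, the Deployment will crash-loop or fail its probes, so point the image at the variables kubespray's calico role already uses for kube-controllers (or add dedicated ones) and quote it like the `image:` values in canal-node.yaml. Separately, the tolerations only cover `node-role.kubernetes.io/master`; kubeadm 1.24+ taints control-plane nodes with `node-role.kubernetes.io/control-plane`, so add `- key: node-role.kubernetes.io/control-plane` / `effect: NoSchedule` as recent upstream templates do, otherwise the single replica cannot land on a control-plane-only cluster.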


@ -5,23 +5,69 @@ kind: ConfigMap
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: canal-config name: canal-config
namespace: kube-system
data: data:
# Configure this with the location of your etcd cluster. # Typha is disabled.
etcd_endpoints: "{{ etcd_access_addresses }}" typha_service_name: "none"
# The interface used by canal for host <-> host communication. # The interface used by canal for host <-> host communication.
# If left blank, then the interface is choosing using the node's # If left blank, then the interface is chosen using the node's
# default route. # default route.
flanneld_iface: "{{ canal_iface }}" canal_iface: "{{ canal_iface }}"
# Whether or not to masquerade traffic to destinations not within # Whether or not to masquerade traffic to destinations not within
# the pod network. # the pod network.
masquerade: "{{ canal_masquerade }}" masquerade: "{{ canal_masquerade }}"
# Cluster name for Flannel etcd path # Configure the MTU to use for workload interfaces and tunnels.
cluster_name: "{{ cluster_name }}" # By default, MTU is auto-detected, and explicitly setting this field should not be required.
# You can override auto-detection by providing a non-zero value.
veth_mtu: "0"
# SSL Etcd configuration # The CNI network configuration to install on each node. The special
etcd_cafile: "{{ canal_cert_dir }}/ca_cert.crt" # values in this config will be automatically populated.
etcd_certfile: "{{ canal_cert_dir }}/cert.crt" cni_network_config: |-
etcd_keyfile: "{{ canal_cert_dir }}/key.pem" {
"name": "k8s-pod-network",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "calico",
"log_level": "info",
{% if calico_cni_log_file_path %}
"log_file_path": "{{ calico_cni_log_file_path }}",
{% endif %}
"datastore_type": "kubernetes",
"nodename": "__KUBERNETES_NODE_NAME__",
"mtu": __CNI_MTU__,
"ipam": {
"type": "host-local",
"subnet": "usePodCidr"
},
"policy": {
"type": "k8s"
},
"kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__"
}
},
{
"type": "portmap",
"snat": true,
"capabilities": {"portMappings": true}
},
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
}
]
}
# Flannel network configuration. Mounted into the flannel container.
net-conf.json: |
{
"Network": "{{ kube_pods_subnet }}",
"Backend": {
"Type": "vxlan"
}
}
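Review bot: `cni_network_config: |-` strips the trailing newline while `net-conf.json: |` keeps it; both keys are consumed as file contents, so pick one chomping indicator for the two block scalars (purely a style point). The `{% if calico_cni_log_file_path %}` guard inside the JSON block raises an Ansible undefined-variable error rather than rendering empty if the variable is not in this role's defaults, so confirm the canal role defines it (the calico role does, presumably). The ConfigMap header (`kind`/`apiVersion`) is above the hunk; the templated scalars `typha_service_name`, `canal_iface` and `masquerade` are correctly quoted.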


@ -0,0 +1,83 @@
# Source: calico/templates/calico-kube-controllers-rbac.yaml
# Include a clusterrole for the kube-controllers component,
# and bind it to the calico-kube-controllers serviceaccount.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico-kube-controllers
rules:
# Nodes are watched to monitor for deletions.
- apiGroups: [""]
resources:
- nodes
verbs:
- watch
- list
- get
# Pods are watched to check for existence as part of IPAM controller.
- apiGroups: [""]
resources:
- pods
verbs:
- get
- list
- watch
# IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
- apiGroups: ["crd.projectcalico.org"]
resources:
- ipreservations
verbs:
- list
- apiGroups: ["crd.projectcalico.org"]
resources:
- blockaffinities
- ipamblocks
- ipamhandles
verbs:
- get
- list
- create
- update
- delete
- watch
# Pools are watched to maintain a mapping of blocks to IP pools.
- apiGroups: ["crd.projectcalico.org"]
resources:
- ippools
verbs:
- list
- watch
# kube-controllers manages hostendpoints.
- apiGroups: ["crd.projectcalico.org"]
resources:
- hostendpoints
verbs:
- get
- list
- create
- update
- delete
# Needs access to update clusterinformations.
- apiGroups: ["crd.projectcalico.org"]
resources:
- clusterinformations
verbs:
- get
- list
- create
- update
- watch
# KubeControllersConfiguration is where it gets its config
- apiGroups: ["crd.projectcalico.org"]
resources:
- kubecontrollersconfigurations
verbs:
# read its own config
- get
# create a default if none exists
- create
# update status
- update
# watch for changes
- watch
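Review bot: This template starts with a comment and `kind:` rather than the `---` document marker the other canal templates open with (canal-calico-kube-controllers.yml, the deleted canal-cr-calico.yml), and the same applies to canal-cr-calico-node.yml; add `---` as the first line of both for consistency. The header comment also says the role is bound "to the calico-kube-controllers serviceaccount", but in this commit the binding lives in canal-crb-calico.yml, so replace that line with `# Bound to the calico-kube-controllers ServiceAccount in canal-crb-calico.yml.` to stop the next reader searching this file for a ClusterRoleBinding. The rules themselves match the cited upstream file.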


@ -0,0 +1,133 @@
# Source: calico/templates/calico-node-rbac.yaml
# Include a clusterrole for the calico-node DaemonSet,
# and bind it to the calico-node serviceaccount.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico-node
rules:
# Used for creating service account tokens to be used by the CNI plugin
- apiGroups: [""]
resources:
- serviceaccounts/token
resourceNames:
- canal
verbs:
- create
# The CNI plugin needs to get pods, nodes, and namespaces.
- apiGroups: [""]
resources:
- pods
- nodes
- namespaces
verbs:
- get
# EndpointSlices are used for Service-based network policy rule
# enforcement.
- apiGroups: ["discovery.k8s.io"]
resources:
- endpointslices
verbs:
- watch
- list
- apiGroups: [""]
resources:
- endpoints
- services
verbs:
# Used to discover service IPs for advertisement.
- watch
- list
# Used to discover Typhas.
- get
# Pod CIDR auto-detection on kubeadm needs access to config maps.
- apiGroups: [""]
resources:
- configmaps
verbs:
- get
- apiGroups: [""]
resources:
- nodes/status
verbs:
# Needed for clearing NodeNetworkUnavailable flag.
- patch
# Calico stores some configuration information in node annotations.
- update
# Watch for changes to Kubernetes NetworkPolicies.
- apiGroups: ["networking.k8s.io"]
resources:
- networkpolicies
verbs:
- watch
- list
# Used by Calico for policy information.
- apiGroups: [""]
resources:
- pods
- namespaces
- serviceaccounts
verbs:
- list
- watch
# The CNI plugin patches pods/status.
- apiGroups: [""]
resources:
- pods/status
verbs:
- patch
# Calico monitors various CRDs for config.
- apiGroups: ["crd.projectcalico.org"]
resources:
- globalfelixconfigs
- felixconfigurations
- bgppeers
- globalbgpconfigs
- bgpconfigurations
- ippools
- ipreservations
- ipamblocks
- globalnetworkpolicies
- globalnetworksets
- networkpolicies
- networksets
- clusterinformations
- hostendpoints
- blockaffinities
- caliconodestatuses
verbs:
- get
- list
- watch
# Calico must create and update some CRDs on startup.
- apiGroups: ["crd.projectcalico.org"]
resources:
- ippools
- felixconfigurations
- clusterinformations
verbs:
- create
- update
# Calico must update some CRDs.
- apiGroups: [ "crd.projectcalico.org" ]
resources:
- caliconodestatuses
verbs:
- update
# Calico stores some configuration information on the node.
- apiGroups: [""]
resources:
- nodes
verbs:
- get
- list
- watch
# These permissions are only required for upgrade from v2.6, and can
# be removed after upgrade or on fresh installations.
- apiGroups: ["crd.projectcalico.org"]
resources:
- bgpconfigurations
- bgppeers
verbs:
- create
- update
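Review bot: The last rule grants `create`/`update` on `bgpconfigurations` and `bgppeers`, and its own comment says it is only needed for upgrades from v2.6 and can be dropped on fresh installs; since canal runs calico-node with `CALICO_NETWORKING_BACKEND: "none"` (canal-node.yaml) BGP objects are never written, so from a least-privilege standpoint the rule should be removed here rather than carried over from upstream. Two style nits: `- apiGroups: [ "crd.projectcalico.org" ]` uses inner spacing while every other rule writes `[""]`/`["crd.projectcalico.org"]`, and the file lacks the leading `---` the other templates have. The `serviceaccounts/token` `create` rule is correctly narrowed with `resourceNames: [canal]`, which matches the DaemonSet's `serviceAccountName: canal`.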


@ -1,43 +0,0 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico
namespace: kube-system
rules:
- apiGroups: [""]
resources:
- pods
- nodes
- namespaces
- configmaps
verbs:
- get
- apiGroups: [""]
resources:
- endpoints
- services
verbs:
- watch
- list
- apiGroups: [""]
resources:
- nodes/status
verbs:
- patch
- apiGroups:
- policy
resourceNames:
- privileged
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups:
- policy
resourceNames:
- privileged
resources:
- podsecuritypolicies
verbs:
- use


@ -5,30 +5,19 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: flannel name: flannel
rules: rules:
- apiGroups: - apiGroups: [""]
- ""
resources: resources:
- pods - pods
verbs: verbs:
- get - get
- apiGroups: - apiGroups: [""]
- ""
resources: resources:
- nodes - nodes
verbs: verbs:
- list - list
- watch - watch
- apiGroups: - apiGroups: [""]
- ""
resources: resources:
- nodes/status - nodes/status
verbs: verbs:
- patch - patch
- apiGroups:
- policy
resourceNames:
- privileged
resources:
- podsecuritypolicies
verbs:
- use
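Review bot: The rule granting `use` on the `privileged` PodSecurityPolicy is dropped from this ClusterRole, and canal-cr-calico.yml, which carried the same rule, is deleted without the new `calico-node` ClusterRole taking it over, yet the canal DaemonSet still runs flannel, calico-node and the `mount-bpffs` init container with `privileged: true`. On a cluster where PodSecurityPolicy admission is still enabled the `canal` ServiceAccount then has no PSP it may use and the DaemonSet pods are rejected at admission. If PSP is still a supported option in this tree, keep the rule in one of the new roles (gated on the PSP flag as the other network plugins do, presumably); if it is not, say so in the commit description so operators know the option is gone. The ClusterRole header is above the hunk.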


@ -7,8 +7,21 @@ metadata:
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: calico name: calico-node
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: canal name: canal
namespace: kube-system namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico-kube-controllers
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-kube-controllers
subjects:
- kind: ServiceAccount
name: calico-kube-controllers
namespace: kube-system



@ -1,88 +1,243 @@
--- # Source: calico/templates/calico-node.yaml
# This manifest installs the canal container, as well
# as the CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet kind: DaemonSet
apiVersion: apps/v1 apiVersion: apps/v1
metadata: metadata:
name: canal-node name: canal
namespace: kube-system namespace: kube-system
labels: labels:
k8s-app: canal-node k8s-app: canal
spec: spec:
selector: selector:
matchLabels: matchLabels:
k8s-app: canal-node k8s-app: canal
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: {{ serial | default('20%') }}
template: template:
metadata: metadata:
labels: labels:
k8s-app: canal-node k8s-app: canal
spec: spec:
priorityClassName: system-node-critical nodeSelector:
kubernetes.io/os: linux
hostNetwork: true hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: canal
tolerations: tolerations:
- operator: Exists # Make sure canal gets scheduled on all nodes.
volumes: - effect: NoSchedule
# Used by calico/node. operator: Exists
- name: lib-modules # Mark the pod as a critical add-on for rescheduling.
hostPath: - key: CriticalAddonsOnly
path: /lib/modules operator: Exists
- name: var-lib-calico - effect: NoExecute
hostPath: operator: Exists
path: /var/lib/calico serviceAccountName: canal
- name: var-run-calico # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
hostPath: # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
path: /var/run/calico terminationGracePeriodSeconds: 0
# Used to install CNI. priorityClassName: system-node-critical
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
# Used by flannel daemon.
- name: run-flannel
hostPath:
path: /run/flannel
- name: resolv
hostPath:
path: /etc/resolv.conf
- name: "canal-certs"
hostPath:
path: "{{ canal_cert_dir }}"
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
initContainers: initContainers:
# This container installs the Calico CNI binaries # This container installs the CNI binaries
# and CNI network config file on each node. # and CNI network config file on each node.
- name: install-cni - name: install-cni
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
command: ["/opt/cni/bin/install"] command: ["/opt/cni/bin/install"]
envFrom:
- configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
name: kubernetes-services-endpoint
optional: true
env: env:
# Set the serviceaccount name to use for the Calico CNI plugin.
# We use canal-node instead of calico-node when using flannel networking.
- name: CALICO_CNI_SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
# Name of the CNI config file to create. # Name of the CNI config file to create.
- name: CNI_CONF_NAME - name: CNI_CONF_NAME
value: "10-canal.conflist" value: "10-canal.conflist"
# Install CNI binaries
- name: UPDATE_CNI_BINARIES
value: "true"
# The CNI network config to install on each node. # The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG_FILE - name: CNI_NETWORK_CONFIG
value: "/host/etc/cni/net.d/canal.conflist.template" valueFrom:
configMapKeyRef:
name: canal-config
key: cni_network_config
# Set the hostname based on the k8s node name.
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# CNI MTU Config variable
- name: CNI_MTU
valueFrom:
configMapKeyRef:
name: canal-config
key: veth_mtu
# Prevents the container from sleeping forever. # Prevents the container from sleeping forever.
- name: SLEEP - name: SLEEP
value: "false" value: "false"
volumeMounts: volumeMounts:
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /host/opt/cni/bin - mountPath: /host/opt/cni/bin
name: cni-bin-dir name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
securityContext:
privileged: true
# This init container mounts the necessary filesystems needed by the BPF data plane
# i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
# in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
- name: "mount-bpffs"
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
command: ["calico-node", "-init", "-best-effort"]
volumeMounts:
- mountPath: /sys/fs
name: sys-fs
# Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
# so that it outlives the init container.
mountPropagation: Bidirectional
- mountPath: /var/run/calico
name: var-run-calico
# Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
# so that it outlives the init container.
mountPropagation: Bidirectional
# Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
# executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
- mountPath: /nodeproc
name: nodeproc
readOnly: true
securityContext:
privileged: true
containers: containers:
# Runs the flannel daemon to enable vxlan networking between # Runs canal container on each Kubernetes node. This
# container hosts. # container programs network policy and routes on each
- name: flannel # host.
- name: calico-node
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
envFrom:
- configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
name: kubernetes-services-endpoint
optional: true
env:
# Use Kubernetes API as the backing datastore.
- name: DATASTORE_TYPE
value: "kubernetes"
# Configure route aggregation based on pod CIDR.
- name: USE_POD_CIDR
value: "true"
# Wait for the datastore.
- name: WAIT_FOR_DATASTORE
value: "true"
# Set based on the k8s node name.
- name: NODENAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# Set the serviceaccount name to use for the Calico CNI plugin.
# We use canal-node instead of calico-node when using flannel networking.
- name: CALICO_CNI_SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
# Don't enable BGP.
- name: CALICO_NETWORKING_BACKEND
value: "none"
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
value: "k8s,canal"
# Period, in seconds, at which felix re-applies all iptables state
- name: FELIX_IPTABLESREFRESHINTERVAL
value: "60"
# No IP address needed.
- name: IP
value: ""
# The default IPv4 pool to create on startup if none exists. Pod IPs will be
# chosen from this range. Changing this value after installation will have
# no effect. This should fall within `--cluster-cidr`.
# - name: CALICO_IPV4POOL_CIDR
# value: "192.168.0.0/16"
# Disable file logging so `kubectl logs` works.
- name: CALICO_DISABLE_FILE_LOGGING
value: "true"
# Set Felix endpoint to host default action to ACCEPT.
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
value: "ACCEPT"
# Disable IPv6 on Kubernetes.
- name: FELIX_IPV6SUPPORT
value: "false"
- name: FELIX_HEALTHENABLED
value: "true"
securityContext:
privileged: true
resources:
limits:
cpu: {{ calico_node_cpu_limit }}
memory: {{ calico_node_memory_limit }}
requests:
cpu: {{ calico_node_cpu_requests }}
memory: {{ calico_node_memory_requests }}
lifecycle:
preStop:
exec:
command:
- /bin/calico-node
- -shutdown
livenessProbe:
exec:
command:
- /bin/calico-node
- -felix-live
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /readiness
port: 9099
host: localhost
periodSeconds: 10
timeoutSeconds: 10
volumeMounts:
# For maintaining CNI plugin API credentials.
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
readOnly: false
- mountPath: /lib/modules
name: lib-modules
readOnly: true
- mountPath: /run/xtables.lock
name: xtables-lock
readOnly: false
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /var/lib/calico
name: var-lib-calico
readOnly: false
- name: policysync
mountPath: /var/run/nodeagent
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
# parent directory.
- name: bpffs
mountPath: /sys/fs/bpf
- name: cni-log-dir
mountPath: /var/log/calico/cni
readOnly: true
# This container runs flannel using the kube-subnet-mgr backend
# for allocating subnets.
- name: kube-flannel
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}" image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ]
securityContext:
privileged: true
resources: resources:
limits: limits:
cpu: {{ flannel_cpu_limit }} cpu: {{ flannel_cpu_limit }}
@ -91,164 +246,74 @@ spec:
cpu: {{ flannel_cpu_requests }} cpu: {{ flannel_cpu_requests }}
memory: {{ flannel_memory_requests }} memory: {{ flannel_memory_requests }}
env: env:
# Cluster name - name: POD_NAME
- name: CLUSTER_NAME
valueFrom: valueFrom:
configMapKeyRef: fieldRef:
name: canal-config fieldPath: metadata.name
key: cluster_name - name: POD_NAMESPACE
# The location of the etcd cluster.
- name: FLANNELD_ETCD_ENDPOINTS
valueFrom: valueFrom:
configMapKeyRef: fieldRef:
name: canal-config fieldPath: metadata.namespace
key: etcd_endpoints
# The interface flannel should run on.
- name: FLANNELD_IFACE - name: FLANNELD_IFACE
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
name: canal-config name: canal-config
key: flanneld_iface key: canal_iface
# Perform masquerade on traffic leaving the pod cidr.
- name: FLANNELD_IP_MASQ - name: FLANNELD_IP_MASQ
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
name: canal-config name: canal-config
key: masquerade key: masquerade
# Set etcd-prefix
- name: DOCKER_OPT_ETCD_PREFIX
value: "-etcd-prefix=/$(CLUSTER_NAME)/network"
# Write the subnet.env file to the mounted directory.
- name: FLANNELD_SUBNET_FILE
value: "/run/flannel/subnet.env"
# Etcd SSL vars
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cafile
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_certfile
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_keyfile
command:
- "/bin/sh"
- "-c"
- "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network -etcd-cafile $(ETCD_CA_CERT_FILE) -etcd-certfile $(ETCD_CERT_FILE) -etcd-keyfile $(ETCD_KEY_FILE)"
ports:
- hostPort: 10253
containerPort: 10253
securityContext:
privileged: true
volumeMounts: volumeMounts:
- name: "resolv" - mountPath: /run/xtables.lock
mountPath: "/etc/resolv.conf" name: xtables-lock
- name: "run-flannel" readOnly: false
mountPath: "/run/flannel" - name: flannel-cfg
- name: "canal-certs" mountPath: /etc/kube-flannel/
mountPath: "{{ canal_cert_dir }}" volumes:
readOnly: true # Used by canal.
- name: lib-modules
hostPath:
path: /lib/modules
- name: var-run-calico
hostPath:
path: /var/run/calico
- name: var-lib-calico
hostPath:
path: /var/lib/calico
- name: xtables-lock - name: xtables-lock
mountPath: /run/xtables.lock hostPath:
readOnly: false path: /run/xtables.lock
# Runs calico/node container on each Kubernetes node. This type: FileOrCreate
# container programs network policy and local routes on each - name: sys-fs
# host. hostPath:
- name: calico-node path: /sys/fs/
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}" type: DirectoryOrCreate
imagePullPolicy: {{ k8s_image_pull_policy }} - name: bpffs
resources: hostPath:
limits: path: /sys/fs/bpf
cpu: {{ calico_node_cpu_limit }} type: Directory
memory: {{ calico_node_memory_limit }} # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
requests: - name: nodeproc
cpu: {{ calico_node_cpu_requests }} hostPath:
memory: {{ calico_node_memory_requests }} path: /proc
env: # Used by flannel.
# The location of the etcd cluster. - name: flannel-cfg
- name: ETCD_ENDPOINTS configMap:
valueFrom:
configMapKeyRef:
name: canal-config name: canal-config
key: etcd_endpoints # Used to install CNI.
# Disable Calico BGP. Calico is simply enforcing policy. - name: cni-bin-dir
- name: CALICO_NETWORKING_BACKEND hostPath:
value: "none" path: /opt/cni/bin
# Cluster type to identify the deployment type - name: cni-net-dir
- name: CLUSTER_TYPE hostPath:
value: "kubespray,canal" path: /etc/cni/net.d
# Disable file logging so `kubectl logs` works. # Used to access CNI logs.
- name: CALICO_DISABLE_FILE_LOGGING - name: cni-log-dir
value: "true" hostPath:
# Set noderef for node controller. path: /var/log/calico/cni
- name: CALICO_K8S_NODE_REF # Used to create per-pod Unix Domain Sockets
valueFrom: - name: policysync
fieldRef: hostPath:
fieldPath: spec.nodeName type: DirectoryOrCreate
- name: FELIX_HEALTHENABLED path: /var/run/nodeagent
value: "true"
# Disable IPv6 on Kubernetes.
- name: FELIX_IPV6SUPPORT
value: "false"
# Etcd SSL vars
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cafile
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_certfile
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_keyfile
- name: NODENAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
privileged: true
livenessProbe:
httpGet:
host: 127.0.0.1
path: /liveness
port: 9099
periodSeconds: 10
initialDelaySeconds: 5
failureThreshold: 6
readinessProbe:
exec:
command:
- /bin/calico-node
- -felix-ready
periodSeconds: 10
volumeMounts:
- mountPath: /lib/modules
name: lib-modules
readOnly: true
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /var/lib/calico
name: var-lib-calico
readOnly: false
- name: "canal-certs"
mountPath: "{{ canal_cert_dir }}"
readOnly: true
- name: xtables-lock
mountPath: /run/xtables.lock
readOnly: false
updateStrategy:
rollingUpdate:
maxUnavailable: {{ serial | default('20%') }}
type: RollingUpdate
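Review bot: The `kube-flannel` container's `command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ]` hard-codes `--ip-masq` while the same container also sets `FLANNELD_IP_MASQ` from the `masquerade` ConfigMap key, i.e. from `canal_masquerade`; as far as I recall flannel only falls back to `FLANNELD_*` for flags not given on the command line, so the user setting can no longer turn masquerading off — confirm, and if so use `command: [ "/opt/bin/flanneld", "--kube-subnet-mgr" ]` and let the env var drive it. `CLUSTER_TYPE` changes from `kubespray,canal` to `k8s,canal`, which drops the distribution tag that the other kubespray Calico templates report; presumably an unintended side effect of copying upstream. The templated `imagePullPolicy: {{ k8s_image_pull_policy }}` values are unquoted while the neighbouring `image:` values are quoted — quote them for consistency. The DaemonSet spec spans both hunks of this section.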