From f6d60a7e89e7474e8a8cbee1b8c29bb9535b8a10 Mon Sep 17 00:00:00 2001
From: Erwan Miran
Date: Thu, 31 Jan 2019 22:39:13 +0100
Subject: [PATCH] Calico: Ability to define the default IPPool CIDR (instead of kube_pods_subnet) (#4131)

* Calico: Ability to define the default IPPool CIDR (instead of kube_pods_subnet)

* Documentation for calico_pool_cidr (and calico_advertise_cluster_ips which has been forgotten...)
---
 docs/calico.md | 15 +++++++++++++++
 .../group_vars/k8s-cluster/k8s-net-calico.yml | 3 +++
 roles/network_plugin/calico/tasks/install.yml | 16 +++++++++++++---
 .../calico/templates/cni-calico.conflist.j2 | 2 +-
 4 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/docs/calico.md b/docs/calico.md
index d213f1f72..5eedef8ac 100644
--- a/docs/calico.md
+++ b/docs/calico.md
@@ -67,6 +67,15 @@ To re-define you need to edit the inventory and add a group variable `calico_net
 calico_network_backend: none
 ```
 
+##### Optional : Define the default pool CIDR
+
+By default, `kube_pods_subnet` is used as the IP range CIDR for the default IP Pool.
+In some cases you may want to add several pools and not have them considered by Kubernetes as external (which means that they must be within or equal to the range defined in `kube_pods_subnet`), it starts with the default IP Pool of which IP range CIDR can by defined in group_vars (k8s-cluster/k8s-net-calico.yml):
+
+```
+calico_pool_cidr: 10.233.64.0/20
+```
+
 ##### Optional : BGP Peering with border routers
 
 In some cases you may want to route the pods subnet and so NAT is not needed on the nodes.
@@ -86,6 +95,12 @@ In order to define global peers, the `peers` variable can be defined in group_va In order to define peers on a per node basis, the `peers` variable must be defined in hostvars. NB: Ansible's `hash_behaviour` is by default set to "replace", thus defining both global and per node peers would end up with having only per node peers. If having both global and per node peers defined was meant to happen, global peers would have to be defined in hostvars for each host (as well as per node peers) +Since calico 3.4, Calico supports advertising Kubernetes service cluster IPs over BGP, just as it advertises pod IPs. +This can be enabled by setting the following variable as follow in group_vars (k8s-cluster/k8s-net-calico.yml) +``` +calico_advertise_cluster_ips: true +``` + ##### Optional : Define global AS number Optional parameter `global_as_num` defines Calico global AS number (`/calico/bgp/v1/global/as_num` etcd key). diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml b/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml index 21fd7994f..6ca30a244 100644 --- a/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml +++ b/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml @@ -11,6 +11,9 @@ # add default ippool name # calico_pool_name: "default-pool" +# add default ippool CIDR (must be inside kube_pods_subnet, defaults to kube_pods_subnet otherwise) +# calico_pool_cidr: 1.2.3.4/5 + # Global as_num (/calico/bgp/v1/global/as_num) # global_as_num: "64512" diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml index 69611c33f..0d0cad250 100644 --- a/roles/network_plugin/calico/tasks/install.yml +++ b/roles/network_plugin/calico/tasks/install.yml 
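Review bot: The commented sample `# calico_pool_cidr: 1.2.3.4/5` in the k8s-net-calico.yml hunk is not a network address (host bits are set) and cannot sit inside any realistic `kube_pods_subnet`, so an operator who uncomments it and edits by analogy gets no hint of the expected form and only learns about the constraint when the new assert in install.yml fires. The docs hunk of this same commit already uses a concrete, valid value; mirroring it here, `# calico_pool_cidr: 10.233.64.0/20`, keeps the sample and the documentation consistent. The neighbouring samples quote their values (`"default-pool"`, `"64512"`), so quoting the CIDR too would match the file's style.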
@@ -75,13 +75,23 @@ - name: Calico | Check if calico network pool has already been configured shell: > - {{ bin_dir }}/calicoctl get ippool | grep -w "{{ kube_pods_subnet }}" | wc -l + {{ bin_dir }}/calicoctl get ippool | grep -w "{{ calico_pool_cidr | default(kube_pods_subnet) }}" | wc -l register: calico_conf retries: 4 delay: "{{ retry_stagger | random + 3 }}" delegate_to: "{{ groups['kube-master'][0] }}" run_once: true +- name: Calico | Ensure that calico_pool_cidr is within kube_pods_subnet when defined + assert: + that: "[calico_pool_cidr] | ipaddr(kube_pods_subnet) | length == 1" + msg: "{{ calico_pool_cidr }} is not within or equal to {{ kube_pods_subnet }}" + delegate_to: localhost + run_once: true + when: + - 'calico_conf.stdout == "0"' + - calico_pool_cidr is defined + - name: Calico | Configure calico network pool shell: > echo " @@ -91,7 +101,7 @@ "name": "{{ calico_pool_name }}", }, "spec": { - "cidr": "{{ kube_pods_subnet }}", + "cidr": "{{ calico_pool_cidr | default(kube_pods_subnet) }}", "ipipMode": "{{ ipip_mode }}", "natOutgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }} }} " | {{ bin_dir }}/calicoctl create -f - run_once: true @@ -107,7 +117,7 @@ "spec": {"disabled": false, "ipip": {"enabled": {{ ipip }}, "mode": "{{ ipip_mode|lower }}"}, "nat-outgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }}}, "apiVersion": "v1", - "metadata": {"cidr": "{{ kube_pods_subnet }}"} + "metadata": {"cidr": "{{ calico_pool_cidr | default(kube_pods_subnet) }}"} }' | {{ bin_dir }}/calicoctl apply -f - environment: NO_DEFAULT_POOLS: true diff --git a/roles/network_plugin/calico/templates/cni-calico.conflist.j2 b/roles/network_plugin/calico/templates/cni-calico.conflist.j2 index 9ce2483cc..be76da0ab 100644 --- a/roles/network_plugin/calico/templates/cni-calico.conflist.j2 +++ b/roles/network_plugin/calico/templates/cni-calico.conflist.j2 
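Review bot: The new assert in the first hunk verifies containment in `kube_pods_subnet` but not that `calico_pool_cidr` is a proper network address, so a value with host bits set (the same `a.b.c.d/n` pattern the sample inventory in this commit shows) presumably passes whenever it falls inside the subnet and is only rejected later by calicoctl, if at all; turning `that` into a two-item list with `- "calico_pool_cidr | ipaddr('net')"` ahead of the existing `- "[calico_pool_cidr] | ipaddr(kube_pods_subnet) | length == 1"` would fail fast on the controller before any cluster state is touched. Because the task is delegated to localhost, the `ipaddr` filter needs the `netaddr` Python package on the control host rather than on the master, which deserves a comment on the task, e.g. `# ipaddr filter: requires netaddr on the Ansible controller`. The expression `calico_pool_cidr | default(kube_pods_subnet)` is now repeated in this hunk, in the two following hunks of install.yml and in the CNI template; a single default for the variable in the role's defaults would let every consumer reference `calico_pool_cidr` directly and remove the risk of one site drifting.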
@@ -17,7 +17,7 @@ "ipam": { "type": "calico-ipam", "assign_ipv4": "true", - "ipv4_pools": ["{{ kube_pods_subnet }}"] + "ipv4_pools": ["{{ calico_pool_cidr | default(kube_pods_subnet) }}"] }, {% if enable_network_policy %} "policy": {
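Review bot: `ipv4_pools` now pins Calico IPAM to the single default pool, and neither the template nor the accompanying docs say what that means for the additional pools the feature is meant to allow; if Calico IPAM only allocates from the pools listed here unless a pod or namespace annotation overrides it (my understanding of the CNI plugin, to be confirmed against the Calico reference), those extra pools are unusable by default. A Jinja comment above the line would save the next reader that detour: `{# IPAM allocates only from the pools listed here; other pools need an explicit pod/namespace annotation (verify against the Calico CNI reference) #}`. The enclosing "ipam" object is fully inside the hunk, but the surrounding conflist continues outside it.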