c12s-kubespray/roles/network_plugin/calico/defaults/main.yml

---
# Enables Internet connectivity from containers
nat_outgoing: true

# Use IP-over-IP encapsulation across hosts
ipip: false

# Set to true if you want your calico cni binaries to overwrite the
# ones from hyperkube while leaving other cni plugins intact.
overwrite_hyperkube_cni: true

calico_cert_dir: /etc/calico/certs
etcd_cert_dir: /etc/ssl/etcd/ssl

# Global as_num (/calico/bgp/v1/global/as_num)
global_as_num: "64512"

# You can set MTU value here. If left undefined or empty, it will
# not be specified in calico CNI config, so Calico will use built-in
# defaults. The value should be a number, not a string.
# calico_mtu: 1500

# Linux capabilities to be dropped for container engines
calico_drop_cap:
  - chown
  - dac_override
  - fowner
  - fsetid
  - kill
  - setgid
  - setuid
  - setpcap
  - net_bind_service
  - net_raw
  - sys_chroot
  - mknod
  - audit_write
  - setfcap

# Limits for apps
calico_node_memory_limit: 500M
calico_node_cpu_limit: 300m
calico_node_memory_requests: 256M
calico_node_cpu_requests: 150m
calicoctl_memory_limit: 170M
calicoctl_cpu_limit: 100m
calicoctl_memory_requests: 70M
calicoctl_cpu_requests: 50m
split network plugins into distinct roles 2016-01-30 15:04:47 +00:00			`---`
calico: enabling nat outgoing by default 2016-02-21 11:42:23 +00:00			`# Enables Internet connectivity from containers`
			`nat_outgoing: true`
choose between gce and aws cloud providers 2016-03-23 16:27:06 +00:00
Support --ipip option for calico pool Adds new boolean configuration variable for calico network plugin `ipip`. When it's enabled calico pool is created with '--ipip' option (IP-over-IP encapsulation across hosts). Also refactor pool creation tasks to simplify logic and make tasks more readable. 2016-07-21 11:05:40 +00:00			`# Use IP-over-IP encapsulation across hosts`
			`ipip: false`

Allow to use custom "canalized" calico cni - Allow to overwrite calico cni binaries copied from hyperkube by the custom ones. - Fix calico-ipam deployment (it had wrong source in rsync) - Make copy from hyperkube idempotent (use rsync instead of cp) - Remove some orphaned comments 2016-09-22 15:34:11 +00:00			`# Set to true if you want your calico cni binaries to overwrite the`
			`# ones from hyperkube while leaving other cni plugins intact.`
upgrade to kubernetes version 1.4.0 test to change the machine type Revert "test to change the machine type" This reverts commit 7a91f1b5405a39bee6cb91940b09a0b0f9d3aee1. use google dns server when no upstream dns are defined comment upstream_dns_servers update documentation remove deprecated kubelet flags Revert "remove deprecated kubelet flags" This reverts commit 21e3b893c896d0291c36a07d0414f4cb88b8d8ac. 2016-10-08 17:19:25 +00:00			`overwrite_hyperkube_cni: true`
Add etcd TLS support 2016-11-09 10:44:41 +00:00
			`calico_cert_dir: /etc/calico/certs`
			`etcd_cert_dir: /etc/ssl/etcd/ssl`
Move CNI config and add MTU support for calico-cni - Move CNI configuration creation for Calico to appropriate network_plugin role from kubernetes/node. - Add support for MTU configuration in Calico. 2016-11-14 07:48:28 +00:00
Add calico/routereflector support Add BGP route reflectors support in order to optimize BGP topology for deployments with Calico network plugin. Also bump version of calico/ctl for some bug fixes. 2016-12-08 16:48:54 +00:00			`# Global as_num (/calico/bgp/v1/global/as_num)`
			`global_as_num: "64512"`

Move CNI config and add MTU support for calico-cni - Move CNI configuration creation for Calico to appropriate network_plugin role from kubernetes/node. - Add support for MTU configuration in Calico. 2016-11-14 07:48:28 +00:00			`# You can set MTU value here. If left undefined or empty, it will`
			`# not be specified in calico CNI config, so Calico will use built-in`
			`# defaults. The value should be a number, not a string.`
			`# calico_mtu: 1500`
Systemd units, limits, and bin path fixes * Add restart for weave service unit * Reuse docker_bin_dir everythere * Limit systemd managed docker containers by CPU/RAM. Do not configure native systemd limits due to the lack of consensus in the kernel community requires out-of-tree kernel patches. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-12-23 14:44:44 +00:00
Drop linux capabilities and rework users/groups * Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> 2016-12-28 13:58:37 +00:00			`# Linux capabilities to be dropped for container engines`
			`calico_drop_cap:`
			`- chown`
			`- dac_override`
			`- fowner`
			`- fsetid`
			`- kill`
			`- setgid`
			`- setuid`
			`- setpcap`
			`- net_bind_service`
			`- net_raw`
			`- sys_chroot`
			`- mknod`
			`- audit_write`
			`- setfcap`

Systemd units, limits, and bin path fixes * Add restart for weave service unit * Reuse docker_bin_dir everythere * Limit systemd managed docker containers by CPU/RAM. Do not configure native systemd limits due to the lack of consensus in the kernel community requires out-of-tree kernel patches. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-12-23 14:44:44 +00:00			`# Limits for apps`
			`calico_node_memory_limit: 500M`
			`calico_node_cpu_limit: 300m`
			`calico_node_memory_requests: 256M`
			`calico_node_cpu_requests: 150m`
			`calicoctl_memory_limit: 170M`
			`calicoctl_cpu_limit: 100m`
			`calicoctl_memory_requests: 70M`
			`calicoctl_cpu_requests: 50m`