Mount host's xtable lock and enable calico lokcing for <v3.2.1

This commit is contained in:
Danny Kulchinsky 2019-01-04 11:00:56 -05:00
parent 4959bfc1b3
commit 257019d424
2 changed files with 23 additions and 0 deletions


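--- a/<PATH NOT SHOWN ON PAGE: first changed file>
+++ b/<PATH NOT SHOWN ON PAGE: first changed file>
@@ -76,6 +76,12 @@ spec:
 value: "{{ calico_endpoint_to_host_action|default('RETURN') }}"
 - name: FELIX_HEALTHHOST
 value: "{{ calico_healthhost }}"
+# Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
+# this is not required in later versions https://github.com/projectcalico/calico/issues/2179
+{% if calico_version is version('v3.2.1', '<') %}
+- name: FELIX_IPTABLESLOCKTIMEOUTSECS
+value: "10"
+{% endif %}
 # should be set in etcd before deployment
 # # Configure the IP Pool from which Pod IPs will be chosen.
 # - name: CALICO_IPV4POOL_CIDR
@@ -170,6 +176,9 @@ spec:
 readOnly: false
 - mountPath: /calico-secrets
 name: etcd-certs
+- name: xtables-lock
+mountPath: /run/xtables.lock
+readOnly: false
 volumes:
 # Used by calico/node.
 - name: lib-modules
@@ -192,6 +201,11 @@ spec:
 - name: etcd-certs
 hostPath:
 path: "{{ calico_cert_dir }}"
+# Mount the global iptables lock file, used by calico/node
+- name: xtables-lock
+hostPath:
+path: /run/xtables.lock
+type: FileOrCreate
 updateStrategy:
 rollingUpdate:
 maxUnavailable: {{ serial | default('20%') }}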
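Review bot: The guard `{% if calico_version is version('v3.2.1', '<') %}` in the first hunk compares against a `v`-prefixed literal, so it only does what the comment describes when `calico_version` is always supplied with the same prefix; Ansible's `version` test falls back to a loose, string-aware comparison, and a bare `3.2.0` from a user override would compare differently against `v3.2.1` (and can make the test fail outright on Python 3). Normalising the variable avoids depending on the prefix: `{% if calico_version | regex_replace('^v', '') is version('3.2.1', '<') %}`. The same guard is added in the second changed file's first hunk and should get the same treatment. Since the commit appears to rely on a non-zero timeout switching Felix's own iptables lock on, a one-line comment such as `# a non-zero timeout enables Felix's internal iptables lock` next to `FELIX_IPTABLESLOCKTIMEOUTSECS` would make that dependency explicit. The `env:` list these entries extend begins outside the hunk.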


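--- a/<PATH NOT SHOWN ON PAGE: second changed file>
+++ b/<PATH NOT SHOWN ON PAGE: second changed file>
@@ -173,6 +173,12 @@ spec:
 fieldPath: spec.nodeName
 - name: FELIX_HEALTHENABLED
 value: "true"
+# Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
+# this is not required in later versions https://github.com/projectcalico/calico/issues/2179
+{% if calico_version is version('v3.2.1', '<') %}
+- name: FELIX_IPTABLESLOCKTIMEOUTSECS
+value: "10"
+{% endif %}
 # Etcd SSL vars
 - name: ETCD_CA_CERT_FILE
 valueFrom:
@@ -220,6 +226,9 @@ spec:
 - name: "canal-certs"
 mountPath: "{{ canal_cert_dir }}"
 readOnly: true
+- name: xtables-lock
+mountPath: /run/xtables.lock
+readOnly: false
 updateStrategy:
 rollingUpdate:
 maxUnavailable: {{ serial | default('20%') }}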
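Review bot: The `xtables-lock` volumeMount added in the second hunk has no matching `volumes:` entry anywhere in this commit (the diffstat's 23 additions are fully accounted for by the hunks shown), whereas the first changed file adds both the mount and the `hostPath` volume. Unless this template already declares a volume named `xtables-lock` in its `volumes:` list outside these hunks, the API server will reject the DaemonSet for referencing an undefined volume, and the same entry should be added here: `- name: xtables-lock` / `hostPath:` / `path: /run/xtables.lock` / `type: FileOrCreate`. `readOnly: false` is needed because the lock is taken by writing to the file, but the mount carries no comment here while the first file explains its volume with `# Mount the global iptables lock file, used by calico/node`; the same line above the mount would make the intent clear. The container whose `volumeMounts` this extends starts outside the hunk.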