Move flannel to etcd datastore

This commit is contained in:
Florian Ruynat 2022-07-22 15:28:07 +02:00 committed by Kubernetes Prow Robot
parent eb10249a75
commit 307f598bc8
10 changed files with 340 additions and 109 deletions


@ -28,10 +28,28 @@
- {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"} - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
- {s: "{{ kube_etcd_key_file }}", d: "key.pem"} - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
- name: Slurp etcd cacert file
slurp:
src: "{{ canal_cert_dir }}/ca_cert.crt"
register: etcd_ca_cert_file
failed_when: false
- name: Slurp etcd cert file
slurp:
src: "{{ canal_cert_dir }}/cert.crt"
register: etcd_cert_file
failed_when: false
- name: Slurp etcd key file
slurp:
src: "{{ canal_cert_dir }}/key.pem"
register: etcd_key_file
failed_when: false
# Flannel need etcd v2 API # Flannel need etcd v2 API
- name: Canal | Set Flannel etcd configuration - name: Canal | Set Flannel etcd configuration
command: |- command: |-
{{ bin_dir }}/etcdctl set /{{ cluster_name }}/network/config \ {{ bin_dir }}/etcdctl set /coreos.com/network/config \
'{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }' '{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }'
register: output register: output
retries: 4 retries: 4
@ -53,14 +71,17 @@
dest: "{{ kube_config_dir }}/{{ item.file }}" dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644 mode: 0644
with_items: with_items:
- {name: canal-calico-etcd-secret, file: canal-secret-calico-etcd.yml, type: secret}
- {name: canal-config, file: canal-config.yaml, type: cm} - {name: canal-config, file: canal-config.yaml, type: cm}
- {name: canal-node, file: canal-node.yaml, type: ds} - {name: canal-node, file: canal-node.yaml, type: ds}
- {name: canal-kube-controllers, file: canal-calico-kube-controllers.yml, type: deployment} - {name: canal-kube-controllers, file: canal-calico-kube-controllers.yml, type: deployment}
- {name: canal-cr, file: canal-cr.yml, type: clusterrole}
- {name: canal, file: canal-node-sa.yml, type: sa} - {name: canal, file: canal-node-sa.yml, type: sa}
- {name: calico-cr, file: canal-cr-calico-node.yml, type: clusterrole} - {name: calico-cr, file: canal-cr-calico-node.yml, type: clusterrole}
- {name: calico-kube-cr, file: canal-cr-calico-kube-controllers.yml, type: clusterrole} - {name: calico-kube-cr, file: canal-cr-calico-kube-controllers.yml, type: clusterrole}
- {name: calico-crd, file: canal-crd-calico.yml, type: crd} - {name: calico-crd, file: canal-crd-calico.yml, type: crd}
- {name: flannel, file: canal-cr-flannel.yml, type: clusterrole} - {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
- {name: canal, file: canal-crb-canal.yml, type: clusterrolebinding}
- {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding} - {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
- {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding} - {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
register: canal_manifests register: canal_manifests
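Review bot: The three new `Slurp etcd ...` tasks swallow a missing file with `failed_when: false`, but the Secret template added in this commit interpolates `etcd_key_file.content` and its siblings unconditionally, so a missing certificate or key surfaces later as an undefined-variable error at render time instead of at the slurp; dropping `failed_when: false` (or guarding the Secret template with a `when:` on the registered results) makes the failure explicit. The registered result of `Slurp etcd key file` carries the private key (base64) and Ansible prints registered results in verbose runs, so that task should also have `no_log: true`. The comment `# Flannel need etcd v2 API` would be more useful as `# Flannel reads its config via the etcd v2 API; etcd 3.4+ disables v2 by default (--enable-v2) and etcdctl needs ETCDCTL_API=2 for 'set'.` — the task's `environment:` is outside this hunk, so I can't tell whether that is already handled.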


@ -33,15 +33,45 @@ spec:
effect: NoSchedule effect: NoSchedule
serviceAccountName: calico-kube-controllers serviceAccountName: calico-kube-controllers
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
# The controllers must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
containers: containers:
- name: calico-kube-controllers - name: calico-kube-controllers
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
env: env:
# The location of the etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_endpoints
# Location of the CA certificate for etcd.
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_ca
# Location of the client key for etcd.
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_key
# Location of the client certificate for etcd.
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cert
# Choose which controllers to run. # Choose which controllers to run.
- name: ENABLED_CONTROLLERS - name: ENABLED_CONTROLLERS
value: node value: policy,namespace,serviceaccount,workloadendpoint,node
- name: DATASTORE_TYPE volumeMounts:
value: kubernetes # Mount in the etcd TLS secrets.
- mountPath: /calico-secrets
name: etcd-certs
livenessProbe: livenessProbe:
exec: exec:
command: command:
@ -57,3 +87,10 @@ spec:
- /usr/bin/check-status - /usr/bin/check-status
- -r - -r
periodSeconds: 10 periodSeconds: 10
volumes:
# Mount in the etcd TLS secrets with mode 400.
# See https://kubernetes.io/docs/concepts/configuration/secret/
- name: etcd-certs
secret:
secretName: calico-etcd-secrets
defaultMode: 0440
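Review bot: The comment above the `etcd-certs` volume says "mode 400" while `defaultMode` is `0440`, and the DaemonSet in the same commit mounts the same Secret with `0400`; either the comment or the mode should change, e.g. `# Mount in the etcd TLS secrets with mode 0440.`, and if group-read is deliberate for this Deployment a short why-comment would help. The `/calico-secrets` volumeMount could carry `readOnly: true` so the intent is visible in the manifest rather than relying on kubelet's default for Secret volumes. `0440` must stay unquoted: Kubernetes expects an integer here and the YAML 1.1 octal reading (decimal 288) is the intended value.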


@ -7,6 +7,14 @@ metadata:
name: canal-config name: canal-config
namespace: kube-system namespace: kube-system
data: data:
# Configure this with the location of your etcd cluster.
etcd_endpoints: "{{ etcd_access_addresses }}"
# If you're using TLS enabled etcd uncomment the following.
# You must also populate the Secret below with these files.
etcd_ca: "/calico-secrets/etcd-ca"
etcd_cert: "/calico-secrets/etcd-cert"
etcd_key: "/calico-secrets/etcd-key"
# Typha is disabled. # Typha is disabled.
typha_service_name: "none" typha_service_name: "none"
@ -28,41 +36,39 @@ data:
# values in this config will be automatically populated. # values in this config will be automatically populated.
cni_network_config: |- cni_network_config: |-
{ {
"name": "k8s-pod-network", "name": "canal",
"cniVersion": "0.3.1", "cniVersion": "0.3.1",
"plugins": [ "plugins": [
{ {
"type": "flannel",
"delegate": {
"type": "calico", "type": "calico",
"include_default_routes": true,
"etcd_endpoints": "__ETCD_ENDPOINTS__",
"etcd_key_file": "__ETCD_KEY_FILE__",
"etcd_cert_file": "__ETCD_CERT_FILE__",
"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
"log_level": "info", "log_level": "info",
{% if calico_cni_log_file_path %} {% if calico_cni_log_file_path %}
"log_file_path": "{{ calico_cni_log_file_path }}", "log_file_path": "{{ calico_cni_log_file_path }}",
{% endif %} {% endif %}
"datastore_type": "kubernetes",
"nodename": "__KUBERNETES_NODE_NAME__",
"mtu": __CNI_MTU__,
"ipam": {
"type": "host-local",
"subnet": "usePodCidr"
},
"policy": { "policy": {
"type": "k8s" "type": "k8s",
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
}, },
"kubernetes": { "kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__" "kubeconfig": "__KUBECONFIG_FILEPATH__"
} }
}
}, },
{ {
"type": "portmap", "type": "portmap",
"snat": true, "capabilities": {"portMappings": true},
"capabilities": {"portMappings": true} "snat": true
},
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
} }
] ]
} }
# Flannel network configuration. Mounted into the flannel container. # Flannel network configuration. Mounted into the flannel container.
net-conf.json: | net-conf.json: |
{ {
@ -71,3 +77,4 @@ data:
"Type": "vxlan" "Type": "vxlan"
} }
} }
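Review bot: The comment pair `# If you're using TLS enabled etcd uncomment the following.` / `# You must also populate the Secret below with these files.` is stale: the three `etcd_*` keys under it are not commented out and the Secret lives in a separate manifest, so it should describe what the keys are, e.g. `# Paths inside the containers where the etcd TLS material from the calico-etcd-secrets Secret is mounted.`. The `cni_network_config` block now embeds `__SERVICEACCOUNT_TOKEN__`, which is presumably substituted into the on-host conflist by the CNI installer; that file then holds a bearer token, which deserves a comment next to the placeholder. I can't tell from the rendered page whether the `bandwidth` plugin entry sits on the old or the new side; if it was dropped, pods using bandwidth annotations lose shaping silently and the commit message should say so.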


@ -1,4 +1,4 @@
--- # Flannel ClusterRole
# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml # Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
kind: ClusterRole kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1


@ -0,0 +1,30 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: canal
rules:
# Used for creating service account tokens to be used by the CNI plugin
- apiGroups: [""]
resources:
- serviceaccounts/token
verbs:
- create
- apiGroups: [""]
resources:
- pods
- nodes
- namespaces
verbs:
- get
# Pod CIDR auto-detection on kubeadm needs access to config maps.
- apiGroups: [""]
resources:
- configmaps
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
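Review bot: The `serviceaccounts/token` `create` rule lets the canal service account mint tokens for any service account in any namespace; if the token is only ever requested for canal's own account, scoping the rule with `resourceNames: ["canal"]` keeps this ClusterRole at least privilege (the requester is outside this file, so confirm which account it names). The `nodes` resource is split across two rules, `get` in the second and `list` in the last; folding `list` into the second rule's `verbs:` reads better and removes the duplicate. The last rule also switches to block-style `apiGroups:` while the others use `apiGroups: [""]` — worth making consistent.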


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: canal
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: canal
subjects:
- kind: ServiceAccount
name: canal
namespace: kube-system


@ -4,3 +4,9 @@ kind: ServiceAccount
metadata: metadata:
name: canal name: canal
namespace: kube-system namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-kube-controllers
namespace: kube-system
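Review bot: The new `calico-kube-controllers` ServiceAccount is what the kube-controllers Deployment in this commit now runs as, but nothing in this section binds it to a role, and the ClusterRoleBinding manifests listed in the Ansible task are not shown on this page; please confirm one of them names this account as a subject, otherwise the controller cannot reach the Kubernetes API. A one-line comment above the second document naming the binding it relies on would make that dependency visible to the next reader.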


@ -44,6 +44,7 @@ spec:
# and CNI network config file on each node. # and CNI network config file on each node.
- name: install-cni - name: install-cni
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
command: ["/opt/cni/bin/install"] command: ["/opt/cni/bin/install"]
envFrom: envFrom:
- configMapRef: - configMapRef:
@ -71,6 +72,30 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: spec.nodeName fieldPath: spec.nodeName
# The location of the etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_endpoints
# Location of the CA certificate for etcd.
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_ca
# Location of the client key for etcd.
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_key
# Location of the client certificate for etcd.
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cert
# CNI MTU Config variable # CNI MTU Config variable
- name: CNI_MTU - name: CNI_MTU
valueFrom: valueFrom:
@ -85,6 +110,8 @@ spec:
name: cni-bin-dir name: cni-bin-dir
- mountPath: /host/etc/cni/net.d - mountPath: /host/etc/cni/net.d
name: cni-net-dir name: cni-net-dir
- mountPath: /calico-secrets
name: etcd-certs
securityContext: securityContext:
privileged: true privileged: true
# This init container mounts the necessary filesystems needed by the BPF data plane # This init container mounts the necessary filesystems needed by the BPF data plane
@ -125,17 +152,32 @@ spec:
name: kubernetes-services-endpoint name: kubernetes-services-endpoint
optional: true optional: true
env: env:
# Use Kubernetes API as the backing datastore. # The location of the etcd cluster.
- name: DATASTORE_TYPE - name: ETCD_ENDPOINTS
value: "kubernetes" valueFrom:
# Configure route aggregation based on pod CIDR. configMapKeyRef:
- name: USE_POD_CIDR name: canal-config
value: "true" key: etcd_endpoints
# Wait for the datastore. # Location of the CA certificate for etcd.
- name: WAIT_FOR_DATASTORE - name: ETCD_CA_CERT_FILE
value: "true" valueFrom:
# Set based on the k8s node name. configMapKeyRef:
- name: NODENAME name: canal-config
key: etcd_ca
# Location of the client key for etcd.
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_key
# Location of the client certificate for etcd.
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cert
# Set noderef for node controller.
- name: CALICO_K8S_NODE_REF
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: spec.nodeName fieldPath: spec.nodeName
@ -221,6 +263,8 @@ spec:
- mountPath: /var/lib/calico - mountPath: /var/lib/calico
name: var-lib-calico name: var-lib-calico
readOnly: false readOnly: false
- mountPath: /calico-secrets
name: etcd-certs
- name: policysync - name: policysync
mountPath: /var/run/nodeagent mountPath: /var/run/nodeagent
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
@ -230,22 +274,70 @@ spec:
- name: cni-log-dir - name: cni-log-dir
mountPath: /var/log/calico/cni mountPath: /var/log/calico/cni
readOnly: true readOnly: true
# This container runs flannel using the kube-subnet-mgr backend # Runs the flannel daemon to enable vxlan networking between
# for allocating subnets. # container hosts.
- name: kube-flannel - name: flannel
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}" image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr"] command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr"]
securityContext: imagePullPolicy: {{ k8s_image_pull_policy }}
privileged: true
resources:
limits:
cpu: {{ flannel_cpu_limit }}
memory: {{ flannel_memory_limit }}
requests:
cpu: {{ flannel_cpu_requests }}
memory: {{ flannel_memory_requests }}
env: env:
# The location of the etcd cluster.
- name: FLANNELD_ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_endpoints
# Location of the CA certificate for etcd.
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_ca
# Location of the client key for etcd.
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_key
# Location of the client certificate for etcd.
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cert
# Location of the CA certificate for etcd.
- name: FLANNELD_ETCD_CAFILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_ca
# Location of the client key for etcd.
- name: FLANNELD_ETCD_KEYFILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_key
# Location of the client certificate for etcd.
- name: FLANNELD_ETCD_CERTFILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cert
# The interface flannel should run on.
- name: FLANNELD_IFACE
valueFrom:
configMapKeyRef:
name: canal-config
key: canal_iface
# Perform masquerade on traffic leaving the pod cidr.
- name: FLANNELD_IP_MASQ
valueFrom:
configMapKeyRef:
name: canal-config
key: masquerade
# Write the subnet.env file to the mounted directory.
- name: FLANNELD_SUBNET_FILE
value: "/run/flannel/subnet.env"
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
@ -254,24 +346,22 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
- name: FLANNELD_IFACE securityContext:
valueFrom: privileged: true
configMapKeyRef:
name: canal-config
key: canal_iface
- name: FLANNELD_IP_MASQ
valueFrom:
configMapKeyRef:
name: canal-config
key: masquerade
volumeMounts: volumeMounts:
- mountPath: /run/xtables.lock - mountPath: /etc/resolv.conf
name: xtables-lock name: resolv
readOnly: false - mountPath: /run/flannel
name: run-flannel
- mountPath: /calico-secrets
name: etcd-certs
- name: flannel-cfg - name: flannel-cfg
mountPath: /etc/kube-flannel/ mountPath: /etc/kube-flannel/
volumes: volumes:
# Used by canal. - name: flannel-cfg
configMap:
name: canal-config
# Used by canal-node.
- name: lib-modules - name: lib-modules
hostPath: hostPath:
path: /lib/modules path: /lib/modules
@ -298,9 +388,12 @@ spec:
hostPath: hostPath:
path: /proc path: /proc
# Used by flannel. # Used by flannel.
- name: flannel-cfg - name: run-flannel
configMap: hostPath:
name: canal-config path: /run/flannel
- name: resolv
hostPath:
path: /etc/resolv.conf
# Used to install CNI. # Used to install CNI.
- name: cni-bin-dir - name: cni-bin-dir
hostPath: hostPath:
@ -312,6 +405,12 @@ spec:
- name: cni-log-dir - name: cni-log-dir
hostPath: hostPath:
path: /var/log/calico/cni path: /var/log/calico/cni
# Mount in the etcd TLS secrets with mode 400.
# See https://kubernetes.io/docs/concepts/configuration/secret/
- name: etcd-certs
secret:
secretName: calico-etcd-secrets
defaultMode: 0400
# Used to create per-pod Unix Domain Sockets # Used to create per-pod Unix Domain Sockets
- name: policysync - name: policysync
hostPath: hostPath:
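Review bot: In the hunk at `@ -230,22 +274,70 @@` the flannel container's `command` (`[ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr"]`, unchanged on both sides) still selects the Kubernetes subnet manager, and as far as I know flanneld ignores its etcd settings when that flag is present, so the new `FLANNELD_ETCD_ENDPOINTS`/`FLANNELD_ETCD_CAFILE`/`FLANNELD_ETCD_KEYFILE`/`FLANNELD_ETCD_CERTFILE` variables and the `/coreos.com/network/config` key written by the Ansible task would have no effect; if the move to etcd is intended the flag has to go: `command: [ "/opt/bin/flanneld", "--ip-masq" ]`. The same container also receives `ETCD_CA_CERT_FILE`/`ETCD_KEY_FILE`/`ETCD_CERT_FILE` next to the `FLANNELD_ETCD_*` trio; flanneld reads only the `FLANNELD_`-prefixed names, so the first three look redundant, and `--ip-masq` on the command line duplicates `FLANNELD_IP_MASQ`. The `/calico-secrets` mounts added to install-cni, calico-node and flannel carry no `readOnly: true`; Secret volumes are read-only by default, but stating it keeps the intent reviewable. The `defaultMode: 0400` comment matches the mode here, unlike the kube-controllers Deployment in this commit, which uses `0440` under the same comment.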


@ -0,0 +1,18 @@
# Source: calico/templates/calico-etcd-secrets.yaml
# The following contains k8s Secrets for use with a TLS enabled etcd cluster.
# For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: calico-etcd-secrets
namespace: kube-system
data:
# Populate the following with etcd TLS configuration if desired, but leave blank if
# not using TLS for etcd.
# The keys below should be uncommented and the values populated with the base64
# encoded contents of each file that would be associated with the TLS data.
# Example command for encoding a file contents: cat <file> | base64 -w 0
etcd-key: {{ etcd_key_file.content }}
etcd-cert: {{ etcd_cert_file.content }}
etcd-ca: {{ etcd_ca_cert_file.content }}
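Review bot: The three `data` values are unquoted Jinja expressions (`etcd-key: {{ etcd_key_file.content }}` and the two below it); if a slurped file is empty the rendered line becomes `etcd-key:`, which YAML reads as null, so quote them: `etcd-key: "{{ etcd_key_file.content }}"`. The comment block above (`# Populate the following ... leave blank if not using TLS`, `# The keys below should be uncommented ...`) is carried over from the upstream example and no longer describes this template, where the keys are always present and filled from the slurp results; replace it with a line such as `# Values are the base64 content registered by the "Slurp etcd ..." tasks (slurp already base64-encodes, no further encoding needed).`. An undefined `.content` (the slurp tasks use `failed_when: false`) fails at render time either way, so the quoting only covers the empty-file case; the failure mode for a missing certificate is worth a sentence in that comment.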


@ -1,5 +1,5 @@
{ {
"name": "cni0", "name": "canal",
"cniVersion": "0.3.1", "cniVersion": "0.3.1",
"plugins": [ "plugins": [
{ {
@ -7,16 +7,18 @@
"delegate": { "delegate": {
"type": "calico", "type": "calico",
"include_default_routes": true, "include_default_routes": true,
"etcd_endpoints": "{{ etcd_access_addresses }}", "etcd_endpoints": "__ETCD_ENDPOINTS__",
"etcd_key_file": "{{ canal_cert_dir }}/key.pem", "etcd_key_file": "__ETCD_KEY_FILE__",
"etcd_cert_file": "{{ canal_cert_dir }}/cert.crt", "etcd_cert_file": "__ETCD_CERT_FILE__",
"etcd_ca_cert_file": "{{ canal_cert_dir }}/ca_cert.crt", "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
"log_level": "info", "log_level": "info",
{% if calico_cni_log_file_path %} {% if calico_cni_log_file_path %}
"log_file_path": "{{ calico_cni_log_file_path }}", "log_file_path": "{{ calico_cni_log_file_path }}",
{% endif %} {% endif %}
"policy": { "policy": {
"type": "k8s" "type": "k8s",
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
}, },
"kubernetes": { "kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__" "kubeconfig": "__KUBECONFIG_FILEPATH__"
@ -25,9 +27,8 @@
}, },
{ {
"type": "portmap", "type": "portmap",
"capabilities":{ "capabilities": {"portMappings": true},
"portMappings":true "snat": true
}
} }
] ]
} }
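Review bot: This template now carries the same plugin chain as the `cni_network_config` block in canal-config.yaml in this commit (calico delegate with `__ETCD_*__` placeholders, `k8s_auth_token`, portmap with `snat`), so there are two copies that must be kept in sync; a header comment stating which installer path reads this file and that the ConfigMap copy must match would prevent drift (I can't tell from this page which path uses which). The `__SERVICEACCOUNT_TOKEN__` placeholder means the rendered conflist on the host holds a bearer token for the canal service account, so the permissions of the CNI config directory matter and deserve a note next to the placeholder.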