Move flannel to etcd datastore
This commit is contained in:
parent
eb10249a75
commit
307f598bc8
10 changed files with 340 additions and 109 deletions
|
@ -28,10 +28,28 @@
|
||||||
- {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
|
- {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
|
||||||
- {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
|
- {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
|
||||||
|
|
||||||
|
- name: Slurp etcd cacert file
|
||||||
|
slurp:
|
||||||
|
src: "{{ canal_cert_dir }}/ca_cert.crt"
|
||||||
|
register: etcd_ca_cert_file
|
||||||
|
failed_when: false
|
||||||
|
|
||||||
|
- name: Slurp etcd cert file
|
||||||
|
slurp:
|
||||||
|
src: "{{ canal_cert_dir }}/cert.crt"
|
||||||
|
register: etcd_cert_file
|
||||||
|
failed_when: false
|
||||||
|
|
||||||
|
- name: Slurp etcd key file
|
||||||
|
slurp:
|
||||||
|
src: "{{ canal_cert_dir }}/key.pem"
|
||||||
|
register: etcd_key_file
|
||||||
|
failed_when: false
|
||||||
|
|
||||||
# Flannel need etcd v2 API
|
# Flannel need etcd v2 API
|
||||||
- name: Canal | Set Flannel etcd configuration
|
- name: Canal | Set Flannel etcd configuration
|
||||||
command: |-
|
command: |-
|
||||||
{{ bin_dir }}/etcdctl set /{{ cluster_name }}/network/config \
|
{{ bin_dir }}/etcdctl set /coreos.com/network/config \
|
||||||
'{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }'
|
'{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }'
|
||||||
register: output
|
register: output
|
||||||
retries: 4
|
retries: 4
|
||||||
|
@ -53,14 +71,17 @@
|
||||||
dest: "{{ kube_config_dir }}/{{ item.file }}"
|
dest: "{{ kube_config_dir }}/{{ item.file }}"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items:
|
with_items:
|
||||||
|
- {name: canal-calico-etcd-secret, file: canal-secret-calico-etcd.yml, type: secret}
|
||||||
- {name: canal-config, file: canal-config.yaml, type: cm}
|
- {name: canal-config, file: canal-config.yaml, type: cm}
|
||||||
- {name: canal-node, file: canal-node.yaml, type: ds}
|
- {name: canal-node, file: canal-node.yaml, type: ds}
|
||||||
- {name: canal-kube-controllers, file: canal-calico-kube-controllers.yml, type: deployment}
|
- {name: canal-kube-controllers, file: canal-calico-kube-controllers.yml, type: deployment}
|
||||||
|
- {name: canal-cr, file: canal-cr.yml, type: clusterrole}
|
||||||
- {name: canal, file: canal-node-sa.yml, type: sa}
|
- {name: canal, file: canal-node-sa.yml, type: sa}
|
||||||
- {name: calico-cr, file: canal-cr-calico-node.yml, type: clusterrole}
|
- {name: calico-cr, file: canal-cr-calico-node.yml, type: clusterrole}
|
||||||
- {name: calico-kube-cr, file: canal-cr-calico-kube-controllers.yml, type: clusterrole}
|
- {name: calico-kube-cr, file: canal-cr-calico-kube-controllers.yml, type: clusterrole}
|
||||||
- {name: calico-crd, file: canal-crd-calico.yml, type: crd}
|
- {name: calico-crd, file: canal-crd-calico.yml, type: crd}
|
||||||
- {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
|
- {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
|
||||||
|
- {name: canal, file: canal-crb-canal.yml, type: clusterrolebinding}
|
||||||
- {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
|
- {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
|
||||||
- {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
|
- {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
|
||||||
register: canal_manifests
|
register: canal_manifests
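Review bot: The new `canal-calico-etcd-secret` item is rendered by the same template task as the other manifests, so the file carrying the base64 etcd client key lands in `{{ kube_config_dir }}` with the `mode: 0644` shown a few lines above, i.e. world-readable on the control-plane host. Tighten the mode per item, e.g. `mode: "{{ '0600' if item.type == 'secret' else '0644' }}"`, or render the secret from its own task with `mode: "0600"`. Relatedly, the three `slurp` tasks in the previous hunk register the private key into a fact without `no_log: true`, so it can show up in verbose or debug output, and their `failed_when: false` means a missing file is only noticed later when the secret template dereferences `.content`. The template task's loop header starts outside this hunk.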
|
||||||
|
|
|
@ -33,15 +33,45 @@ spec:
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
serviceAccountName: calico-kube-controllers
|
serviceAccountName: calico-kube-controllers
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
|
# The controllers must run in the host network namespace so that
|
||||||
|
# it isn't governed by policy that would prevent it from working.
|
||||||
|
hostNetwork: true
|
||||||
containers:
|
containers:
|
||||||
- name: calico-kube-controllers
|
- name: calico-kube-controllers
|
||||||
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
||||||
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
env:
|
env:
|
||||||
|
# The location of the etcd cluster.
|
||||||
|
- name: ETCD_ENDPOINTS
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_endpoints
|
||||||
|
# Location of the CA certificate for etcd.
|
||||||
|
- name: ETCD_CA_CERT_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_ca
|
||||||
|
# Location of the client key for etcd.
|
||||||
|
- name: ETCD_KEY_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_key
|
||||||
|
# Location of the client certificate for etcd.
|
||||||
|
- name: ETCD_CERT_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_cert
|
||||||
# Choose which controllers to run.
|
# Choose which controllers to run.
|
||||||
- name: ENABLED_CONTROLLERS
|
- name: ENABLED_CONTROLLERS
|
||||||
value: node
|
value: policy,namespace,serviceaccount,workloadendpoint,node
|
||||||
- name: DATASTORE_TYPE
|
volumeMounts:
|
||||||
value: kubernetes
|
# Mount in the etcd TLS secrets.
|
||||||
|
- mountPath: /calico-secrets
|
||||||
|
name: etcd-certs
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
exec:
|
exec:
|
||||||
command:
|
command:
|
||||||
|
@ -57,3 +87,10 @@ spec:
|
||||||
- /usr/bin/check-status
|
- /usr/bin/check-status
|
||||||
- -r
|
- -r
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
|
volumes:
|
||||||
|
# Mount in the etcd TLS secrets with mode 400.
|
||||||
|
# See https://kubernetes.io/docs/concepts/configuration/secret/
|
||||||
|
- name: etcd-certs
|
||||||
|
secret:
|
||||||
|
secretName: calico-etcd-secrets
|
||||||
|
defaultMode: 0440
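Review bot: The comment says the etcd TLS secret is mounted with mode 400, but `defaultMode: 0440` is used, while the same volume in canal-node.yaml.j2 uses `defaultMode: 0400`; the key only needs to be readable by the container user, so use `defaultMode: 0400` here as well to match both the comment and the other manifest. With `DATASTORE_TYPE` removed the controller presumably falls back to its etcd default; state that next to the new etcd env block, e.g. `# DATASTORE_TYPE left unset on purpose: the controller defaults to etcdv3 and reads the ETCD_* variables below`. `ENABLED_CONTROLLERS` now also runs the policy, namespace, serviceaccount and workloadendpoint controllers, which write to the datastore; the ClusterRole for `calico-kube-controllers` is not visible here, so confirm it was widened to match.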
|
||||||
|
|
|
@ -7,6 +7,14 @@ metadata:
|
||||||
name: canal-config
|
name: canal-config
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
data:
|
data:
|
||||||
|
# Configure this with the location of your etcd cluster.
|
||||||
|
etcd_endpoints: "{{ etcd_access_addresses }}"
|
||||||
|
# If you're using TLS enabled etcd uncomment the following.
|
||||||
|
# You must also populate the Secret below with these files.
|
||||||
|
etcd_ca: "/calico-secrets/etcd-ca"
|
||||||
|
etcd_cert: "/calico-secrets/etcd-cert"
|
||||||
|
etcd_key: "/calico-secrets/etcd-key"
|
||||||
|
|
||||||
# Typha is disabled.
|
# Typha is disabled.
|
||||||
typha_service_name: "none"
|
typha_service_name: "none"
|
||||||
|
|
||||||
|
@ -28,41 +36,39 @@ data:
|
||||||
# values in this config will be automatically populated.
|
# values in this config will be automatically populated.
|
||||||
cni_network_config: |-
|
cni_network_config: |-
|
||||||
{
|
{
|
||||||
"name": "k8s-pod-network",
|
"name": "canal",
|
||||||
"cniVersion": "0.3.1",
|
"cniVersion": "0.3.1",
|
||||||
"plugins": [
|
"plugins": [
|
||||||
{
|
{
|
||||||
|
"type": "flannel",
|
||||||
|
"delegate": {
|
||||||
"type": "calico",
|
"type": "calico",
|
||||||
|
"include_default_routes": true,
|
||||||
|
"etcd_endpoints": "__ETCD_ENDPOINTS__",
|
||||||
|
"etcd_key_file": "__ETCD_KEY_FILE__",
|
||||||
|
"etcd_cert_file": "__ETCD_CERT_FILE__",
|
||||||
|
"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
|
||||||
"log_level": "info",
|
"log_level": "info",
|
||||||
{% if calico_cni_log_file_path %}
|
{% if calico_cni_log_file_path %}
|
||||||
"log_file_path": "{{ calico_cni_log_file_path }}",
|
"log_file_path": "{{ calico_cni_log_file_path }}",
|
||||||
{% endif %}
|
{% endif %}
|
||||||
"datastore_type": "kubernetes",
|
|
||||||
"nodename": "__KUBERNETES_NODE_NAME__",
|
|
||||||
"mtu": __CNI_MTU__,
|
|
||||||
"ipam": {
|
|
||||||
"type": "host-local",
|
|
||||||
"subnet": "usePodCidr"
|
|
||||||
},
|
|
||||||
"policy": {
|
"policy": {
|
||||||
"type": "k8s"
|
"type": "k8s",
|
||||||
|
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
|
||||||
|
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
|
||||||
},
|
},
|
||||||
"kubernetes": {
|
"kubernetes": {
|
||||||
"kubeconfig": "__KUBECONFIG_FILEPATH__"
|
"kubeconfig": "__KUBECONFIG_FILEPATH__"
|
||||||
}
|
}
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "portmap",
|
"type": "portmap",
|
||||||
"snat": true,
|
"capabilities": {"portMappings": true},
|
||||||
"capabilities": {"portMappings": true}
|
"snat": true
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "bandwidth",
|
|
||||||
"capabilities": {"bandwidth": true}
|
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
# Flannel network configuration. Mounted into the flannel container.
|
# Flannel network configuration. Mounted into the flannel container.
|
||||||
net-conf.json: |
|
net-conf.json: |
|
||||||
{
|
{
|
||||||
|
@ -71,3 +77,4 @@ data:
|
||||||
"Type": "vxlan"
|
"Type": "vxlan"
|
||||||
}
|
}
|
||||||
}
|
}
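Review bot: The `policy` block now embeds `"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"`, which install-cni substitutes with the canal pod's service-account token into the CNI conflist under /etc/cni/net.d on every node; that file is typically world-readable, so the token becomes available to any local user, and the `kubernetes.kubeconfig` entry just below already supplies credentials to the plugin. Drop `k8s_api_root` and `k8s_auth_token` and rely on `__KUBECONFIG_FILEPATH__`, which the new `serviceaccounts/token` rule in canal-cr.yml.j2 appears to exist for. The comment `# If you're using TLS enabled etcd uncomment the following.` is stale now that the three `etcd_*` keys are always set; reword it to say the paths point into the `calico-etcd-secrets` volume mounted at /calico-secrets.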
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
---
|
# Flannel ClusterRole
|
||||||
# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
|
# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
|
30
roles/network_plugin/canal/templates/canal-cr.yml.j2
Normal file
30
roles/network_plugin/canal/templates/canal-cr.yml.j2
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: canal
|
||||||
|
rules:
|
||||||
|
# Used for creating service account tokens to be used by the CNI plugin
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- serviceaccounts/token
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- nodes
|
||||||
|
- namespaces
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
# Pod CIDR auto-detection on kubeadm needs access to config maps.
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- nodes
|
||||||
|
verbs:
|
||||||
|
- list
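Review bot: The `serviceaccounts/token` `create` rule is cluster-wide and unrestricted, so the `canal` service account can mint a token for any service account in any namespace, including highly privileged ones; a compromised canal pod on one node then escalates to whatever the most privileged account in the cluster can do. Restrict it with `resourceNames` to the single account the CNI plugin needs (e.g. `resourceNames: [canal]`), and if the token is only required in kube-system move that rule into a namespaced Role with a RoleBinding instead of this ClusterRole. The two `nodes` rules (`get` and `list`) can also be merged into one entry with `verbs: [get, list]`.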
|
12
roles/network_plugin/canal/templates/canal-crb-canal.yml.j2
Normal file
12
roles/network_plugin/canal/templates/canal-crb-canal.yml.j2
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: canal
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: canal
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: canal
|
||||||
|
namespace: kube-system
|
|
@ -4,3 +4,9 @@ kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
||||||
name: canal
|
name: canal
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: calico-kube-controllers
|
||||||
|
namespace: kube-system
|
||||||
|
|
|
@ -44,6 +44,7 @@ spec:
|
||||||
# and CNI network config file on each node.
|
# and CNI network config file on each node.
|
||||||
- name: install-cni
|
- name: install-cni
|
||||||
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
||||||
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
command: ["/opt/cni/bin/install"]
|
command: ["/opt/cni/bin/install"]
|
||||||
envFrom:
|
envFrom:
|
||||||
- configMapRef:
|
- configMapRef:
|
||||||
|
@ -71,6 +72,30 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: spec.nodeName
|
fieldPath: spec.nodeName
|
||||||
|
# The location of the etcd cluster.
|
||||||
|
- name: ETCD_ENDPOINTS
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_endpoints
|
||||||
|
# Location of the CA certificate for etcd.
|
||||||
|
- name: ETCD_CA_CERT_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_ca
|
||||||
|
# Location of the client key for etcd.
|
||||||
|
- name: ETCD_KEY_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_key
|
||||||
|
# Location of the client certificate for etcd.
|
||||||
|
- name: ETCD_CERT_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_cert
|
||||||
# CNI MTU Config variable
|
# CNI MTU Config variable
|
||||||
- name: CNI_MTU
|
- name: CNI_MTU
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
@ -85,6 +110,8 @@ spec:
|
||||||
name: cni-bin-dir
|
name: cni-bin-dir
|
||||||
- mountPath: /host/etc/cni/net.d
|
- mountPath: /host/etc/cni/net.d
|
||||||
name: cni-net-dir
|
name: cni-net-dir
|
||||||
|
- mountPath: /calico-secrets
|
||||||
|
name: etcd-certs
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
# This init container mounts the necessary filesystems needed by the BPF data plane
|
# This init container mounts the necessary filesystems needed by the BPF data plane
|
||||||
|
@ -125,17 +152,32 @@ spec:
|
||||||
name: kubernetes-services-endpoint
|
name: kubernetes-services-endpoint
|
||||||
optional: true
|
optional: true
|
||||||
env:
|
env:
|
||||||
# Use Kubernetes API as the backing datastore.
|
# The location of the etcd cluster.
|
||||||
- name: DATASTORE_TYPE
|
- name: ETCD_ENDPOINTS
|
||||||
value: "kubernetes"
|
valueFrom:
|
||||||
# Configure route aggregation based on pod CIDR.
|
configMapKeyRef:
|
||||||
- name: USE_POD_CIDR
|
name: canal-config
|
||||||
value: "true"
|
key: etcd_endpoints
|
||||||
# Wait for the datastore.
|
# Location of the CA certificate for etcd.
|
||||||
- name: WAIT_FOR_DATASTORE
|
- name: ETCD_CA_CERT_FILE
|
||||||
value: "true"
|
valueFrom:
|
||||||
# Set based on the k8s node name.
|
configMapKeyRef:
|
||||||
- name: NODENAME
|
name: canal-config
|
||||||
|
key: etcd_ca
|
||||||
|
# Location of the client key for etcd.
|
||||||
|
- name: ETCD_KEY_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_key
|
||||||
|
# Location of the client certificate for etcd.
|
||||||
|
- name: ETCD_CERT_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_cert
|
||||||
|
# Set noderef for node controller.
|
||||||
|
- name: CALICO_K8S_NODE_REF
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: spec.nodeName
|
fieldPath: spec.nodeName
|
||||||
|
@ -221,6 +263,8 @@ spec:
|
||||||
- mountPath: /var/lib/calico
|
- mountPath: /var/lib/calico
|
||||||
name: var-lib-calico
|
name: var-lib-calico
|
||||||
readOnly: false
|
readOnly: false
|
||||||
|
- mountPath: /calico-secrets
|
||||||
|
name: etcd-certs
|
||||||
- name: policysync
|
- name: policysync
|
||||||
mountPath: /var/run/nodeagent
|
mountPath: /var/run/nodeagent
|
||||||
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
|
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
|
||||||
|
@ -230,22 +274,70 @@ spec:
|
||||||
- name: cni-log-dir
|
- name: cni-log-dir
|
||||||
mountPath: /var/log/calico/cni
|
mountPath: /var/log/calico/cni
|
||||||
readOnly: true
|
readOnly: true
|
||||||
# This container runs flannel using the kube-subnet-mgr backend
|
# Runs the flannel daemon to enable vxlan networking between
|
||||||
# for allocating subnets.
|
# container hosts.
|
||||||
- name: kube-flannel
|
- name: flannel
|
||||||
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
|
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
|
||||||
command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr"]
|
command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr"]
|
||||||
securityContext:
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
privileged: true
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: {{ flannel_cpu_limit }}
|
|
||||||
memory: {{ flannel_memory_limit }}
|
|
||||||
requests:
|
|
||||||
cpu: {{ flannel_cpu_requests }}
|
|
||||||
memory: {{ flannel_memory_requests }}
|
|
||||||
env:
|
env:
|
||||||
|
# The location of the etcd cluster.
|
||||||
|
- name: FLANNELD_ETCD_ENDPOINTS
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_endpoints
|
||||||
|
# Location of the CA certificate for etcd.
|
||||||
|
- name: ETCD_CA_CERT_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_ca
|
||||||
|
# Location of the client key for etcd.
|
||||||
|
- name: ETCD_KEY_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_key
|
||||||
|
# Location of the client certificate for etcd.
|
||||||
|
- name: ETCD_CERT_FILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_cert
|
||||||
|
# Location of the CA certificate for etcd.
|
||||||
|
- name: FLANNELD_ETCD_CAFILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_ca
|
||||||
|
# Location of the client key for etcd.
|
||||||
|
- name: FLANNELD_ETCD_KEYFILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_key
|
||||||
|
# Location of the client certificate for etcd.
|
||||||
|
- name: FLANNELD_ETCD_CERTFILE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: etcd_cert
|
||||||
|
# The interface flannel should run on.
|
||||||
|
- name: FLANNELD_IFACE
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: canal_iface
|
||||||
|
# Perform masquerade on traffic leaving the pod cidr.
|
||||||
|
- name: FLANNELD_IP_MASQ
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: canal-config
|
||||||
|
key: masquerade
|
||||||
|
# Write the subnet.env file to the mounted directory.
|
||||||
|
- name: FLANNELD_SUBNET_FILE
|
||||||
|
value: "/run/flannel/subnet.env"
|
||||||
- name: POD_NAME
|
- name: POD_NAME
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
|
@ -254,24 +346,22 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.namespace
|
fieldPath: metadata.namespace
|
||||||
- name: FLANNELD_IFACE
|
securityContext:
|
||||||
valueFrom:
|
privileged: true
|
||||||
configMapKeyRef:
|
|
||||||
name: canal-config
|
|
||||||
key: canal_iface
|
|
||||||
- name: FLANNELD_IP_MASQ
|
|
||||||
valueFrom:
|
|
||||||
configMapKeyRef:
|
|
||||||
name: canal-config
|
|
||||||
key: masquerade
|
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: /run/xtables.lock
|
- mountPath: /etc/resolv.conf
|
||||||
name: xtables-lock
|
name: resolv
|
||||||
readOnly: false
|
- mountPath: /run/flannel
|
||||||
|
name: run-flannel
|
||||||
|
- mountPath: /calico-secrets
|
||||||
|
name: etcd-certs
|
||||||
- name: flannel-cfg
|
- name: flannel-cfg
|
||||||
mountPath: /etc/kube-flannel/
|
mountPath: /etc/kube-flannel/
|
||||||
volumes:
|
volumes:
|
||||||
# Used by canal.
|
- name: flannel-cfg
|
||||||
|
configMap:
|
||||||
|
name: canal-config
|
||||||
|
# Used by canal-node.
|
||||||
- name: lib-modules
|
- name: lib-modules
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /lib/modules
|
path: /lib/modules
|
||||||
|
@ -298,9 +388,12 @@ spec:
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /proc
|
path: /proc
|
||||||
# Used by flannel.
|
# Used by flannel.
|
||||||
- name: flannel-cfg
|
- name: run-flannel
|
||||||
configMap:
|
hostPath:
|
||||||
name: canal-config
|
path: /run/flannel
|
||||||
|
- name: resolv
|
||||||
|
hostPath:
|
||||||
|
path: /etc/resolv.conf
|
||||||
# Used to install CNI.
|
# Used to install CNI.
|
||||||
- name: cni-bin-dir
|
- name: cni-bin-dir
|
||||||
hostPath:
|
hostPath:
|
||||||
|
@ -312,6 +405,12 @@ spec:
|
||||||
- name: cni-log-dir
|
- name: cni-log-dir
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/log/calico/cni
|
path: /var/log/calico/cni
|
||||||
|
# Mount in the etcd TLS secrets with mode 400.
|
||||||
|
# See https://kubernetes.io/docs/concepts/configuration/secret/
|
||||||
|
- name: etcd-certs
|
||||||
|
secret:
|
||||||
|
secretName: calico-etcd-secrets
|
||||||
|
defaultMode: 0400
|
||||||
# Used to create per-pod Unix Domain Sockets
|
# Used to create per-pod Unix Domain Sockets
|
||||||
- name: policysync
|
- name: policysync
|
||||||
hostPath:
|
hostPath:
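Review bot: In the `@ -230,22 +274,70` hunk the flannel container still runs `command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr"]`, and `--kube-subnet-mgr` makes flanneld take its subnet lease from the Kubernetes node object rather than etcd, so the `FLANNELD_ETCD_*` variables added below it and the config written by the `etcdctl set` task are never used; drop the flag (and `--ip-masq`, now driven by `FLANNELD_IP_MASQ`) so the command reads `command: [ "/opt/bin/flanneld" ]`. The same hunk removes the `/run/xtables.lock` mount although flanneld keeps writing iptables rules for masquerading; without the shared lock file its updates can race with calico-node and kube-proxy, so keep that mount. The flannel `resources` limits and requests are also dropped with no replacement, leaving the container unbounded.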
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
# Source: calico/templates/calico-etcd-secrets.yaml
|
||||||
|
# The following contains k8s Secrets for use with a TLS enabled etcd cluster.
|
||||||
|
# For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
type: Opaque
|
||||||
|
metadata:
|
||||||
|
name: calico-etcd-secrets
|
||||||
|
namespace: kube-system
|
||||||
|
data:
|
||||||
|
# Populate the following with etcd TLS configuration if desired, but leave blank if
|
||||||
|
# not using TLS for etcd.
|
||||||
|
# The keys below should be uncommented and the values populated with the base64
|
||||||
|
# encoded contents of each file that would be associated with the TLS data.
|
||||||
|
# Example command for encoding a file contents: cat <file> | base64 -w 0
|
||||||
|
etcd-key: {{ etcd_key_file.content }}
|
||||||
|
etcd-cert: {{ etcd_cert_file.content }}
|
||||||
|
etcd-ca: {{ etcd_ca_cert_file.content }}
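Review bot: `etcd-key: {{ etcd_key_file.content }}` is rendered unconditionally, but the slurp that registers `etcd_key_file` runs with `failed_when: false`, so when the file is absent `.content` is undefined and the template fails with an obscure error (or, under a lenient undefined handler, produces an empty key); guard each value, e.g. `etcd-key: "{{ etcd_key_file.content | mandatory }}"`, and quote all three so a leading special character cannot change the YAML type. The header comment still tells the reader to uncomment the keys and hand-populate base64 values, which no longer applies since they are templated from the slurped files; replace it with a sentence saying the values are taken from `canal_cert_dir` at deploy time. This Secret carries the etcd client key, which grants read and write access to the whole cluster datastore, so anyone able to read Secrets in kube-system effectively gains cluster-admin; that trade-off deserves a comment at the top of the file.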
|
|
@ -1,5 +1,5 @@
|
||||||
{
|
{
|
||||||
"name": "cni0",
|
"name": "canal",
|
||||||
"cniVersion": "0.3.1",
|
"cniVersion": "0.3.1",
|
||||||
"plugins": [
|
"plugins": [
|
||||||
{
|
{
|
||||||
|
@ -7,16 +7,18 @@
|
||||||
"delegate": {
|
"delegate": {
|
||||||
"type": "calico",
|
"type": "calico",
|
||||||
"include_default_routes": true,
|
"include_default_routes": true,
|
||||||
"etcd_endpoints": "{{ etcd_access_addresses }}",
|
"etcd_endpoints": "__ETCD_ENDPOINTS__",
|
||||||
"etcd_key_file": "{{ canal_cert_dir }}/key.pem",
|
"etcd_key_file": "__ETCD_KEY_FILE__",
|
||||||
"etcd_cert_file": "{{ canal_cert_dir }}/cert.crt",
|
"etcd_cert_file": "__ETCD_CERT_FILE__",
|
||||||
"etcd_ca_cert_file": "{{ canal_cert_dir }}/ca_cert.crt",
|
"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
|
||||||
"log_level": "info",
|
"log_level": "info",
|
||||||
{% if calico_cni_log_file_path %}
|
{% if calico_cni_log_file_path %}
|
||||||
"log_file_path": "{{ calico_cni_log_file_path }}",
|
"log_file_path": "{{ calico_cni_log_file_path }}",
|
||||||
{% endif %}
|
{% endif %}
|
||||||
"policy": {
|
"policy": {
|
||||||
"type": "k8s"
|
"type": "k8s",
|
||||||
|
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
|
||||||
|
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
|
||||||
},
|
},
|
||||||
"kubernetes": {
|
"kubernetes": {
|
||||||
"kubeconfig": "__KUBECONFIG_FILEPATH__"
|
"kubeconfig": "__KUBECONFIG_FILEPATH__"
|
||||||
|
@ -25,9 +27,8 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "portmap",
|
"type": "portmap",
|
||||||
"capabilities":{
|
"capabilities": {"portMappings": true},
|
||||||
"portMappings":true
|
"snat": true
|
||||||
}
|
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
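Review bot: The `etcd_key_file`, `etcd_cert_file` and `etcd_ca_cert_file` values now come from `__ETCD_*__` placeholders that install-cni fills with the in-container paths `/calico-secrets/etcd-*` from canal-config, yet the CNI binary executes on the host; these paths only resolve if install-cni also copies the mounted secrets to a host directory and rewrites the paths (upstream calico's install does this under /etc/cni/net.d/calico-tls), so confirm the image tag used here has that behaviour or keep explicit host paths as before. As in canal-config.yaml.j2, `k8s_auth_token` writes the service-account token into the on-disk conflist even though `kubeconfig` is supplied just below; drop `k8s_api_root` and `k8s_auth_token`. The enclosing `plugins` entry starts before this hunk.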
|
||||||
|
|