diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2 index 3677ec660..0e8abfcfb 100644 --- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2 +++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2 @@ -52,6 +52,7 @@ rules: - apiGroups: ["crd.projectcalico.org"] resources: - ippools + - ipreservations verbs: - list - apiGroups: ["crd.projectcalico.org"] diff --git a/roles/network_plugin/calico/templates/calico-cr.yml.j2 b/roles/network_plugin/calico/templates/calico-cr.yml.j2 index 5a3d9286f..826f44100 100644 --- a/roles/network_plugin/calico/templates/calico-cr.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2 @@ -83,6 +83,7 @@ rules: - globalbgpconfigs - bgpconfigurations - ippools + - ipreservations - ipamblocks - globalnetworkpolicies - globalnetworksets @@ -91,6 +92,7 @@ rules: - clusterinformations - hostendpoints - blockaffinities + - caliconodestatuses verbs: - get - list @@ -104,6 +106,12 @@ rules: verbs: - create - update + # Calico must update some CRDs. + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - caliconodestatuses + verbs: + - update # Calico stores some configuration information on the node. - apiGroups: [""] resources: diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2 index 21833e827..e0f2cf62d 100644 --- a/roles/network_plugin/calico/templates/calico-node.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-node.yml.j2 @@ -72,6 +72,11 @@ spec: - name: install-cni image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} command: ["/opt/cni/bin/install"] + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. + name: kubernetes-services-endpoint + optional: true env: # Name of the CNI config file to create. - name: CNI_CONF_NAME @@ -214,11 +219,6 @@ spec: # # Configure the IP Pool from which Pod IPs will be chosen. # - name: CALICO_IPV4POOL_CIDR # value: "{{ calico_pool_cidr | default(kube_pods_subnet) }}" -{% if calico_veth_mtu is defined %} -# Set MTU for the Wireguard tunnel device. - - name: FELIX_WIREGUARDMTU - value: "{{ calico_veth_mtu }}" -{% endif %} - name: CALICO_IPV4POOL_IPIP value: "{{ calico_ipv4pool_ipip }}" - name: FELIX_IPV6SUPPORT @@ -234,8 +234,15 @@ spec: value: "{{ calico_usage_reporting }}" # Set MTU for tunnel device used if ipip is enabled {% if calico_mtu is defined %} + # Set MTU for tunnel device used if ipip is enabled - name: FELIX_IPINIPMTU value: "{{ calico_veth_mtu | default(calico_mtu) }}" + # Set MTU for the VXLAN tunnel device. + - name: FELIX_VXLANMTU + value: "{{ calico_veth_mtu | default(calico_mtu) }}" + # Set MTU for the Wireguard tunnel device. + - name: FELIX_WIREGUARDMTU + value: "{{ calico_veth_mtu | default(calico_mtu) }}" {% endif %} - name: FELIX_CHAININSERTMODE value: "{{ calico_felix_chaininsertmode }}" @@ -270,6 +277,12 @@ spec: fieldRef: fieldPath: status.hostIP {% endif %} + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + # Set Felix endpoint to host default action to ACCEPT. + - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: "ACCEPT" - name: NODENAME valueFrom: fieldRef: @@ -295,6 +308,14 @@ spec: requests: cpu: {{ calico_node_cpu_requests }} memory: {{ calico_node_memory_requests }} +{% if calico_version is version('v3.21.0', '>=') %} + lifecycle: + preStop: + exec: + command: + - /bin/calico-node + - -shutdown +{% endif %} livenessProbe: exec: command: @@ -336,8 +357,10 @@ spec: - name: xtables-lock mountPath: /run/xtables.lock readOnly: false + # For maintaining CNI plugin API credentials. - mountPath: /host/etc/cni/net.d name: cni-net-dir + readOnly: false {% if typha_secure %} - name: typha-client mountPath: /etc/typha-client