Move calico-policy-controller into separate role

By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132
This commit is contained in:
Aleksandr Didenko 2017-03-13 16:04:31 +01:00
parent 565d4a53b0
commit 3a39904011
11 changed files with 33 additions and 22 deletions

View file

@ -70,6 +70,7 @@
- { role: kargo-defaults} - { role: kargo-defaults}
- { role: kubernetes/master, tags: master } - { role: kubernetes/master, tags: master }
- { role: kubernetes-apps/network_plugin, tags: network } - { role: kubernetes-apps/network_plugin, tags: network }
- { role: kubernetes-apps/policy_controller, tags: policy-controller }
- hosts: calico-rr - hosts: calico-rr
any_errors_fatal: true any_errors_fatal: true

View file

@ -80,6 +80,9 @@ kube_users:
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: calico kube_network_plugin: calico
# Enable kubernetes network policies
enable_network_policy: false
# Kubernetes internal network for services, unused block of space. # Kubernetes internal network for services, unused block of space.
kube_service_addresses: 10.233.0.0/18 kube_service_addresses: 10.233.0.0/18

View file

@ -19,12 +19,6 @@ kubednsmasq_image_tag: "{{ kubednsmasq_version }}"
exechealthz_image_repo: "gcr.io/google_containers/exechealthz-amd64" exechealthz_image_repo: "gcr.io/google_containers/exechealthz-amd64"
exechealthz_image_tag: "{{ exechealthz_version }}" exechealthz_image_tag: "{{ exechealthz_version }}"
# Limits for calico apps
calico_policy_controller_cpu_limit: 100m
calico_policy_controller_memory_limit: 256M
calico_policy_controller_cpu_requests: 30m
calico_policy_controller_memory_requests: 64M
# Netchecker # Netchecker
deploy_netchecker: false deploy_netchecker: false
netchecker_port: 31081 netchecker_port: 31081
@ -45,5 +39,4 @@ netchecker_server_memory_requests: 64M
# SSL # SSL
etcd_cert_dir: "/etc/ssl/etcd/ssl" etcd_cert_dir: "/etc/ssl/etcd/ssl"
calico_cert_dir: "/etc/calico/certs"
canal_cert_dir: "/etc/canal/certs" canal_cert_dir: "/etc/canal/certs"

View file

@ -32,11 +32,6 @@
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
tags: dnsmasq tags: dnsmasq
- include: tasks/calico-policy-controller.yml
when: ( enable_network_policy is defined and enable_network_policy == True ) or
( kube_network_plugin == 'canal' )
tags: [network, canal]
- name: Kubernetes Apps | Netchecker - name: Kubernetes Apps | Netchecker
include: tasks/netchecker.yml include: tasks/netchecker.yml
when: deploy_netchecker when: deploy_netchecker

View file

@ -1,9 +1,4 @@
dependencies: dependencies:
- role: download
file: "{{ downloads.calico_policy }}"
when: ( enable_network_policy is defined and enable_network_policy == True ) or
( kube_network_plugin == 'canal' )
tags: [download, network, canal]
- role: download - role: download
file: "{{ downloads.netcheck_server }}" file: "{{ downloads.netcheck_server }}"
when: deploy_netchecker when: deploy_netchecker

View file

@ -0,0 +1,9 @@
# Limits for calico apps
calico_policy_controller_cpu_limit: 100m
calico_policy_controller_memory_limit: 256M
calico_policy_controller_cpu_requests: 30m
calico_policy_controller_memory_requests: 64M
# SSL
calico_cert_dir: "/etc/calico/certs"
canal_cert_dir: "/etc/canal/certs"

View file

@ -1,14 +1,14 @@
---
- set_fact: - set_fact:
calico_cert_dir: "{{ canal_cert_dir }}" calico_cert_dir: "{{ canal_cert_dir }}"
when: kube_network_plugin == 'canal' when: kube_network_plugin == 'canal'
tags: facts tags: [facts, canal]
- name: Write calico-policy-controller yaml - name: Write calico-policy-controller yaml
template: template:
src: calico-policy-controller.yml.j2 src: calico-policy-controller.yml.j2
dest: "{{kube_config_dir}}/calico-policy-controller.yml" dest: "{{kube_config_dir}}/calico-policy-controller.yml"
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
tags: canal
- name: Start of Calico policy controller - name: Start of Calico policy controller
kube: kube:
@ -18,3 +18,4 @@
namespace: "{{system_namespace}}" namespace: "{{system_namespace}}"
resource: "rs" resource: "rs"
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
tags: canal

View file

@ -45,7 +45,7 @@ spec:
# changed so long as it is used in conjunction with # changed so long as it is used in conjunction with
# CONFIGURE_ETC_HOSTS="true". # CONFIGURE_ETC_HOSTS="true".
- name: K8S_API - name: K8S_API
value: "https://kubernetes.default:{{ kube_apiserver_port }}" value: "https://kubernetes.default"
# Configure /etc/hosts within the container to resolve # Configure /etc/hosts within the container to resolve
# the kubernetes.default Service to the correct clusterIP # the kubernetes.default Service to the correct clusterIP
# using the environment provided by the kubelet. # using the environment provided by the kubelet.

View file

@ -0,0 +1,14 @@
---
dependencies:
- role: download
file: "{{ downloads.calico_policy }}"
when: enable_network_policy and
kube_network_plugin in ['calico', 'canal']
tags: [download, canal, policy-controller]
- role: policy_controller/calico
when: kube_network_plugin == 'calico' and
enable_network_policy
tags: policy-controller
- role: policy_controller/calico
when: kube_network_plugin == 'canal'
tags: policy-controller

View file

@ -64,7 +64,7 @@ spec:
- --runtime-config={{ conf }} - --runtime-config={{ conf }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if enable_network_policy is defined and enable_network_policy == True %} {% if enable_network_policy %}
- --runtime-config=extensions/v1beta1/networkpolicies=true - --runtime-config=extensions/v1beta1/networkpolicies=true
{% endif %} {% endif %}
- --v={{ kube_log_level }} - --v={{ kube_log_level }}

View file

@ -12,7 +12,7 @@
"ipam": { "ipam": {
"type": "calico-ipam" "type": "calico-ipam"
}, },
{% if enable_network_policy is defined and enable_network_policy == True %} {% if enable_network_policy %}
"policy": { "policy": {
"type": "k8s" "type": "k8s"
}, },