Upgrade Weave to 2.2.1

- Fix #2414, so namespace isolation should now works
- Update weave-net.yml.j2 as per latest https://cloud.weave.works/k8s/net
- Other minor fixup

README.md

@@ -83,7 +83,7 @@ Versions of supported components
 -   [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
 -   [cilium](https://github.com/cilium/cilium) v1.0.0-rc8
 -   [contiv](https://github.com/contiv/install/releases) v1.1.7
--   [weave](http://weave.works/) v2.2.0
+-   [weave](http://weave.works/) v2.2.1
 -   [docker](https://www.docker.com/) v17.03 (see note)
 -   [rkt](https://coreos.com/rkt/docs/latest/) v1.21.0 (see Note 2)
 

roles/download/defaults/main.yml

@@ -38,7 +38,7 @@ flannel_version: "v0.10.0"
 flannel_cni_version: "v0.3.0"
 istio_version: "0.2.6"
 vault_version: 0.8.1
-weave_version: 2.2.0
+weave_version: 2.2.1
 pod_infra_version: 3.0
 contiv_version: 1.1.7
 cilium_version: "v1.0.0-rc8"

roles/network_plugin/weave/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 # Limits
-weave_memory_limit: 400M
+weave_memory_limits: 400M
-weave_cpu_limit: 30m
+weave_cpu_limits: 30m
 weave_memory_requests: 64M
 weave_cpu_requests: 10m
 

roles/network_plugin/weave/templates/weave-net.yml.j2

@@ -9,12 +9,13 @@ items:
       labels:
         name: weave-net
       namespace: {{ system_namespace }}
-  - apiVersion: rbac.authorization.k8s.io/v1
+  - apiVersion: rbac.authorization.k8s.io/v1beta1
     kind: ClusterRole
     metadata:
       name: weave-net
       labels:
         name: weave-net
+      namespace: {{ system_namespace }}
     rules:
       - apiGroups:
           - ''
@@ -27,35 +28,42 @@ items:
           - list
           - watch
       - apiGroups:
-          - extensions
+          - networking.k8s.io
-        resources:
-          - networkpolicies
-        verbs:
-          - get
-          - list
-          - watch
-      - apiGroups:
-          - 'networking.k8s.io'
         resources:
           - networkpolicies
         verbs:
           - get
           - list
           - watch
+  - apiVersion: rbac.authorization.k8s.io/v1beta1
+    kind: ClusterRoleBinding
+    metadata:
+      name: weave-net
+      labels:
+        name: weave-net
+      namespace: {{ system_namespace }}
+    roleRef:
+      kind: ClusterRole
+      name: weave-net
+      apiGroup: rbac.authorization.k8s.io
+    subjects:
+      - kind: ServiceAccount
+        name: weave-net
+        namespace: {{ system_namespace }}
   - apiVersion: rbac.authorization.k8s.io/v1beta1
     kind: Role
     metadata:
       name: weave-net
-      namespace: kube-system
       labels:
         name: weave-net
+      namespace: {{ system_namespace }}
     rules:
       - apiGroups:
           - ''
-        resources:
-          - configmaps
         resourceNames:
           - weave-net
+        resources:
+          - configmaps
         verbs:
           - get
           - update
@@ -65,29 +73,31 @@ items:
           - configmaps
         verbs:
           - create
-  - apiVersion: rbac.authorization.k8s.io/v1
+  - apiVersion: rbac.authorization.k8s.io/v1beta1
-    kind: ClusterRoleBinding
+    kind: RoleBinding
     metadata:
       name: weave-net
       labels:
         name: weave-net
+      namespace: {{ system_namespace }}
     roleRef:
-      kind: ClusterRole
+      kind: Role
       name: weave-net
       apiGroup: rbac.authorization.k8s.io
     subjects:
       - kind: ServiceAccount
         name: weave-net
-        namespace: kube-system
+        namespace: {{ system_namespace }}
   - apiVersion: extensions/v1beta1
     kind: DaemonSet
     metadata:
       name: weave-net
       labels:
         name: weave-net
-        version: {{ weave_version }}
+        version: v{{ weave_version }}
       namespace: {{ system_namespace }}
     spec:
+      minReadySeconds: 5
       template:
         metadata:
           labels:
@@ -122,7 +132,7 @@ items:
                 - name: WEAVE_PASSWORD
                   value: {{ weave_password }}
               image: {{ weave_kube_image_repo }}:{{ weave_kube_image_tag }}
-              imagePullPolicy: Always
+              imagePullPolicy: {{ k8s_image_pull_policy }}
               livenessProbe:
                 httpGet:
                   host: 127.0.0.1
@@ -149,19 +159,28 @@ items:
                   mountPath: /lib/modules
                 - name: xtables-lock
                   mountPath: /run/xtables.lock
-                  readOnly: false
             - name: weave-npc
+              args: []
+              env:
+                - name: HOSTNAME
+                  valueFrom:
+                    fieldRef:
+                      apiVersion: v1
+                      fieldPath: spec.nodeName
               image: {{ weave_npc_image_repo }}:{{ weave_npc_image_tag }}
-              imagePullPolicy: Always
+              imagePullPolicy: {{ k8s_image_pull_policy }}
               resources:
                 requests:
                   cpu: {{ weave_cpu_requests }}
                   memory: {{ weave_memory_requests }}
                 limits:
-                  cpu: {{ weave_cpu_limit }}
+                  cpu: {{ weave_cpu_limits }}
-                  memory: {{ weave_memory_limit }}
+                  memory: {{ weave_memory_limits }}
               securityContext:
                 privileged: true
+              volumeMounts:
+                - name: xtables-lock
+                  mountPath: /run/xtables.lock
           hostNetwork: true
           hostPID: true
           restartPolicy: Always

tests/files/gce_centos-weave-kubeadm.yml

@@ -7,7 +7,7 @@ startup_script: ""
 
 # Deployment settings
 kube_network_plugin: weave
-weave_cpu_limit: "100m"
+weave_cpu_limits: "100m"
 weave_cpu_requests: "100m"
 kubeadm_enabled: true
 deploy_netchecker: true

tests/files/gce_coreos-alpha-weave-ha.yml

@@ -7,7 +7,7 @@ startup_script: 'systemctl disable locksmithd && systemctl stop locksmithd'
 
 # Deployment settings
 kube_network_plugin: weave
-weave_cpu_limit: "100m"
+weave_cpu_limits: "100m"
 weave_cpu_requests: "100m"
 bootstrap_os: coreos
 resolvconf_mode: host_resolvconf # this is required as long as the coreos stable channel uses docker < 1.12

tests/files/gce_rhel7-weave.yml

@@ -5,7 +5,7 @@ mode: default
 
 # Deployment settings
 kube_network_plugin: weave
-weave_cpu_limit: "100m"
+weave_cpu_limits: "100m"
 weave_cpu_requests: "100m"
 deploy_netchecker: true
 kubedns_min_replicas: 1

tests/files/gce_ubuntu-weave-sep.yml

@@ -6,7 +6,7 @@ mode: separate
 # Deployment settings
 bootstrap_os: ubuntu
 kube_network_plugin: weave
-weave_cpu_limit: "100m"
+weave_cpu_limits: "100m"
 weave_cpu_requests: "100m"
 deploy_netchecker: true
 kubedns_min_replicas: 1