[kube-ovn]: update kube-ovn version and sync some feature (#8790)

* [kube-ovn]: some feature

kube-ovn vlan mode
ipv6/ipv4 dual stack
...

* remove unused env

* fix readinessprobe
This commit is contained in:
Samuel Liu 2022-05-12 12:35:15 +08:00 committed by GitHub
parent b9e5b0cb53
commit f26f544ff6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 407 additions and 88 deletions


@ -62,7 +62,7 @@ credentials_dir: "{{ inventory_dir }}/credentials"
# kube_webhook_authorization_url: https://... # kube_webhook_authorization_url: https://...
# kube_webhook_authorization_url_skip_tls_verify: false # kube_webhook_authorization_url_skip_tls_verify: false
# Choose network plugin (cilium, calico, weave or flannel. Use cni for generic cni plugin) # Choose network plugin (cilium, calico, kube-ovn, weave or flannel. Use cni for generic cni plugin)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: calico kube_network_plugin: calico


@ -0,0 +1,57 @@
---
# geneve or vlan
kube_ovn_network_type: geneve
# geneve, vxlan or stt. ATTENTION: some networkpolicy cannot take effect when using vxlan and stt need custom compile ovs kernel module
kube_ovn_tunnel_type: geneve
## The nic to support container network can be a nic name or a group of regex separated by comma e.g: 'enp6s0f0,eth.*', if empty will use the nic that the default route use.
# kube_ovn_iface: eth1
## The MTU used by pod iface in overlay networks (default iface MTU - 100)
# kube_ovn_mtu: 1333
## Enable hw-offload, disable traffic mirror and set the iface to the physical port. Make sure that there is an IP address bind to the physical port.
kube_ovn_hw_offload: false
# traffic mirror
kube_ovn_traffic_mirror: false
# kube_ovn_pool_cidr_ipv6: fd85:ee78:d8a6:8607::1:0000/112
# kube_ovn_default_interface_name: eth0
kube_ovn_external_address: 8.8.8.8
kube_ovn_external_address_ipv6: 2400:3200::1
kube_ovn_external_dns: alauda.cn
# kube_ovn_default_gateway: 10.233.64.1,fd85:ee78:d8a6:8607::1:0
kube_ovn_default_gateway_check: true
kube_ovn_default_logical_gateway: false
# kube_ovn_default_exclude_ips: 10.16.0.1
kube_ovn_node_switch_cidr: 100.64.0.0/16
kube_ovn_node_switch_cidr_ipv6: fd00:100:64::/64
## vlan config, set default interface name and vlan id
# kube_ovn_default_interface_name: eth0
kube_ovn_default_vlan_id: 100
kube_ovn_vlan_name: product
## pod nic type, support: veth-pair or internal-port
kube_ovn_pod_nic_type: veth_pair
## Enable load balancer
kube_ovn_enable_lb: true
## Enable network policy support
kube_ovn_enable_np: true
## Enable external vpc support
kube_ovn_enable_external_vpc: true
## Enable checksum
kube_ovn_encap_checksum: true
## enable ssl
kube_ovn_enable_ssl: false
## dpdk
kube_ovn_dpdk_enabled: false
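Review bot: `kube_ovn_pod_nic_type: veth_pair` does not match the values the comment directly above it documents (`veth-pair` or `internal-port`) nor the `--pod-nic-type=veth-pair` the controller template hard-coded before this change; whether kube-ovn treats the underscore spelling as veth-pair or rejects it depends on its flag parsing, so the default should be `kube_ovn_pod_nic_type: veth-pair` to stay on the documented path. Separately, `kube_ovn_external_address`, `kube_ovn_external_address_ipv6` and `kube_ovn_external_dns` default to public third-party endpoints (8.8.8.8, 2400:3200::1, alauda.cn) that the pinger DaemonSet probes from every node; in egress-restricted or air-gapped clusters this yields failing health checks and outbound traffic to hosts the operator never chose. A comment such as `## External IPv4/IPv6 address and DNS name the pinger probes from every node; point these at hosts your egress policy allows` would make the need to override them explicit.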


@ -111,7 +111,8 @@ cni_version: "v1.0.1"
weave_version: 2.8.1 weave_version: 2.8.1
pod_infra_version: "3.3" pod_infra_version: "3.3"
cilium_version: "v1.11.3" cilium_version: "v1.11.3"
kube_ovn_version: "v1.8.1" kube_ovn_version: "v1.9.2"
kube_ovn_dpdk_version: "19.11-{{ kube_ovn_version }}"
kube_router_version: "v1.4.0" kube_router_version: "v1.4.0"
multus_version: "v3.8" multus_version: "v3.8"
helm_version: "v3.8.2" helm_version: "v3.8.2"
@ -918,8 +919,10 @@ cilium_hubble_ui_backend_image_repo: "{{ quay_image_repo }}/cilium/hubble-ui-bac
cilium_hubble_ui_backend_image_tag: "v0.7.3" cilium_hubble_ui_backend_image_tag: "v0.7.3"
cilium_hubble_envoy_image_repo: "{{ docker_image_repo }}/envoyproxy/envoy" cilium_hubble_envoy_image_repo: "{{ docker_image_repo }}/envoyproxy/envoy"
cilium_hubble_envoy_image_tag: "v1.14.5" cilium_hubble_envoy_image_tag: "v1.14.5"
kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn" kube_ovn_dpdk_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"
kube_ovn_container_image_tag: "{{ kube_ovn_version }}" kube_ovn_dpdk_container_image_tag: "{{ kube_ovn_version }}"
kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn-dpdk"
kube_ovn_container_image_tag: "{{ kube_ovn_dpdk_version }}"
kube_router_image_repo: "{{ docker_image_repo }}/cloudnativelabs/kube-router" kube_router_image_repo: "{{ docker_image_repo }}/cloudnativelabs/kube-router"
kube_router_image_tag: "{{ kube_router_version }}" kube_router_image_tag: "{{ kube_router_version }}"
multus_image_repo: "{{ github_image_repo }}/k8snetworkplumbingwg/multus-cni" multus_image_repo: "{{ github_image_repo }}/k8snetworkplumbingwg/multus-cni"
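Review bot: The two image pairs are crossed on the new side: `kube_ovn_container_image_repo` now points at `kubeovn/kube-ovn-dpdk` with `kube_ovn_container_image_tag: "{{ kube_ovn_dpdk_version }}"`, while the `_dpdk_` pair points at the plain `kubeovn/kube-ovn` image tagged `{{ kube_ovn_version }}`. The pinger, monitor and non-DPDK openvswitch containers visible in the templates all consume `kube_ovn_container_image_repo`, so a default (non-DPDK) deployment would pull `kube-ovn-dpdk:19.11-v1.9.2` everywhere and the DPDK branch would get the non-DPDK image. The repos should be swapped back: `kube_ovn_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn"` with `kube_ovn_container_image_tag: "{{ kube_ovn_version }}"`, and `kube_ovn_dpdk_container_image_repo: "{{ docker_image_repo }}/kubeovn/kube-ovn-dpdk"` with the `kube_ovn_dpdk_version` tag. Pinning these by digest rather than mutable tag would additionally protect the CNI images from upstream tag moves.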


@ -166,7 +166,7 @@ kube_external_ca_mode: false
# Cluster Loglevel configuration # Cluster Loglevel configuration
kube_log_level: 2 kube_log_level: 2
# Choose network plugin (cilium, calico, weave or flannel) # Choose network plugin (cilium, calico, kube-ovn, weave or flannel. Use cni for generic cni plugin)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: calico kube_network_plugin: calico
kube_network_plugin_multus: false kube_network_plugin_multus: false


@ -23,7 +23,66 @@ kube_ovn_monitor_memory_request: 200Mi
kube_ovn_monitor_cpu_request: 200m kube_ovn_monitor_cpu_request: 200m
kube_ovn_monitor_memory_limit: 200Mi kube_ovn_monitor_memory_limit: 200Mi
kube_ovn_monitor_cpu_limit: 200m kube_ovn_monitor_cpu_limit: 200m
kube_ovn_dpdk_node_cpu_request: 1000m
kube_ovn_dpdk_node_memory_request: 2Gi
kube_ovn_dpdk_node_cpu_limit: 1000m
kube_ovn_dpdk_node_memory_limit: 2Gi
traffic_mirror: true kube_ovn_central_replics: 1
encap_checksum: false kube_ovn_controller_replics: 1
enable_ssl: false
# geneve or vlan
kube_ovn_network_type: geneve
# geneve, vxlan or stt. ATTENTION: some networkpolicy cannot take effect when using vxlan and stt need custom compile ovs kernel module
kube_ovn_tunnel_type: geneve
## The nic to support container network can be a nic name or a group of regex separated by comma e.g: 'enp6s0f0,eth.*', if empty will use the nic that the default route use.
# kube_ovn_iface: eth1
## The MTU used by pod iface in overlay networks (default iface MTU - 100)
# kube_ovn_mtu: 1333
## Enable hw-offload, disable traffic mirror and set the iface to the physical port. Make sure that there is an IP address bind to the physical port.
kube_ovn_hw_offload: false
# traffic mirror
kube_ovn_traffic_mirror: false
# kube_ovn_pool_cidr_ipv6: fd85:ee78:d8a6:8607::1:0000/112
# kube_ovn_default_interface_name: eth0
kube_ovn_external_address: 8.8.8.8
kube_ovn_external_address_ipv6: 2400:3200::1
kube_ovn_external_dns: alauda.cn
# kube_ovn_default_gateway: 10.233.64.1,fd85:ee78:d8a6:8607::1:0
kube_ovn_default_gateway_check: true
kube_ovn_default_logical_gateway: false
# kube_ovn_default_exclude_ips: 10.16.0.1
kube_ovn_node_switch_cidr: 100.64.0.0/16
kube_ovn_node_switch_cidr_ipv6: fd00:100:64::/64
## vlan config, set default interface name and vlan id
# kube_ovn_default_interface_name: eth0
kube_ovn_default_vlan_id: 100
kube_ovn_vlan_name: product
## pod nic type, support: veth-pair or internal-port
kube_ovn_pod_nic_type: veth_pair
## Enable load balancer
kube_ovn_enable_lb: true
## Enable network policy support
kube_ovn_enable_np: true
## Enable external vpc support
kube_ovn_enable_external_vpc: true
## Enable checksum
kube_ovn_encap_checksum: true
## enable ssl
kube_ovn_enable_ssl: false
## dpdk
kube_ovn_dpdk_enabled: false
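Review bot: `kube_ovn_enable_ssl: false` ships the OVN northbound/southbound databases (the ovn-nb/ovn-sb Services on 6641/6642 in ovn.yml.j2) without TLS, and since ovsdb-server's only authentication mechanism is TLS client certificates, any workload that can reach those ClusterIPs then talks to the network control-plane database in plaintext and effectively unauthenticated; the file should say so next to the flag, e.g. `## enable ssl -- when false the OVN NB/SB databases accept unencrypted, unauthenticated connections from anything that can reach their Services`. `kube_ovn_central_replics` and `kube_ovn_controller_replics` are misspelled and are now consumed by both templates, so fixing the name later becomes a breaking change for inventories; `kube_ovn_central_replicas` / `kube_ovn_controller_replicas` is the conventional spelling.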


@ -61,6 +61,8 @@ spec:
type: string type: string
containerID: containerID:
type: string type: string
podType:
type: string
scope: Cluster scope: Cluster
names: names:
plural: ips plural: ips
@ -138,6 +140,10 @@ spec:
type: number type: number
activateGateway: activateGateway:
type: string type: string
dhcpV4OptionsUUID:
type: string
dhcpV6OptionsUUID:
type: string
conditions: conditions:
type: array type: array
items: items:
@ -164,6 +170,10 @@ spec:
type: boolean type: boolean
protocol: protocol:
type: string type: string
enum:
- IPv4
- IPv6
- Dual
cidrBlock: cidrBlock:
type: string type: string
namespaces: namespaces:
@ -178,6 +188,10 @@ spec:
type: array type: array
items: items:
type: string type: string
vips:
type: array
items:
type: string
gatewayType: gatewayType:
type: string type: string
allowSubnets: allowSubnets:
@ -208,10 +222,48 @@ spec:
type: boolean type: boolean
vlan: vlan:
type: string type: string
logicalGateway:
type: boolean
disableGatewayCheck: disableGatewayCheck:
type: boolean type: boolean
disableInterConnection: disableInterConnection:
type: boolean type: boolean
enableDHCP:
type: boolean
dhcpV4Options:
type: string
dhcpV6Options:
type: string
enableIPv6RA:
type: boolean
ipv6RAConfigs:
type: string
htbqos:
type: string
acls:
type: array
items:
type: object
properties:
direction:
type: string
enum:
- from-lport
- to-lport
priority:
type: integer
minimum: 0
maximum: 32767
match:
type: string
action:
type: string
enum:
- allow-related
- allow-stateless
- allow
- drop
- reject
scope: Cluster scope: Cluster
names: names:
plural: subnets plural: subnets
@ -230,6 +282,8 @@ spec:
- name: v1 - name: v1
served: true served: true
storage: true storage: true
subresources:
status: {}
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@ -283,6 +337,8 @@ spec:
- name: v1 - name: v1
served: true served: true
storage: true storage: true
subresources:
status: {}
schema: schema:
openAPIV3Schema: openAPIV3Schema:
type: object type: object
@ -407,6 +463,28 @@ spec:
type: string type: string
type: object type: object
type: array type: array
policyRoutes:
items:
properties:
priority:
type: integer
action:
type: string
match:
type: string
nextHopIP:
type: string
type: object
type: array
vpcPeerings:
items:
properties:
remoteVpc:
type: string
localConnectIP:
type: string
type: object
type: array
type: object type: object
status: status:
properties: properties:
@ -439,6 +517,10 @@ spec:
items: items:
type: string type: string
type: array type: array
vpcPeerings:
items:
type: string
type: array
tcpLoadBalancer: tcpLoadBalancer:
type: string type: string
tcpSessionLoadBalancer: tcpSessionLoadBalancer:
@ -545,6 +627,10 @@ spec:
type: string type: string
vpc: vpc:
type: string type: string
selector:
type: array
items:
type: string
subresources: subresources:
status: {} status: {}
conversion: conversion:
@ -642,3 +728,34 @@ spec:
status: {} status: {}
conversion: conversion:
strategy: None strategy: None
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: htbqoses.kubeovn.io
spec:
group: kubeovn.io
versions:
- name: v1
served: true
storage: true
additionalPrinterColumns:
- name: PRIORITY
type: string
jsonPath: .spec.priority
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
priority:
type: string # Value in range 0 to 4,294,967,295.
scope: Cluster
names:
plural: htbqoses
singular: htbqos
kind: HtbQos
shortNames:
- htbqos
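Review bot: The new `htbqoses.kubeovn.io` CRD types `spec.priority` as a free-form string while the trailing comment says the value must lie in 0 to 4,294,967,295; nothing in the schema enforces that, so a non-numeric or out-of-range priority is accepted by the API server and only fails later in the controller. If the type has to stay `string` for upstream compatibility, a `pattern: '^[0-9]+$'` on the property would at least reject non-numeric values at admission time; otherwise `type: integer` with `minimum: 0` and `maximum: 4294967295`, as the `acls[].priority` entry added to the subnets CRD in this same file already does, is the cleaner schema. This CRD looks synced from upstream kube-ovn, so the change is better carried there and re-synced.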


@ -8,7 +8,7 @@ metadata:
kubernetes.io/description: | kubernetes.io/description: |
kube-ovn controller kube-ovn controller
spec: spec:
replicas: 1 replicas: {{ kube_ovn_controller_replics }}
selector: selector:
matchLabels: matchLabels:
app: kube-ovn-controller app: kube-ovn-controller
@ -43,14 +43,26 @@ spec:
command: command:
- /kube-ovn/start-controller.sh - /kube-ovn/start-controller.sh
args: args:
- --default-cidr={{ kube_pods_subnet }} - --default-cidr={{ kube_pods_subnet }}{% if enable_dual_stack_networks %},{{ kube_ovn_pool_cidr_ipv6 | default(kube_pods_subnet_ipv6) }}{% endif %}{{''}}
- --pod-nic-type=veth-pair - --default-gateway={% if kube_ovn_default_gateway is defined %}{{ kube_ovn_default_gateway }}{% endif %}{{''}}
- --enable-lb=true - --default-gateway-check={{ kube_ovn_default_gateway_check|string }}
- --enable-np=true - --default-logical-gateway={{ kube_ovn_default_logical_gateway|string }}
- --enable-external-vpc=true - --default-exclude-ips={% if kube_ovn_default_exclude_ips is defined %}{{ kube_ovn_default_exclude_ips }}{% endif %}{{''}}
- --node-switch-cidr={{ kube_ovn_node_switch_cidr }}{% if enable_dual_stack_networks %},{{ kube_ovn_node_switch_cidr_ipv6 }}{% endif %}{{''}}
- --service-cluster-ip-range={{ kube_service_addresses }}{% if enable_dual_stack_networks %},{{ kube_service_addresses_ipv6 }}{% endif %}{{''}}
- --network-type={{ kube_ovn_network_type }}
- --default-interface-name={{ kube_ovn_default_interface_name|default('') }}
- --default-vlan-id={{ kube_ovn_default_vlan_id }}
- --pod-nic-type={{ kube_ovn_pod_nic_type }}
- --enable-lb={{ kube_ovn_enable_lb|string }}
- --enable-np={{ kube_ovn_enable_np|string }}
- --enable-external-vpc={{ kube_ovn_enable_external_vpc|string }}
- --logtostderr=false
- --alsologtostderr=true
- --log_file=/var/log/kube-ovn/kube-ovn-controller.log
env: env:
- name: ENABLE_SSL - name: ENABLE_SSL
value: "{{ enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
- name: POD_NAME - name: POD_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
@ -66,20 +78,20 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /etc/localtime - mountPath: /etc/localtime
name: localtime name: localtime
- mountPath: /var/log/kube-ovn
name: kube-ovn-log
- mountPath: /var/run/tls - mountPath: /var/run/tls
name: kube-ovn-tls name: kube-ovn-tls
readinessProbe: readinessProbe:
exec: exec:
command: command:
- bash - /kube-ovn/kube-ovn-controller-healthcheck
- /kube-ovn/kube-ovn-controller-healthcheck.sh
periodSeconds: 3 periodSeconds: 3
timeoutSeconds: 45 timeoutSeconds: 45
livenessProbe: livenessProbe:
exec: exec:
command: command:
- bash - /kube-ovn/kube-ovn-controller-healthcheck
- /kube-ovn/kube-ovn-controller-healthcheck.sh
initialDelaySeconds: 300 initialDelaySeconds: 300
periodSeconds: 7 periodSeconds: 7
failureThreshold: 5 failureThreshold: 5
@ -97,10 +109,14 @@ spec:
- name: localtime - name: localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
- name: kube-ovn-log
hostPath:
path: /var/log/kube-ovn
- name: kube-ovn-tls - name: kube-ovn-tls
secret: secret:
optional: true optional: true
secretName: kube-ovn-tls secretName: kube-ovn-tls
--- ---
kind: DaemonSet kind: DaemonSet
apiVersion: apps/v1 apiVersion: apps/v1
@ -146,15 +162,24 @@ spec:
- bash - bash
- /kube-ovn/start-cniserver.sh - /kube-ovn/start-cniserver.sh
args: args:
- --enable-mirror={{ traffic_mirror | lower }} - --enable-mirror={{ kube_ovn_traffic_mirror | lower }}
- --encap-checksum={{ encap_checksum | lower }} - --encap-checksum={{ kube_ovn_encap_checksum | lower }}
- --service-cluster-ip-range={{ kube_service_addresses }} - --service-cluster-ip-range={{ kube_service_addresses }}{% if enable_dual_stack_networks %},{{ kube_service_addresses_ipv6 }}{% endif %}{{''}}
- --iface={{ kube_ovn_iface|default('') }}
- --network-type={{ kube_ovn_network_type }}
- --default-interface-name={{ kube_ovn_default_interface_name|default('') }}
{% if kube_ovn_mtu is defined %}
- --mtu={{ kube_ovn_mtu }}
{% endif %}
- --logtostderr=false
- --alsologtostderr=true
- --log_file=/var/log/kube-ovn/kube-ovn-cni.log
securityContext: securityContext:
runAsUser: 0 runAsUser: 0
privileged: true privileged: true
env: env:
- name: ENABLE_SSL - name: kube_ovn_enable_ssl
value: "{{ enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
- name: POD_IP - name: POD_IP
valueFrom: valueFrom:
fieldRef: fieldRef:
@ -175,6 +200,8 @@ spec:
- mountPath: /var/run/netns - mountPath: /var/run/netns
name: host-ns name: host-ns
mountPropagation: HostToContainer mountPropagation: HostToContainer
- mountPath: /var/log/kube-ovn
name: kube-ovn-log
- mountPath: /etc/localtime - mountPath: /etc/localtime
name: localtime name: localtime
readinessProbe: readinessProbe:
@ -186,6 +213,7 @@ spec:
- 127.0.0.1 - 127.0.0.1
- "10665" - "10665"
periodSeconds: 3 periodSeconds: 3
timeoutSeconds: 5
livenessProbe: livenessProbe:
exec: exec:
command: command:
@ -197,6 +225,7 @@ spec:
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 7 periodSeconds: 7
failureThreshold: 5 failureThreshold: 5
timeoutSeconds: 5
resources: resources:
requests: requests:
cpu: {{ kube_ovn_cni_server_cpu_request }} cpu: {{ kube_ovn_cni_server_cpu_request }}
@ -225,6 +254,9 @@ spec:
- name: host-ns - name: host-ns
hostPath: hostPath:
path: /var/run/netns path: /var/run/netns
- name: kube-ovn-log
hostPath:
path: /var/log/kube-ovn
- name: localtime - name: localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
@ -251,21 +283,26 @@ spec:
component: network component: network
type: infra type: infra
spec: spec:
tolerations:
- operator: Exists
serviceAccountName: ovn serviceAccountName: ovn
hostPID: true hostPID: true
containers: containers:
- name: pinger - name: pinger
image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }} image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
command: ["/kube-ovn/kube-ovn-pinger", "--external-address=114.114.114.114"] command:
- /kube-ovn/kube-ovn-pinger
args:
- --external-address={{ kube_ovn_external_address }}{% if enable_dual_stack_networks %},{{ kube_ovn_external_address_ipv6 }}{% endif %}{{''}}
- --external-dns={{ kube_ovn_external_dns }}
- --logtostderr=false
- --alsologtostderr=true
- --log_file=/var/log/kube-ovn/kube-ovn-pinger.log
securityContext: securityContext:
runAsUser: 0 runAsUser: 0
privileged: false privileged: false
env: env:
- name: ENABLE_SSL - name: ENABLE_SSL
value: "{{ enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
- name: POD_IP - name: POD_IP
valueFrom: valueFrom:
fieldRef: fieldRef:
@ -301,6 +338,8 @@ spec:
name: host-log-ovs name: host-log-ovs
- mountPath: /var/log/ovn - mountPath: /var/log/ovn
name: host-log-ovn name: host-log-ovn
- mountPath: /var/log/kube-ovn
name: kube-ovn-log
- mountPath: /etc/localtime - mountPath: /etc/localtime
name: localtime name: localtime
- mountPath: /var/run/tls - mountPath: /var/run/tls
@ -333,6 +372,9 @@ spec:
- name: host-log-ovs - name: host-log-ovs
hostPath: hostPath:
path: /var/log/openvswitch path: /var/log/openvswitch
- name: kube-ovn-log
hostPath:
path: /var/log/kube-ovn
- name: host-log-ovn - name: host-log-ovn
hostPath: hostPath:
path: /var/log/ovn path: /var/log/ovn
@ -356,7 +398,7 @@ spec:
replicas: 1 replicas: 1
strategy: strategy:
rollingUpdate: rollingUpdate:
maxSurge: 0 maxSurge: 1
maxUnavailable: 1 maxUnavailable: 1
type: RollingUpdate type: RollingUpdate
selector: selector:
@ -380,6 +422,7 @@ spec:
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: ovn serviceAccountName: ovn
hostNetwork: true
containers: containers:
- name: kube-ovn-monitor - name: kube-ovn-monitor
image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }} image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}
@ -390,7 +433,7 @@ spec:
privileged: false privileged: false
env: env:
- name: ENABLE_SSL - name: ENABLE_SSL
value: "{{ enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
- name: KUBE_NODE_NAME - name: KUBE_NODE_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
@ -407,9 +450,6 @@ spec:
name: host-run-ovs name: host-run-ovs
- mountPath: /var/run/ovn - mountPath: /var/run/ovn
name: host-run-ovn name: host-run-ovn
- mountPath: /sys
name: host-sys
readOnly: true
- mountPath: /etc/openvswitch - mountPath: /etc/openvswitch
name: host-config-openvswitch name: host-config-openvswitch
- mountPath: /etc/ovn - mountPath: /etc/ovn
@ -427,13 +467,13 @@ spec:
command: command:
- cat - cat
- /var/run/ovn/ovnnb_db.pid - /var/run/ovn/ovnnb_db.pid
periodSeconds: 3 periodSeconds: 10
timeoutSeconds: 45 timeoutSeconds: 45
livenessProbe: livenessProbe:
exec: exec:
command: command:
- cat - cat
- /var/run/ovn/ovn-nbctl.pid - /var/run/ovn/ovnnb_db.pid
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 10 periodSeconds: 10
failureThreshold: 5 failureThreshold: 5
@ -448,9 +488,6 @@ spec:
- name: host-run-ovn - name: host-run-ovn
hostPath: hostPath:
path: /run/ovn path: /run/ovn
- name: host-sys
hostPath:
path: /sys
- name: host-config-openvswitch - name: host-config-openvswitch
hostPath: hostPath:
path: /etc/origin/openvswitch path: /etc/origin/openvswitch
@ -483,6 +520,9 @@ spec:
- name: metrics - name: metrics
port: 10661 port: 10661
type: ClusterIP type: ClusterIP
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector: selector:
app: kube-ovn-monitor app: kube-ovn-monitor
sessionAffinity: None sessionAffinity: None
@ -495,6 +535,9 @@ metadata:
labels: labels:
app: kube-ovn-pinger app: kube-ovn-pinger
spec: spec:
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector: selector:
app: kube-ovn-pinger app: kube-ovn-pinger
ports: ports:
@ -509,6 +552,9 @@ metadata:
labels: labels:
app: kube-ovn-controller app: kube-ovn-controller
spec: spec:
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector: selector:
app: kube-ovn-controller app: kube-ovn-controller
ports: ports:
@ -523,6 +569,9 @@ metadata:
labels: labels:
app: kube-ovn-cni app: kube-ovn-cni
spec: spec:
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector: selector:
app: kube-ovn-cni app: kube-ovn-cni
ports: ports:
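Review bot: In the kube-ovn-cni DaemonSet the SSL environment variable was renamed along with the Ansible variable — `- name: kube_ovn_enable_ssl` — while every other component in this template and in ovn.yml.j2 still exports `ENABLE_SSL`; if start-cniserver.sh reads `ENABLE_SSL` like the rest of kube-ovn, the cni-server keeps talking to OVN without TLS even when `kube_ovn_enable_ssl: true`, silently defeating the setting for exactly the component that runs privileged on every node. The line should be `- name: ENABLE_SSL`. The same section also mounts the host's `/var/log/kube-ovn` writable into the controller, cni-server and pinger pods with no `type` on the hostPath; giving it `type: DirectoryOrCreate`, as the DPDK `host-config-ovs` volume in ovn.yml.j2 does, would make the expectation explicit rather than relying on kubelet behaviour.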


@ -1,40 +1,10 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: kube-ovn
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: ovn-config name: ovn-config
namespace: kube-system namespace: kube-system
data: data:
defaultNetworkType: geneve defaultNetworkType: '{{ kube_ovn_network_type }}'
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@ -49,29 +19,27 @@ metadata:
rbac.authorization.k8s.io/system-only: "true" rbac.authorization.k8s.io/system-only: "true"
name: system:ovn name: system:ovn
rules: rules:
- apiGroups: - apiGroups: ['policy']
- policy resources: ['podsecuritypolicies']
resources: verbs: ['use']
- podsecuritypolicies
verbs:
- use
resourceNames: resourceNames:
- kube-ovn - kube-ovn
- apiGroups: - apiGroups:
- "kubeovn.io" - "kubeovn.io"
resources: resources:
- subnets
- subnets/status
- vpcs - vpcs
- vpcs/status - vpcs/status
- vpc-nat-gateways - vpc-nat-gateways
- subnets
- subnets/status
- ips - ips
- vlans - vlans
- vlans/status
- provider-networks - provider-networks
- provider-networks/status - provider-networks/status
- networks
- security-groups - security-groups
- security-groups/status - security-groups/status
- htbqoses
verbs: verbs:
- "*" - "*"
- apiGroups: - apiGroups:
@ -111,6 +79,7 @@ rules:
- statefulsets - statefulsets
- daemonsets - daemonsets
- deployments - deployments
- deployments/scale
verbs: verbs:
- create - create
- delete - delete
@ -127,6 +96,24 @@ rules:
- create - create
- patch - patch
- update - update
- apiGroups:
- "k8s.cni.cncf.io"
resources:
- network-attachment-definitions
verbs:
- create
- delete
- get
- list
- update
- apiGroups:
- "kubevirt.io"
resources:
- virtualmachines
- virtualmachineinstances
verbs:
- get
- list
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
@ -153,6 +140,9 @@ spec:
port: 6641 port: 6641
targetPort: 6641 targetPort: 6641
type: ClusterIP type: ClusterIP
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector: selector:
app: ovn-central app: ovn-central
ovn-nb-leader: "true" ovn-nb-leader: "true"
@ -170,6 +160,9 @@ spec:
port: 6642 port: 6642
targetPort: 6642 targetPort: 6642
type: ClusterIP type: ClusterIP
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector: selector:
app: ovn-central app: ovn-central
ovn-sb-leader: "true" ovn-sb-leader: "true"
@ -187,6 +180,9 @@ spec:
port: 6643 port: 6643
targetPort: 6643 targetPort: 6643
type: ClusterIP type: ClusterIP
{% if enable_dual_stack_networks %}
ipFamilyPolicy: PreferDualStack
{% endif %}
selector: selector:
app: ovn-central app: ovn-central
ovn-northd-leader: "true" ovn-northd-leader: "true"
@ -201,7 +197,7 @@ metadata:
kubernetes.io/description: | kubernetes.io/description: |
OVN components: northd, nb and sb. OVN components: northd, nb and sb.
spec: spec:
replicas: 1 replicas: {{ kube_ovn_central_replics }}
strategy: strategy:
rollingUpdate: rollingUpdate:
maxSurge: 0 maxSurge: 0
@ -218,7 +214,7 @@ spec:
type: infra type: infra
spec: spec:
tolerations: tolerations:
- operator: Exists - operator: Exists
affinity: affinity:
podAntiAffinity: podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
@ -239,7 +235,7 @@ spec:
add: ["SYS_NICE"] add: ["SYS_NICE"]
env: env:
- name: ENABLE_SSL - name: ENABLE_SSL
value: "{{ enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
- name: POD_IP - name: POD_IP
valueFrom: valueFrom:
fieldRef: fieldRef:
@ -284,7 +280,7 @@ spec:
command: command:
- bash - bash
- /kube-ovn/ovn-is-leader.sh - /kube-ovn/ovn-is-leader.sh
periodSeconds: 3 periodSeconds: 15
timeoutSeconds: 45 timeoutSeconds: 45
livenessProbe: livenessProbe:
exec: exec:
@ -292,7 +288,7 @@ spec:
- bash - bash
- /kube-ovn/ovn-healthcheck.sh - /kube-ovn/ovn-healthcheck.sh
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 7 periodSeconds: 15
failureThreshold: 5 failureThreshold: 5
timeoutSeconds: 45 timeoutSeconds: 45
nodeSelector: nodeSelector:
@ -350,28 +346,33 @@ spec:
type: infra type: infra
spec: spec:
tolerations: tolerations:
- operator: Exists - operator: Exists
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: ovn serviceAccountName: ovn
hostNetwork: true hostNetwork: true
hostPID: true hostPID: true
containers: containers:
- name: openvswitch - name: openvswitch
image: {{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }} image: {% if kube_ovn_dpdk_enabled %}{{ kube_ovn_dpdk_container_image_repo }}:{{ kube_ovn_dpdk_container_image_tag }}{% else %}{{ kube_ovn_container_image_repo }}:{{ kube_ovn_container_image_tag }}{% endif %}
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
command: ["/kube-ovn/start-ovs.sh"] command: [{% if kube_ovn_dpdk_enabled %}"/kube-ovn/start-ovs-dpdk.sh"{% else %}"/kube-ovn/start-ovs.sh"{% endif %}]
securityContext: securityContext:
runAsUser: 0 runAsUser: 0
privileged: true privileged: true
env: env:
- name: ENABLE_SSL - name: ENABLE_SSL
value: "{{ enable_ssl | lower }}" value: "{{ kube_ovn_enable_ssl | lower }}"
- name: POD_IP - name: POD_IP
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: status.podIP fieldPath: status.podIP
{% if not kube_ovn_dpdk_enabled %}
- name: HW_OFFLOAD - name: HW_OFFLOAD
value: "false" value: "{{ kube_ovn_hw_offload }}"
- name: TUNNEL_TYPE
value: "{{ kube_ovn_tunnel_type }}"
{% endif %}
- name: KUBE_NODE_NAME - name: KUBE_NODE_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
@ -397,6 +398,12 @@ spec:
name: host-log-ovs name: host-log-ovs
- mountPath: /var/log/ovn - mountPath: /var/log/ovn
name: host-log-ovn name: host-log-ovn
{% if kube_ovn_dpdk_enabled %}
- mountPath: /opt/ovs-config
name: host-config-ovs
- mountPath: /dev/hugepages
name: hugepage
{% endif %}
- mountPath: /etc/localtime - mountPath: /etc/localtime
name: localtime name: localtime
- mountPath: /var/run/tls - mountPath: /var/run/tls
@ -405,25 +412,43 @@ spec:
exec: exec:
command: command:
- bash - bash
{% if kube_ovn_dpdk_enabled %}
- /kube-ovn/ovs-dpdk-healthcheck.sh
{% else %}
- /kube-ovn/ovs-healthcheck.sh - /kube-ovn/ovs-healthcheck.sh
{% endif %}
periodSeconds: 5 periodSeconds: 5
timeoutSeconds: 45 timeoutSeconds: 45
livenessProbe: livenessProbe:
exec: exec:
command: command:
- bash - bash
{% if kube_ovn_dpdk_enabled %}
- /kube-ovn/ovs-dpdk-healthcheck.sh
{% else %}
- /kube-ovn/ovs-healthcheck.sh - /kube-ovn/ovs-healthcheck.sh
{% endif %}
initialDelaySeconds: 10 initialDelaySeconds: 10
periodSeconds: 5 periodSeconds: 5
failureThreshold: 5 failureThreshold: 5
timeoutSeconds: 45 timeoutSeconds: 45
resources: resources:
{% if kube_ovn_dpdk_enabled %}
requests:
cpu: {{ kube_ovn_dpdk_node_cpu_request }}
memory: {{ kube_ovn_dpdk_node_memory_request }}
limits:
cpu: {{ kube_ovn_dpdk_node_cpu_limit }}
memory: {{ kube_ovn_dpdk_node_memory_limit }}
hugepages-1Gi: 1Gi
{% else %}
requests: requests:
cpu: {{ kube_ovn_node_cpu_request }} cpu: {{ kube_ovn_node_cpu_request }}
memory: {{ kube_ovn_node_memory_request }} memory: {{ kube_ovn_node_memory_request }}
limits: limits:
cpu: {{ kube_ovn_node_cpu_limit }} cpu: {{ kube_ovn_node_cpu_limit }}
memory: {{ kube_ovn_node_memory_limit }} memory: {{ kube_ovn_node_memory_limit }}
{% endif %}
nodeSelector: nodeSelector:
kubernetes.io/os: "linux" kubernetes.io/os: "linux"
volumes: volumes:
@ -454,6 +479,15 @@ spec:
- name: host-log-ovn - name: host-log-ovn
hostPath: hostPath:
path: /var/log/ovn path: /var/log/ovn
{% if kube_ovn_dpdk_enabled %}
- name: host-config-ovs
hostPath:
path: /opt/ovs-config
type: DirectoryOrCreate
- name: hugepage
emptyDir:
medium: HugePages
{% endif %}
- name: localtime - name: localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
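Review bot: The `kube-ovn` PodSecurityPolicy is deleted from the top of this template, but the `system:ovn` ClusterRole a few lines below still grants `use` on `podsecuritypolicies` with `resourceNames: [kube-ovn]`, referencing an object that is never created; and on clusters where PSP admission is enabled, the `privileged: true`, `hostNetwork`/`hostPID` DaemonSets in this file have no policy to be admitted under unless something else provides one. Either keep the PSP behind a conditional on the cluster's PSP setting or drop the stale rule together with it, and state in the commit message that PSP-enabled clusters must supply their own policy. Separately, `HW_OFFLOAD` is rendered as `value: "{{ kube_ovn_hw_offload }}"` without the `| lower` filter every other boolean in the template uses, so Ansible emits `"False"`/`"True"`; if start-ovs.sh compares against the lowercase string, setting `kube_ovn_hw_offload: true` would silently do nothing — `value: "{{ kube_ovn_hw_offload | lower }}"`.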