--- kind: DaemonSet apiVersion: apps/v1 metadata: name: canal-node namespace: kube-system labels: k8s-app: canal-node spec: selector: matchLabels: k8s-app: canal-node template: metadata: labels: k8s-app: canal-node spec: priorityClassName: system-node-critical hostNetwork: true dnsPolicy: ClusterFirstWithHostNet serviceAccountName: canal tolerations: - operator: Exists volumes: # Used by calico/node. - name: lib-modules hostPath: path: /lib/modules - name: var-lib-calico hostPath: path: /var/lib/calico - name: var-run-calico hostPath: path: /var/run/calico # Used to install CNI. - name: cni-bin-dir hostPath: path: /opt/cni/bin - name: cni-net-dir hostPath: path: /etc/cni/net.d # Used by flannel daemon. - name: run-flannel hostPath: path: /run/flannel - name: resolv hostPath: path: /etc/resolv.conf - name: "canal-certs" hostPath: path: "{{ canal_cert_dir }}" - name: xtables-lock hostPath: path: /run/xtables.lock type: FileOrCreate {% if calico_version is version('v3.4.0', '>=') %} initContainers: # This container installs the Calico CNI binaries # and CNI network config file on each node. - name: install-cni image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} command: ["/install-cni.sh"] env: # Name of the CNI config file to create. - name: CNI_CONF_NAME value: "10-canal.conflist" # Install CNI binaries - name: UPDATE_CNI_BINARIES value: "true" # The CNI network config to install on each node. - name: CNI_NETWORK_CONFIG_FILE value: "/host/etc/cni/net.d/canal.conflist.template" # Prevents the container from sleeping forever. - name: SLEEP value: "false" volumeMounts: - mountPath: /host/etc/cni/net.d name: cni-net-dir - mountPath: /host/opt/cni/bin name: cni-bin-dir {% endif %} containers: {% if calico_version is version('v3.3.0', '>=') and calico_version is version('v3.4.0', '<') %} - name: install-cni image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} command: ["/install-cni.sh"] env: # Name of the CNI config file to create. - name: CNI_CONF_NAME value: "10-canal.conflist" # Install CNI binaries - name: UPDATE_CNI_BINARIES value: "true" # The CNI network config to install on each node. - name: CNI_NETWORK_CONFIG_FILE value: "/host/etc/cni/net.d/canal.conflist.template" volumeMounts: - mountPath: /host/etc/cni/net.d name: cni-net-dir - mountPath: /host/opt/cni/bin name: cni-bin-dir {% endif %} # Runs the flannel daemon to enable vxlan networking between # container hosts. - name: flannel image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}" imagePullPolicy: {{ k8s_image_pull_policy }} resources: limits: cpu: {{ flannel_cpu_limit }} memory: {{ flannel_memory_limit }} requests: cpu: {{ flannel_cpu_requests }} memory: {{ flannel_memory_requests }} env: # Cluster name - name: CLUSTER_NAME valueFrom: configMapKeyRef: name: canal-config key: cluster_name # The location of the etcd cluster. - name: FLANNELD_ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: canal-config key: etcd_endpoints # The interface flannel should run on. - name: FLANNELD_IFACE valueFrom: configMapKeyRef: name: canal-config key: flanneld_iface # Perform masquerade on traffic leaving the pod cidr. - name: FLANNELD_IP_MASQ valueFrom: configMapKeyRef: name: canal-config key: masquerade # Set etcd-prefix - name: DOCKER_OPT_ETCD_PREFIX value: "-etcd-prefix=/$(CLUSTER_NAME)/network" # Write the subnet.env file to the mounted directory. - name: FLANNELD_SUBNET_FILE value: "/run/flannel/subnet.env" # Etcd SSL vars - name: ETCD_CA_CERT_FILE valueFrom: configMapKeyRef: name: canal-config key: etcd_cafile - name: ETCD_CERT_FILE valueFrom: configMapKeyRef: name: canal-config key: etcd_certfile - name: ETCD_KEY_FILE valueFrom: configMapKeyRef: name: canal-config key: etcd_keyfile command: - "/bin/sh" - "-c" - "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network -etcd-cafile $(ETCD_CA_CERT_FILE) -etcd-certfile $(ETCD_CERT_FILE) -etcd-keyfile $(ETCD_KEY_FILE)" ports: - hostPort: 10253 containerPort: 10253 securityContext: privileged: true volumeMounts: - name: "resolv" mountPath: "/etc/resolv.conf" - name: "run-flannel" mountPath: "/run/flannel" - name: "canal-certs" mountPath: "{{ canal_cert_dir }}" readOnly: true - name: xtables-lock mountPath: /run/xtables.lock readOnly: false # Runs calico/node container on each Kubernetes node. This # container programs network policy and local routes on each # host. - name: calico-node image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}" imagePullPolicy: {{ k8s_image_pull_policy }} resources: limits: cpu: {{ calico_node_cpu_limit }} memory: {{ calico_node_memory_limit }} requests: cpu: {{ calico_node_cpu_requests }} memory: {{ calico_node_memory_requests }} env: # The location of the etcd cluster. - name: ETCD_ENDPOINTS valueFrom: configMapKeyRef: name: canal-config key: etcd_endpoints # Disable Calico BGP. Calico is simply enforcing policy. - name: CALICO_NETWORKING_BACKEND value: "none" # Cluster type to identify the deployment type - name: CLUSTER_TYPE value: "kubespray,canal" # Disable file logging so `kubectl logs` works. - name: CALICO_DISABLE_FILE_LOGGING value: "true" # Set noderef for node controller. - name: CALICO_K8S_NODE_REF valueFrom: fieldRef: fieldPath: spec.nodeName - name: FELIX_HEALTHENABLED value: "true" # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used, # this is not required in later versions https://github.com/projectcalico/calico/issues/2179 {% if calico_version is version('v3.2.1', '<') %} - name: FELIX_IPTABLESLOCKTIMEOUTSECS value: "10" {% endif %} # Disable IPv6 on Kubernetes. - name: FELIX_IPV6SUPPORT value: "false" # Etcd SSL vars - name: ETCD_CA_CERT_FILE valueFrom: configMapKeyRef: name: canal-config key: etcd_cafile - name: ETCD_CERT_FILE valueFrom: configMapKeyRef: name: canal-config key: etcd_certfile - name: ETCD_KEY_FILE valueFrom: configMapKeyRef: name: canal-config key: etcd_keyfile - name: NODENAME valueFrom: fieldRef: fieldPath: spec.nodeName securityContext: privileged: true livenessProbe: httpGet: host: 127.0.0.1 path: /liveness port: 9099 periodSeconds: 10 initialDelaySeconds: 5 failureThreshold: 6 readinessProbe: {% if calico_version is version('v3.3.0', '<')%} httpGet: host: 127.0.0.1 path: /readiness port: 9099 {% else %} exec: command: - /bin/calico-node - -felix-ready {% endif %} periodSeconds: 10 volumeMounts: - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /var/run/calico name: var-run-calico readOnly: false - mountPath: /var/lib/calico name: var-lib-calico readOnly: false - name: "canal-certs" mountPath: "{{ canal_cert_dir }}" readOnly: true - name: xtables-lock mountPath: /run/xtables.lock readOnly: false updateStrategy: rollingUpdate: maxUnavailable: {{ serial | default('20%') }} type: RollingUpdate