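---
# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
#
# Security posture of this pod, as written below: it runs privileged, on the
# host network, and is handed the etcd client TLS material from a hostPath.
# Keep every hostPath mount as narrow and as read-only as calico/node tolerates.
kind: DaemonSet
# NOTE(review): extensions/v1beta1 DaemonSets are deprecated upstream. apps/v1
# needs only the spec.selector already present here, but whether the oldest
# cluster version this template targets accepts apps/v1 is not visible from this
# file, so the apiVersion is left unchanged.
apiVersion: extensions/v1beta1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        # The etcd client certificate serial is baked into the pod template so
        # that a rotated client cert changes the template and rolls the
        # DaemonSet (a plain file change on the host would otherwise go unnoticed).
        kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}"
{% if calico_felix_prometheusmetricsenabled %}
        # NOTE(review): with hostNetwork: true this metrics port is opened on the
        # node's own interfaces and nothing in this manifest restricts who can
        # scrape it; consider FELIX_PROMETHEUSMETRICSHOST or a host firewall
        # rule if the node network is not trusted -- TODO confirm.
        prometheus.io/scrape: 'true'
        prometheus.io/port: "{{ calico_felix_prometheusmetricsport }}"
{% endif %}
    spec:
{% if kube_version is version('v1.11.1', '>=') %}
      priorityClassName: system-node-critical
{% endif %}
      hostNetwork: true
      serviceAccountName: calico-node
      tolerations:
        # Schedule on every node regardless of taints: calico/node is the
        # dataplane and must be present before other pods can get networking.
        - operator: Exists
        # Mark pod as critical for rescheduling (Will have no effect starting with kubernetes 1.12)
        - key: CriticalAddonsOnly
          operator: "Exists"
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      containers:
        # Runs calico/node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          # Quoted so an empty or odd-looking tag cannot change the YAML type
          # of the rendered value.
          image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}"
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Choose the backend to use.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cluster_type
            # Set noderef for node controller.
            - name: CALICO_K8S_NODE_REF
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Action Felix applies to traffic from a workload endpoint to the
            # host itself. The default used here is RETURN (hand the packet
            # back to the host's own iptables chains), NOT ACCEPT as an older
            # comment claimed; override via calico_endpoint_to_host_action.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "{{ calico_endpoint_to_host_action|default('RETURN') }}"
            # Address Felix binds its health endpoint to. The liveness and
            # readiness probes below hard-code 127.0.0.1:9099, so
            # calico_healthhost must agree with that address or the pod never
            # becomes ready.
            - name: FELIX_HEALTHHOST
              value: "{{ calico_healthhost }}"
            # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
            # this is not required in later versions https://github.com/projectcalico/calico/issues/2179
{% if calico_version is version('v3.2.1', '<') %}
            - name: FELIX_IPTABLESLOCKTIMEOUTSECS
              value: "10"
{% endif %}
            # should be set in etcd before deployment
            # # Configure the IP Pool from which Pod IPs will be chosen.
            # - name: CALICO_IPV4POOL_CIDR
            #   value: "192.168.0.0/16"
            - name: CALICO_IPV4POOL_IPIP
              value: "{{ calico_ipv4pool_ipip }}"
            # Disable IPv6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Set Felix logging to "info"
            - name: FELIX_LOGSEVERITYSCREEN
              value: "{{ calico_loglevel }}"
            # Set MTU for tunnel device used if ipip is enabled
{% if calico_mtu is defined %}
            - name: FELIX_IPINIPMTU
              value: "{{ calico_mtu }}"
{% endif %}
            # Prometheus exposure is controlled entirely by these four flags;
            # see the note on the scrape annotation above about the listener
            # being on the host network.
            - name: FELIX_PROMETHEUSMETRICSENABLED
              value: "{{ calico_felix_prometheusmetricsenabled }}"
            - name: FELIX_PROMETHEUSMETRICSPORT
              value: "{{ calico_felix_prometheusmetricsport }}"
            - name: FELIX_PROMETHEUSGOMETRICSENABLED
              value: "{{ calico_felix_prometheusgometricsenabled }}"
            - name: FELIX_PROMETHEUSPROCESSMETRICSENABLED
              value: "{{ calico_felix_prometheusprocessmetricsenabled }}"
            # The three ETCD_*_FILE values are file PATHS inside the container
            # (under the /calico-secrets mount), not the key material itself;
            # the ConfigMap therefore carries nothing sensitive.
            # Location of the CA certificate for etcd.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
            # IP_AUTODETECTION_METHOD is only consulted when IP=autodetect;
            # otherwise the kubelet-reported host IP is pinned explicitly.
{% if calico_ip_auto_method is defined %}
            - name: IP_AUTODETECTION_METHOD
              value: "{{ calico_ip_auto_method }}"
            - name: IP
              value: "autodetect"
{% else %}
            - name: IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
{% endif %}
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: FELIX_HEALTHENABLED
              value: "true"
            - name: FELIX_IGNORELOOSERPF
              value: "{{ calico_node_ignorelooserpf }}"
          # Privileged is needed to program iptables/routes on the host and to
          # load kernel modules from /lib/modules; there is no narrower
          # capability set in this manifest, so treat the container as
          # host-equivalent when reviewing what is mounted into it.
          securityContext:
            privileged: true
          resources:
            limits:
              cpu: "{{ calico_node_cpu_limit }}"
              memory: "{{ calico_node_memory_limit }}"
            requests:
              cpu: "{{ calico_node_cpu_requests }}"
              memory: "{{ calico_node_memory_requests }}"
          # Both probes hit Felix's health endpoint on loopback; presumably
          # 9099 is Felix's default health port -- confirm if it is ever
          # overridden, and keep FELIX_HEALTHHOST above in step.
          livenessProbe:
            httpGet:
              host: 127.0.0.1
              path: /liveness
              port: 9099
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          readinessProbe:
            httpGet:
              host: 127.0.0.1
              path: /readiness
              port: 9099
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /var/run/calico
              name: var-run-calico
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
            # etcd client cert/key/CA. calico/node only reads these, so the
            # mount is read-only: a compromised container must not be able to
            # tamper with the node's etcd identity on the host.
            - mountPath: /calico-secrets
              name: etcd-certs
              readOnly: true
            - name: xtables-lock
              mountPath: /run/xtables.lock
              readOnly: false
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        # Used to install CNI.
        # NOTE(review): neither cni-bin-dir nor cni-net-dir is mounted by the
        # calico-node container above, so these volumes are inert in this
        # manifest; they look like leftovers from an install-cni container.
        # Kept to avoid changing the rendered object -- TODO confirm they can go.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Mount in the etcd TLS secrets.
        - name: etcd-certs
          hostPath:
            path: "{{ calico_cert_dir }}"
        # Mount the global iptables lock file, used by calico/node
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
  updateStrategy:
    rollingUpdate:
      # Deliberately unquoted: maxUnavailable is an IntOrString, and a quoted
      # plain integer (e.g. "1") fails API validation, while 20% is a valid
      # percentage string either way.
      maxUnavailable: {{ serial | default('20%') }}
    type: RollingUpdate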