afbabebfd5
Since K8S 1.21, BoundServiceAccountTokenVolume feature gate is in beta stage, thus activated by default (anyone who follows CSI guidelines has enabled AllAlpha and faced the issue before 1.21). With this feature, SA tokens are regenerated every hour. As a consequence for Calico CNI, token in /etc/cni/net.d/calico-kubeconfig copied from /var/run/secrets/kubernetes.io/serviceaccount in install-cni initContainer expires after one hour and any pod creation fails due to unauthorization. Calico pods need to be restarted so that /etc/cni/net.d/calico-kubeconfig is updated with the new SA token.
379 lines
14 KiB
Django/Jinja
379 lines
14 KiB
Django/Jinja
---
|
|
# This manifest installs the calico/node container, as well
|
|
# as the Calico CNI plugins and network config on
|
|
# each master and worker node in a Kubernetes cluster.
|
|
kind: DaemonSet
|
|
apiVersion: apps/v1
|
|
metadata:
|
|
name: calico-node
|
|
namespace: kube-system
|
|
labels:
|
|
k8s-app: calico-node
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
k8s-app: calico-node
|
|
template:
|
|
metadata:
|
|
labels:
|
|
k8s-app: calico-node
|
|
annotations:
|
|
{% if calico_datastore == "etcd" %}
|
|
kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}"
|
|
{% endif %}
|
|
{% if calico_felix_prometheusmetricsenabled %}
|
|
prometheus.io/scrape: 'true'
|
|
prometheus.io/port: "{{ calico_felix_prometheusmetricsport }}"
|
|
{% endif %}
|
|
spec:
|
|
priorityClassName: system-node-critical
|
|
hostNetwork: true
|
|
serviceAccountName: calico-node
|
|
tolerations:
|
|
- operator: Exists
|
|
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
|
|
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
|
|
terminationGracePeriodSeconds: 0
|
|
initContainers:
|
|
{% if calico_datastore == "kdd" %}
|
|
# This container performs upgrade from host-local IPAM to calico-ipam.
|
|
# It can be deleted if this is a fresh installation, or if you have already
|
|
# upgraded to use calico-ipam.
|
|
- name: upgrade-ipam
|
|
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
|
command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
|
|
env:
|
|
- name: KUBERNETES_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
- name: CALICO_NETWORKING_BACKEND
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: calico-config
|
|
key: calico_backend
|
|
volumeMounts:
|
|
- mountPath: /var/lib/cni/networks
|
|
name: host-local-net-dir
|
|
- mountPath: /host/opt/cni/bin
|
|
name: cni-bin-dir
|
|
securityContext:
|
|
privileged: true
|
|
{% endif %}
|
|
# This container installs the Calico CNI binaries
|
|
# and CNI network config file on each node.
|
|
- name: install-cni
|
|
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
|
|
command: ["/opt/cni/bin/install"]
|
|
env:
|
|
# Name of the CNI config file to create.
|
|
- name: CNI_CONF_NAME
|
|
value: "10-calico.conflist"
|
|
# Install CNI binaries
|
|
- name: UPDATE_CNI_BINARIES
|
|
value: "true"
|
|
# The CNI network config to install on each node.
|
|
- name: CNI_NETWORK_CONFIG_FILE
|
|
value: "/host/etc/cni/net.d/calico.conflist.template"
|
|
# Prevents the container from sleeping forever.
|
|
- name: SLEEP
|
|
value: "false"
|
|
{% if calico_datastore == "kdd" %}
|
|
# Set the hostname based on the k8s node name.
|
|
- name: KUBERNETES_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
{% endif %}
|
|
volumeMounts:
|
|
- mountPath: /host/etc/cni/net.d
|
|
name: cni-net-dir
|
|
- mountPath: /host/opt/cni/bin
|
|
name: cni-bin-dir
|
|
securityContext:
|
|
privileged: true
|
|
containers:
|
|
# Runs calico/node container on each Kubernetes node. This
|
|
# container programs network policy and routes on each
|
|
# host.
|
|
- name: calico-node
|
|
image: {{ calico_node_image_repo }}:{{ calico_node_image_tag }}
|
|
env:
|
|
# The location of the Calico etcd cluster.
|
|
{% if calico_datastore == "etcd" %}
|
|
- name: ETCD_ENDPOINTS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: calico-config
|
|
key: etcd_endpoints
|
|
# Location of the CA certificate for etcd.
|
|
- name: ETCD_CA_CERT_FILE
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: calico-config
|
|
key: etcd_ca
|
|
# Location of the client key for etcd.
|
|
- name: ETCD_KEY_FILE
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: calico-config
|
|
key: etcd_key
|
|
# Location of the client certificate for etcd.
|
|
- name: ETCD_CERT_FILE
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: calico-config
|
|
key: etcd_cert
|
|
{% elif calico_datastore == "kdd" %}
|
|
# Use Kubernetes API as the backing datastore.
|
|
- name: DATASTORE_TYPE
|
|
value: "kubernetes"
|
|
{% if typha_enabled %}
|
|
# Typha support: controlled by the ConfigMap.
|
|
- name: FELIX_TYPHAK8SSERVICENAME
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: calico-config
|
|
key: typha_service_name
|
|
{% if typha_secure %}
|
|
- name: FELIX_TYPHACN
|
|
value: typha-server
|
|
- name: FELIX_TYPHACAFILE
|
|
value: /etc/typha-ca/ca.crt
|
|
- name: FELIX_TYPHACERTFILE
|
|
value: /etc/typha-client/typha-client.crt
|
|
- name: FELIX_TYPHAKEYFILE
|
|
value: /etc/typha-client/typha-client.key
|
|
{% endif %}
|
|
{% endif %}
|
|
# Wait for the datastore.
|
|
- name: WAIT_FOR_DATASTORE
|
|
value: "true"
|
|
{% endif %}
|
|
{% if calico_network_backend is defined and calico_network_backend == 'vxlan' %}
|
|
- name: FELIX_VXLANVNI
|
|
value: "{{ calico_vxlan_vni }}"
|
|
- name: FELIX_VXLANPORT
|
|
value: "{{ calico_vxlan_port }}"
|
|
{% endif %}
|
|
# Choose the backend to use.
|
|
- name: CALICO_NETWORKING_BACKEND
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: calico-config
|
|
key: calico_backend
|
|
# Cluster type to identify the deployment type
|
|
- name: CLUSTER_TYPE
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: calico-config
|
|
key: cluster_type
|
|
# Set noderef for node controller.
|
|
- name: CALICO_K8S_NODE_REF
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
# Disable file logging so `kubectl logs` works.
|
|
- name: CALICO_DISABLE_FILE_LOGGING
|
|
value: "true"
|
|
# Set Felix endpoint to host default action to ACCEPT.
|
|
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
|
|
value: "{{ calico_endpoint_to_host_action|default('RETURN') }}"
|
|
- name: FELIX_HEALTHHOST
|
|
value: "{{ calico_healthhost }}"
|
|
{% if kube_proxy_mode == 'ipvs' and kube_apiserver_node_port_range is defined %}
|
|
- name: FELIX_KUBENODEPORTRANGES
|
|
value: "{{ kube_apiserver_node_port_range.split('-')[0] }}:{{ kube_apiserver_node_port_range.split('-')[1] }}"
|
|
{% endif %}
|
|
- name: FELIX_IPTABLESBACKEND
|
|
value: "{{ calico_iptables_backend }}"
|
|
- name: FELIX_IPTABLESLOCKTIMEOUTSECS
|
|
value: "{{ calico_iptables_lock_timeout_secs }}"
|
|
# should be set in etcd before deployment
|
|
# # Configure the IP Pool from which Pod IPs will be chosen.
|
|
# - name: CALICO_IPV4POOL_CIDR
|
|
# value: "{{ calico_pool_cidr | default(kube_pods_subnet) }}"
|
|
{% if calico_veth_mtu is defined %}
|
|
# Set MTU for the Wireguard tunnel device.
|
|
- name: FELIX_WIREGUARDMTU
|
|
value: "{{ calico_veth_mtu }}"
|
|
{% endif %}
|
|
- name: CALICO_IPV4POOL_IPIP
|
|
value: "{{ calico_ipv4pool_ipip }}"
|
|
- name: FELIX_IPV6SUPPORT
|
|
value: "{{ enable_dual_stack_networks | default(false) }}"
|
|
# Set Felix logging to "info"
|
|
- name: FELIX_LOGSEVERITYSCREEN
|
|
value: "{{ calico_loglevel }}"
|
|
# Set Calico startup logging to "error"
|
|
- name: CALICO_STARTUP_LOGLEVEL
|
|
value: "{{ calico_node_startup_loglevel }}"
|
|
# Enable or disable usage report
|
|
- name: FELIX_USAGEREPORTINGENABLED
|
|
value: "{{ calico_usage_reporting }}"
|
|
# Set MTU for tunnel device used if ipip is enabled
|
|
{% if calico_mtu is defined %}
|
|
- name: FELIX_IPINIPMTU
|
|
value: "{{ calico_veth_mtu | default(calico_mtu) }}"
|
|
{% endif %}
|
|
- name: FELIX_CHAININSERTMODE
|
|
value: "{{ calico_felix_chaininsertmode }}"
|
|
- name: FELIX_PROMETHEUSMETRICSENABLED
|
|
value: "{{ calico_felix_prometheusmetricsenabled }}"
|
|
- name: FELIX_PROMETHEUSMETRICSPORT
|
|
value: "{{ calico_felix_prometheusmetricsport }}"
|
|
- name: FELIX_PROMETHEUSGOMETRICSENABLED
|
|
value: "{{ calico_felix_prometheusgometricsenabled }}"
|
|
- name: FELIX_PROMETHEUSPROCESSMETRICSENABLED
|
|
value: "{{ calico_felix_prometheusprocessmetricsenabled }}"
|
|
{% if calico_ip_auto_method is defined %}
|
|
- name: IP_AUTODETECTION_METHOD
|
|
value: "{{ calico_ip_auto_method }}"
|
|
- name: IP
|
|
value: "autodetect"
|
|
{% else %}
|
|
- name: NODEIP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.hostIP
|
|
- name: IP_AUTODETECTION_METHOD
|
|
value: "can-reach=$(NODEIP)"
|
|
- name: IP
|
|
value: "autodetect"
|
|
{% endif %}
|
|
{% if enable_dual_stack_networks %}
|
|
- name: IP6
|
|
value: autodetect
|
|
{% endif %}
|
|
{% if calico_use_default_route_src_ipaddr|default(false) %}
|
|
- name: FELIX_DEVICEROUTESOURCEADDRESS
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.hostIP
|
|
{% endif %}
|
|
- name: NODENAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
- name: FELIX_HEALTHENABLED
|
|
value: "true"
|
|
- name: FELIX_IGNORELOOSERPF
|
|
value: "{{ calico_node_ignorelooserpf }}"
|
|
- name: CALICO_MANAGE_CNI
|
|
value: "true"
|
|
{% if calico_node_extra_envs is defined %}
|
|
{% for key in calico_node_extra_envs %}
|
|
- name: {{ key }}
|
|
value: "{{ calico_node_extra_envs[key] }}"
|
|
{% endfor %}
|
|
{% endif %}
|
|
securityContext:
|
|
privileged: true
|
|
resources:
|
|
limits:
|
|
cpu: {{ calico_node_cpu_limit }}
|
|
memory: {{ calico_node_memory_limit }}
|
|
requests:
|
|
cpu: {{ calico_node_cpu_requests }}
|
|
memory: {{ calico_node_memory_requests }}
|
|
livenessProbe:
|
|
exec:
|
|
command:
|
|
- /bin/calico-node
|
|
- -felix-live
|
|
{% if calico_network_backend|default("bird") == "bird" %}
|
|
- -bird-live
|
|
{% endif %}
|
|
initialDelaySeconds: 5
|
|
failureThreshold: 6
|
|
readinessProbe:
|
|
failureThreshold: 6
|
|
exec:
|
|
command:
|
|
- /bin/calico-node
|
|
{% if calico_network_backend|default("bird") == "bird" %}
|
|
- -bird-ready
|
|
{% endif %}
|
|
- -felix-ready
|
|
volumeMounts:
|
|
- mountPath: /lib/modules
|
|
name: lib-modules
|
|
readOnly: true
|
|
- mountPath: /var/run/calico
|
|
name: var-run-calico
|
|
- mountPath: /var/lib/calico
|
|
name: var-lib-calico
|
|
readOnly: false
|
|
{% if calico_datastore == "etcd" %}
|
|
- mountPath: /calico-secrets
|
|
name: etcd-certs
|
|
{% endif %}
|
|
- name: xtables-lock
|
|
mountPath: /run/xtables.lock
|
|
readOnly: false
|
|
- mountPath: /host/etc/cni/net.d
|
|
name: cni-net-dir
|
|
{% if typha_secure %}
|
|
- name: typha-client
|
|
mountPath: /etc/typha-client
|
|
readOnly: true
|
|
- name: typha-cacert
|
|
subPath: ca.crt
|
|
mountPath: /etc/typha-ca/ca.crt
|
|
readOnly: true
|
|
{% endif %}
|
|
|
|
volumes:
|
|
# Used by calico/node.
|
|
- name: lib-modules
|
|
hostPath:
|
|
path: /lib/modules
|
|
- name: var-run-calico
|
|
hostPath:
|
|
path: /var/run/calico
|
|
- name: var-lib-calico
|
|
hostPath:
|
|
path: /var/lib/calico
|
|
# Used to install CNI.
|
|
- name: cni-net-dir
|
|
hostPath:
|
|
path: /etc/cni/net.d
|
|
- name: cni-bin-dir
|
|
hostPath:
|
|
path: /opt/cni/bin
|
|
{% if calico_datastore == "etcd" %}
|
|
# Mount in the etcd TLS secrets.
|
|
- name: etcd-certs
|
|
hostPath:
|
|
path: "{{ calico_cert_dir }}"
|
|
{% endif %}
|
|
# Mount the global iptables lock file, used by calico/node
|
|
- name: xtables-lock
|
|
hostPath:
|
|
path: /run/xtables.lock
|
|
type: FileOrCreate
|
|
{% if calico_datastore == "kdd" %}
|
|
# Mount in the directory for host-local IPAM allocations. This is
|
|
# used when upgrading from host-local to calico-ipam, and can be removed
|
|
# if not using the upgrade-ipam init container.
|
|
- name: host-local-net-dir
|
|
hostPath:
|
|
path: /var/lib/cni/networks
|
|
{% endif %}
|
|
{% if typha_enabled and typha_secure %}
|
|
- name: typha-client
|
|
secret:
|
|
secretName: typha-client
|
|
items:
|
|
- key: tls.crt
|
|
path: typha-client.crt
|
|
- key: tls.key
|
|
path: typha-client.key
|
|
- name: typha-cacert
|
|
hostPath:
|
|
path: "/etc/kubernetes/ssl/"
|
|
{% endif %}
|
|
updateStrategy:
|
|
rollingUpdate:
|
|
maxUnavailable: {{ serial | default('20%') }}
|
|
type: RollingUpdate
|