@ -0,0 +1,842 @@ |
|
|
|
--- |
|
|
|
# Source: calico/templates/calico-config.yaml |
|
|
|
# This ConfigMap is used to configure a self-hosted Calico installation. |
|
|
|
kind: ConfigMap |
|
|
|
apiVersion: v1 |
|
|
|
metadata: |
|
|
|
name: calico-config |
|
|
|
namespace: kube-system |
|
|
|
data: |
|
|
|
# Typha is disabled. |
|
|
|
typha_service_name: "none" |
|
|
|
# Configure the backend to use. |
|
|
|
calico_backend: "bird" |
|
|
|
# Configure the MTU to use for workload interfaces and the |
|
|
|
# tunnels. For IPIP, set to your network MTU - 20; for VXLAN |
|
|
|
# set to your network MTU - 50. |
|
|
|
veth_mtu: "1440" |
|
|
|
|
|
|
|
# The CNI network configuration to install on each node. The special |
|
|
|
# values in this config will be automatically populated. |
|
|
|
cni_network_config: |- |
|
|
|
{ |
|
|
|
"name": "k8s-pod-network", |
|
|
|
"cniVersion": "0.3.1", |
|
|
|
"plugins": [ |
|
|
|
{ |
|
|
|
"type": "calico", |
|
|
|
"log_level": "info", |
|
|
|
"datastore_type": "kubernetes", |
|
|
|
"nodename": "__KUBERNETES_NODE_NAME__", |
|
|
|
"mtu": __CNI_MTU__, |
|
|
|
"ipam": { |
|
|
|
"type": "calico-ipam" |
|
|
|
}, |
|
|
|
"policy": { |
|
|
|
"type": "k8s" |
|
|
|
}, |
|
|
|
"kubernetes": { |
|
|
|
"kubeconfig": "__KUBECONFIG_FILEPATH__" |
|
|
|
} |
|
|
|
}, |
|
|
|
{ |
|
|
|
"type": "portmap", |
|
|
|
"snat": true, |
|
|
|
"capabilities": {"portMappings": true} |
|
|
|
}, |
|
|
|
{ |
|
|
|
"type": "bandwidth", |
|
|
|
"capabilities": {"bandwidth": true} |
|
|
|
} |
|
|
|
] |
|
|
|
} |
|
|
|
|
|
|
|
--- |
|
|
|
# Source: calico/templates/kdd-crds.yaml |
|
|
|
|
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: bgpconfigurations.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: BGPConfiguration |
|
|
|
plural: bgpconfigurations |
|
|
|
singular: bgpconfiguration |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: bgppeers.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: BGPPeer |
|
|
|
plural: bgppeers |
|
|
|
singular: bgppeer |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: blockaffinities.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: BlockAffinity |
|
|
|
plural: blockaffinities |
|
|
|
singular: blockaffinity |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: clusterinformations.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: ClusterInformation |
|
|
|
plural: clusterinformations |
|
|
|
singular: clusterinformation |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: felixconfigurations.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: FelixConfiguration |
|
|
|
plural: felixconfigurations |
|
|
|
singular: felixconfiguration |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: globalnetworkpolicies.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: GlobalNetworkPolicy |
|
|
|
plural: globalnetworkpolicies |
|
|
|
singular: globalnetworkpolicy |
|
|
|
shortNames: |
|
|
|
- gnp |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: globalnetworksets.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: GlobalNetworkSet |
|
|
|
plural: globalnetworksets |
|
|
|
singular: globalnetworkset |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: hostendpoints.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: HostEndpoint |
|
|
|
plural: hostendpoints |
|
|
|
singular: hostendpoint |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: ipamblocks.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: IPAMBlock |
|
|
|
plural: ipamblocks |
|
|
|
singular: ipamblock |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: ipamconfigs.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: IPAMConfig |
|
|
|
plural: ipamconfigs |
|
|
|
singular: ipamconfig |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: ipamhandles.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: IPAMHandle |
|
|
|
plural: ipamhandles |
|
|
|
singular: ipamhandle |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: ippools.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: IPPool |
|
|
|
plural: ippools |
|
|
|
singular: ippool |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: kubecontrollersconfigurations.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Cluster |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: KubeControllersConfiguration |
|
|
|
plural: kubecontrollersconfigurations |
|
|
|
singular: kubecontrollersconfiguration |
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: networkpolicies.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Namespaced |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: NetworkPolicy |
|
|
|
plural: networkpolicies |
|
|
|
singular: networkpolicy |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1 |
|
|
|
kind: CustomResourceDefinition |
|
|
|
metadata: |
|
|
|
name: networksets.crd.projectcalico.org |
|
|
|
spec: |
|
|
|
scope: Namespaced |
|
|
|
group: crd.projectcalico.org |
|
|
|
version: v1 |
|
|
|
names: |
|
|
|
kind: NetworkSet |
|
|
|
plural: networksets |
|
|
|
singular: networkset |
|
|
|
|
|
|
|
--- |
|
|
|
--- |
|
|
|
# Source: calico/templates/rbac.yaml |
|
|
|
|
|
|
|
# Include a clusterrole for the kube-controllers component, |
|
|
|
# and bind it to the calico-kube-controllers serviceaccount. |
|
|
|
kind: ClusterRole |
|
|
|
apiVersion: rbac.authorization.k8s.io/v1 |
|
|
|
metadata: |
|
|
|
name: calico-kube-controllers |
|
|
|
rules: |
|
|
|
# Nodes are watched to monitor for deletions. |
|
|
|
- apiGroups: [""] |
|
|
|
resources: |
|
|
|
- nodes |
|
|
|
verbs: |
|
|
|
- watch |
|
|
|
- list |
|
|
|
- get |
|
|
|
# Pods are queried to check for existence. |
|
|
|
- apiGroups: [""] |
|
|
|
resources: |
|
|
|
- pods |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
# IPAM resources are manipulated when nodes are deleted. |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- ippools |
|
|
|
verbs: |
|
|
|
- list |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- blockaffinities |
|
|
|
- ipamblocks |
|
|
|
- ipamhandles |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
- list |
|
|
|
- create |
|
|
|
- update |
|
|
|
- delete |
|
|
|
# kube-controllers manages hostendpoints. |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- hostendpoints |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
- list |
|
|
|
- create |
|
|
|
- update |
|
|
|
- delete |
|
|
|
# Needs access to update clusterinformations. |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- clusterinformations |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
- create |
|
|
|
- update |
|
|
|
# KubeControllersConfiguration is where it gets its config |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- kubecontrollersconfigurations |
|
|
|
verbs: |
|
|
|
# read its own config |
|
|
|
- get |
|
|
|
# create a default if none exists |
|
|
|
- create |
|
|
|
# update status |
|
|
|
- update |
|
|
|
# watch for changes |
|
|
|
- watch |
|
|
|
--- |
|
|
|
kind: ClusterRoleBinding |
|
|
|
apiVersion: rbac.authorization.k8s.io/v1 |
|
|
|
metadata: |
|
|
|
name: calico-kube-controllers |
|
|
|
roleRef: |
|
|
|
apiGroup: rbac.authorization.k8s.io |
|
|
|
kind: ClusterRole |
|
|
|
name: calico-kube-controllers |
|
|
|
subjects: |
|
|
|
- kind: ServiceAccount |
|
|
|
name: calico-kube-controllers |
|
|
|
namespace: kube-system |
|
|
|
--- |
|
|
|
# Include a clusterrole for the calico-node DaemonSet, |
|
|
|
# and bind it to the calico-node serviceaccount. |
|
|
|
kind: ClusterRole |
|
|
|
apiVersion: rbac.authorization.k8s.io/v1 |
|
|
|
metadata: |
|
|
|
name: calico-node |
|
|
|
rules: |
|
|
|
# The CNI plugin needs to get pods, nodes, and namespaces. |
|
|
|
- apiGroups: [""] |
|
|
|
resources: |
|
|
|
- pods |
|
|
|
- nodes |
|
|
|
- namespaces |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
- apiGroups: [""] |
|
|
|
resources: |
|
|
|
- endpoints |
|
|
|
- services |
|
|
|
verbs: |
|
|
|
# Used to discover service IPs for advertisement. |
|
|
|
- watch |
|
|
|
- list |
|
|
|
# Used to discover Typhas. |
|
|
|
- get |
|
|
|
# Pod CIDR auto-detection on kubeadm needs access to config maps. |
|
|
|
- apiGroups: [""] |
|
|
|
resources: |
|
|
|
- configmaps |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
- apiGroups: [""] |
|
|
|
resources: |
|
|
|
- nodes/status |
|
|
|
verbs: |
|
|
|
# Needed for clearing NodeNetworkUnavailable flag. |
|
|
|
- patch |
|
|
|
# Calico stores some configuration information in node annotations. |
|
|
|
- update |
|
|
|
# Watch for changes to Kubernetes NetworkPolicies. |
|
|
|
- apiGroups: ["networking.k8s.io"] |
|
|
|
resources: |
|
|
|
- networkpolicies |
|
|
|
verbs: |
|
|
|
- watch |
|
|
|
- list |
|
|
|
# Used by Calico for policy information. |
|
|
|
- apiGroups: [""] |
|
|
|
resources: |
|
|
|
- pods |
|
|
|
- namespaces |
|
|
|
- serviceaccounts |
|
|
|
verbs: |
|
|
|
- list |
|
|
|
- watch |
|
|
|
# The CNI plugin patches pods/status. |
|
|
|
- apiGroups: [""] |
|
|
|
resources: |
|
|
|
- pods/status |
|
|
|
verbs: |
|
|
|
- patch |
|
|
|
# Calico monitors various CRDs for config. |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- globalfelixconfigs |
|
|
|
- felixconfigurations |
|
|
|
- bgppeers |
|
|
|
- globalbgpconfigs |
|
|
|
- bgpconfigurations |
|
|
|
- ippools |
|
|
|
- ipamblocks |
|
|
|
- globalnetworkpolicies |
|
|
|
- globalnetworksets |
|
|
|
- networkpolicies |
|
|
|
- networksets |
|
|
|
- clusterinformations |
|
|
|
- hostendpoints |
|
|
|
- blockaffinities |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
- list |
|
|
|
- watch |
|
|
|
# Calico must create and update some CRDs on startup. |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- ippools |
|
|
|
- felixconfigurations |
|
|
|
- clusterinformations |
|
|
|
verbs: |
|
|
|
- create |
|
|
|
- update |
|
|
|
# Calico stores some configuration information on the node. |
|
|
|
- apiGroups: [""] |
|
|
|
resources: |
|
|
|
- nodes |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
- list |
|
|
|
- watch |
|
|
|
# These permissions are only requried for upgrade from v2.6, and can |
|
|
|
# be removed after upgrade or on fresh installations. |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- bgpconfigurations |
|
|
|
- bgppeers |
|
|
|
verbs: |
|
|
|
- create |
|
|
|
- update |
|
|
|
# These permissions are required for Calico CNI to perform IPAM allocations. |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- blockaffinities |
|
|
|
- ipamblocks |
|
|
|
- ipamhandles |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
- list |
|
|
|
- create |
|
|
|
- update |
|
|
|
- delete |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- ipamconfigs |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
# Block affinities must also be watchable by confd for route aggregation. |
|
|
|
- apiGroups: ["crd.projectcalico.org"] |
|
|
|
resources: |
|
|
|
- blockaffinities |
|
|
|
verbs: |
|
|
|
- watch |
|
|
|
# The Calico IPAM migration needs to get daemonsets. These permissions can be |
|
|
|
# removed if not upgrading from an installation using host-local IPAM. |
|
|
|
- apiGroups: ["apps"] |
|
|
|
resources: |
|
|
|
- daemonsets |
|
|
|
verbs: |
|
|
|
- get |
|
|
|
|
|
|
|
--- |
|
|
|
apiVersion: rbac.authorization.k8s.io/v1 |
|
|
|
kind: ClusterRoleBinding |
|
|
|
metadata: |
|
|
|
name: calico-node |
|
|
|
roleRef: |
|
|
|
apiGroup: rbac.authorization.k8s.io |
|
|
|
kind: ClusterRole |
|
|
|
name: calico-node |
|
|
|
subjects: |
|
|
|
- kind: ServiceAccount |
|
|
|
name: calico-node |
|
|
|
namespace: kube-system |
|
|
|
|
|
|
|
--- |
|
|
|
# Source: calico/templates/calico-node.yaml |
|
|
|
# This manifest installs the calico-node container, as well |
|
|
|
# as the CNI plugins and network config on |
|
|
|
# each master and worker node in a Kubernetes cluster. |
|
|
|
kind: DaemonSet |
|
|
|
apiVersion: apps/v1 |
|
|
|
metadata: |
|
|
|
name: calico-node |
|
|
|
namespace: kube-system |
|
|
|
labels: |
|
|
|
k8s-app: calico-node |
|
|
|
spec: |
|
|
|
selector: |
|
|
|
matchLabels: |
|
|
|
k8s-app: calico-node |
|
|
|
updateStrategy: |
|
|
|
type: RollingUpdate |
|
|
|
rollingUpdate: |
|
|
|
maxUnavailable: 1 |
|
|
|
template: |
|
|
|
metadata: |
|
|
|
labels: |
|
|
|
k8s-app: calico-node |
|
|
|
annotations: |
|
|
|
# This, along with the CriticalAddonsOnly toleration below, |
|
|
|
# marks the pod as a critical add-on, ensuring it gets |
|
|
|
# priority scheduling and that its resources are reserved |
|
|
|
# if it ever gets evicted. |
|
|
|
scheduler.alpha.kubernetes.io/critical-pod: '' |
|
|
|
spec: |
|
|
|
nodeSelector: |
|
|
|
kubernetes.io/os: linux |
|
|
|
hostNetwork: true |
|
|
|
tolerations: |
|
|
|
# Make sure calico-node gets scheduled on all nodes. |
|
|
|
- effect: NoSchedule |
|
|
|
operator: Exists |
|
|
|
# Mark the pod as a critical add-on for rescheduling. |
|
|
|
- key: CriticalAddonsOnly |
|
|
|
operator: Exists |
|
|
|
- effect: NoExecute |
|
|
|
operator: Exists |
|
|
|
serviceAccountName: calico-node |
|
|
|
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force |
|
|
|
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. |
|
|
|
terminationGracePeriodSeconds: 0 |
|
|
|
priorityClassName: system-node-critical |
|
|
|
initContainers: |
|
|
|
# This container performs upgrade from host-local IPAM to calico-ipam. |
|
|
|
# It can be deleted if this is a fresh installation, or if you have already |
|
|
|
# upgraded to use calico-ipam. |
|
|
|
- name: upgrade-ipam |
|
|
|
image: calico/cni:v3.14.2 |
|
|
|
command: ["/opt/cni/bin/calico-ipam", "-upgrade"] |
|
|
|
env: |
|
|
|
- name: KUBERNETES_NODE_NAME |
|
|
|
valueFrom: |
|
|
|
fieldRef: |
|
|
|
fieldPath: spec.nodeName |
|
|
|
- name: CALICO_NETWORKING_BACKEND |
|
|
|
valueFrom: |
|
|
|
configMapKeyRef: |
|
|
|
name: calico-config |
|
|
|
key: calico_backend |
|
|
|
volumeMounts: |
|
|
|
- mountPath: /var/lib/cni/networks |
|
|
|
name: host-local-net-dir |
|
|
|
- mountPath: /host/opt/cni/bin |
|
|
|
name: cni-bin-dir |
|
|
|
securityContext: |
|
|
|
privileged: true |
|
|
|
# This container installs the CNI binaries |
|
|
|
# and CNI network config file on each node. |
|
|
|
- name: install-cni |
|
|
|
image: calico/cni:v3.14.2 |
|
|
|
command: ["/install-cni.sh"] |
|
|
|
env: |
|
|
|
# Name of the CNI config file to create. |
|
|
|
- name: CNI_CONF_NAME |
|
|
|
value: "10-calico.conflist" |
|
|
|
# The CNI network config to install on each node. |
|
|
|
- name: CNI_NETWORK_CONFIG |
|
|
|
valueFrom: |
|
|
|
configMapKeyRef: |
|
|
|
name: calico-config |
|
|
|
key: cni_network_config |
|
|
|
# Set the hostname based on the k8s node name. |
|
|
|
- name: KUBERNETES_NODE_NAME |
|
|
|
valueFrom: |
|
|
|
fieldRef: |
|
|
|
fieldPath: spec.nodeName |
|
|
|
# CNI MTU Config variable |
|
|
|
- name: CNI_MTU |
|
|
|
valueFrom: |
|
|
|
configMapKeyRef: |
|
|
|
name: calico-config |
|
|
|
key: veth_mtu |
|
|
|
# Prevents the container from sleeping forever. |
|
|
|
- name: SLEEP |
|
|
|
value: "false" |
|
|
|
volumeMounts: |
|
|
|
- mountPath: /host/opt/cni/bin |
|
|
|
name: cni-bin-dir |
|
|
|
- mountPath: /host/etc/cni/net.d |
|
|
|
name: cni-net-dir |
|
|
|
securityContext: |
|
|
|
privileged: true |
|
|
|
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes |
|
|
|
# to communicate with Felix over the Policy Sync API. |
|
|
|
- name: flexvol-driver |
|
|
|
image: calico/pod2daemon-flexvol:v3.14.2 |
|
|
|
volumeMounts: |
|
|
|
- name: flexvol-driver-host |
|
|
|
mountPath: /host/driver |
|
|
|
securityContext: |
|
|
|
privileged: true |
|
|
|
containers: |
|
|
|
# Runs calico-node container on each Kubernetes node. This |
|
|
|
# container programs network policy and routes on each |
|
|
|
# host. |
|
|
|
- name: calico-node |
|
|
|
image: calico/node:v3.14.2 |
|
|
|
env: |
|
|
|
# Use Kubernetes API as the backing datastore. |
|
|
|
- name: DATASTORE_TYPE |
|
|
|
value: "kubernetes" |
|
|
|
# Wait for the datastore. |
|
|
|
- name: WAIT_FOR_DATASTORE |
|
|
|
value: "true" |
|
|
|
# Set based on the k8s node name. |
|
|
|
- name: NODENAME |
|
|
|
valueFrom: |
|
|
|
fieldRef: |
|
|
|
fieldPath: spec.nodeName |
|
|
|
# Choose the backend to use. |
|
|
|
- name: CALICO_NETWORKING_BACKEND |
|
|
|
valueFrom: |
|
|
|
configMapKeyRef: |
|
|
|
name: calico-config |
|
|
|
key: calico_backend |
|
|
|
# Cluster type to identify the deployment type |
|
|
|
- name: CLUSTER_TYPE |
|
|
|
value: "k8s,bgp" |
|
|
|
# Auto-detect the BGP IP address. |
|
|
|
- name: IP |
|
|
|
value: "autodetect" |
|
|
|
# Enable IPIP |
|
|
|
- name: CALICO_IPV4POOL_IPIP |
|
|
|
value: "Always" |
|
|
|
# Enable or Disable VXLAN on the default IP pool. |
|
|
|
- name: CALICO_IPV4POOL_VXLAN |
|
|
|
value: "Never" |
|
|
|
# Set MTU for tunnel device used if ipip is enabled |
|
|
|
- name: FELIX_IPINIPMTU |
|
|
|
valueFrom: |
|
|
|
configMapKeyRef: |
|
|
|
name: calico-config |
|
|
|
key: veth_mtu |
|
|
|
# Set MTU for the VXLAN tunnel device. |
|
|
|
- name: FELIX_VXLANMTU |
|
|
|
valueFrom: |
|
|
|
configMapKeyRef: |
|
|
|
name: calico-config |
|
|
|
key: veth_mtu |
|
|
|
# The default IPv4 pool to create on startup if none exists. Pod IPs will be |
|
|
|
# chosen from this range. Changing this value after installation will have |
|
|
|
# no effect. This should fall within `--cluster-cidr`. |
|
|
|
- name: CALICO_IPV4POOL_CIDR |
|
|
|
value: "10.244.0.0/16" |
|
|
|
# Disable file logging so `kubectl logs` works. |
|
|
|
- name: CALICO_DISABLE_FILE_LOGGING |
|
|
|
value: "true" |
|
|
|
# Set Felix endpoint to host default action to ACCEPT. |
|
|
|
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION |
|
|
|
value: "ACCEPT" |
|
|
|
# Disable IPv6 on Kubernetes. |
|
|
|
- name: FELIX_IPV6SUPPORT |
|
|
|
value: "false" |
|
|
|
# Set Felix logging to "info" |
|
|
|
- name: FELIX_LOGSEVERITYSCREEN |
|
|
|
value: "info" |
|
|
|
- name: FELIX_HEALTHENABLED |
|
|
|
value: "true" |
|
|
|
securityContext: |
|
|
|
privileged: true |
|
|
|
resources: |
|
|
|
requests: |
|
|
|
cpu: 250m |
|
|
|
livenessProbe: |
|
|
|
exec: |
|
|
|
command: |
|
|
|
- /bin/calico-node |
|
|
|
- -felix-live |
|
|
|
- -bird-live |
|
|
|
periodSeconds: 10 |
|
|
|
initialDelaySeconds: 10 |
|
|
|
failureThreshold: 6 |
|
|
|
readinessProbe: |
|
|
|
exec: |
|
|
|
command: |
|
|
|
- /bin/calico-node |
|
|
|
- -felix-ready |
|
|
|
- -bird-ready |
|
|
|
periodSeconds: 10 |
|
|
|
volumeMounts: |
|
|
|
- mountPath: /lib/modules |
|
|
|
name: lib-modules |
|
|
|
readOnly: true |
|
|
|
- mountPath: /run/xtables.lock |
|
|
|
name: xtables-lock |
|
|
|
readOnly: false |
|
|
|
- mountPath: /var/run/calico |
|
|
|
name: var-run-calico |
|
|
|
readOnly: false |
|
|
|
- mountPath: /var/lib/calico |
|
|
|
name: var-lib-calico |
|
|
|
readOnly: false |
|
|
|
- name: policysync |
|
|
|
mountPath: /var/run/nodeagent |
|
|
|
volumes: |
|
|
|
# Used by calico-node. |
|
|
|
- name: lib-modules |
|
|
|
hostPath: |
|
|
|
path: /lib/modules |
|
|
|
- name: var-run-calico |
|
|
|
hostPath: |
|
|
|
path: /var/run/calico |
|
|
|
- name: var-lib-calico |
|
|
|
hostPath: |
|
|
|
path: /var/lib/calico |
|
|
|
- name: xtables-lock |
|
|
|
hostPath: |
|
|
|
path: /run/xtables.lock |
|
|
|
type: FileOrCreate |
|
|
|
# Used to install CNI. |
|
|
|
- name: cni-bin-dir |
|
|
|
hostPath: |
|
|
|
path: /opt/cni/bin |
|
|
|
- name: cni-net-dir |
|
|
|
hostPath: |
|
|
|
path: /etc/cni/net.d |
|
|
|
# Mount in the directory for host-local IPAM allocations. This is |
|
|
|
# used when upgrading from host-local to calico-ipam, and can be removed |
|
|
|
# if not using the upgrade-ipam init container. |
|
|
|
- name: host-local-net-dir |
|
|
|
hostPath: |
|
|
|
path: /var/lib/cni/networks |
|
|
|
# Used to create per-pod Unix Domain Sockets |
|
|
|
- name: policysync |
|
|
|
hostPath: |
|
|
|
type: DirectoryOrCreate |
|
|
|
path: /var/run/nodeagent |
|
|
|
# Used to install Flex Volume Driver |
|
|
|
- name: flexvol-driver-host |
|
|
|
hostPath: |
|
|
|
type: DirectoryOrCreate |
|
|
|
path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds |
|
|
|
--- |
|
|
|
|
|
|
|
apiVersion: v1 |
|
|
|
kind: ServiceAccount |
|
|
|
metadata: |
|
|
|
name: calico-node |
|
|
|
namespace: kube-system |
|
|
|
|
|
|
|
--- |
|
|
|
# Source: calico/templates/calico-kube-controllers.yaml |
|
|
|
# See https://github.com/projectcalico/kube-controllers |
|
|
|
apiVersion: apps/v1 |
|
|
|
kind: Deployment |
|
|
|
metadata: |
|
|
|
name: calico-kube-controllers |
|
|
|
namespace: kube-system |
|
|
|
labels: |
|
|
|
k8s-app: calico-kube-controllers |
|
|
|
spec: |
|
|
|
# The controllers can only have a single active instance. |
|
|
|
replicas: 1 |
|
|
|
selector: |
|
|
|
matchLabels: |
|
|
|
k8s-app: calico-kube-controllers |
|
|
|
strategy: |
|
|
|
type: Recreate |
|
|
|
template: |
|
|
|
metadata: |
|
|
|
name: calico-kube-controllers |
|
|
|
namespace: kube-system |
|
|
|
labels: |
|
|
|
k8s-app: calico-kube-controllers |
|
|
|
annotations: |
|
|
|
scheduler.alpha.kubernetes.io/critical-pod: '' |
|
|
|
spec: |
|
|
|
nodeSelector: |
|
|
|
kubernetes.io/os: linux |
|
|
|
tolerations: |
|
|
|
# Mark the pod as a critical add-on for rescheduling. |
|
|
|
- key: CriticalAddonsOnly |
|
|
|
operator: Exists |
|
|
|
- key: node-role.kubernetes.io/master |
|
|
|
effect: NoSchedule |
|
|
|
serviceAccountName: calico-kube-controllers |
|
|
|
priorityClassName: system-cluster-critical |
|
|
|
containers: |
|
|
|
- name: calico-kube-controllers |
|
|
|
image: calico/kube-controllers:v3.14.2 |
|
|
|
env: |
|
|
|
# Choose which controllers to run. |
|
|
|
- name: ENABLED_CONTROLLERS |
|
|
|
value: node |
|
|
|
- name: DATASTORE_TYPE |
|
|
|
value: kubernetes |
|
|
|
readinessProbe: |
|
|
|
exec: |
|
|
|
command: |
|
|
|
- /usr/bin/check-status |
|
|
|
- -r |
|
|
|
|
|
|
|
--- |
|
|
|
|
|
|
|
apiVersion: v1 |
|
|
|
kind: ServiceAccount |
|
|
|
metadata: |
|
|
|
name: calico-kube-controllers |
|
|
|
namespace: kube-system |
|
|
|
|
|
|
|
--- |
|
|
|
# Source: calico/templates/calico-etcd-secrets.yaml |
|
|
|
|
|
|
|
--- |
|
|
|
# Source: calico/templates/calico-typha.yaml |
|
|
|
|
|
|
|
--- |
|
|
|
# Source: calico/templates/configure-canal.yaml |
|
|
|
|
|
|
|
|
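Review bot: All fifteen CustomResourceDefinition documents (from the first `apiVersion: apiextensions.k8s.io/v1beta1` under `# Source: calico/templates/kdd-crds.yaml` onward) use the v1beta1 CRD API, which Kubernetes removed in v1.22, so this newly added manifest will not apply on current clusters; they should move to `apiVersion: apiextensions.k8s.io/v1`, which also replaces the bare `version: v1` with a `versions:` list carrying a structural `openAPIV3Schema` per entry. The `scheduler.alpha.kubernetes.io/critical-pod: ''` annotation on both pod templates is likewise obsolete — the `priorityClassName` already set on each spec carries that role — and can be dropped. For supply-chain hygiene, the `calico/*:v3.14.2` image references are pinned by mutable tag only; pinning by digest (e.g. `image: calico/node:v3.14.2@sha256:<digest-placeholder>`) makes the rollout reproducible and lets an admission policy verify what actually runs. Since `FELIX_DEFAULTENDPOINTTOHOSTACTION` is set to `"ACCEPT"`, workload-to-host traffic is not dropped by default; that matches the upstream manifest, but the env entry deserves a comment such as `# With ACCEPT, node-local services are reachable from pods unless host endpoint policy restricts them.` so operators know to cover it with HostEndpoint policy.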