

  1. ---
  2. kind: DaemonSet
  3. apiVersion: extensions/v1beta1
  4. metadata:
  5. name: canal-node
  6. namespace: kube-system
  7. labels:
  8. k8s-app: canal-node
  9. spec:
  10. selector:
  11. matchLabels:
  12. k8s-app: canal-node
  13. template:
  14. metadata:
  15. labels:
  16. k8s-app: canal-node
  17. spec:
  18. {% if kube_version is version('v1.11.1', '>=') %}
  19. priorityClassName: system-node-critical
  20. {% endif %}
  21. hostNetwork: true
  22. serviceAccountName: canal
  23. tolerations:
  24. - operator: Exists
  25. # Mark pod as critical for rescheduling (Will have no effect starting with kubernetes 1.12)
  26. - key: CriticalAddonsOnly
  27. operator: "Exists"
  28. volumes:
  29. # Used by calico/node.
  30. - name: lib-modules
  31. hostPath:
  32. path: /lib/modules
  33. - name: var-lib-calico
  34. hostPath:
  35. path: /var/lib/calico
  36. - name: var-run-calico
  37. hostPath:
  38. path: /var/run/calico
  39. # Used to install CNI.
  40. - name: cni-bin-dir
  41. hostPath:
  42. path: /opt/cni/bin
  43. - name: cni-net-dir
  44. hostPath:
  45. path: /etc/cni/net.d
  46. # Used by flannel daemon.
  47. - name: run-flannel
  48. hostPath:
  49. path: /run/flannel
  50. - name: resolv
  51. hostPath:
  52. path: /etc/resolv.conf
  53. - name: "canal-certs"
  54. hostPath:
  55. path: "{{ canal_cert_dir }}"
  56. - name: xtables-lock
  57. hostPath:
  58. path: /run/xtables.lock
  59. type: FileOrCreate
  60. {% if calico_version is version('v3.4.0', '>=') %}
  61. initContainers:
  62. # This container installs the Calico CNI binaries
  63. # and CNI network config file on each node.
  64. - name: install-cni
  65. image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
  66. command: ["/install-cni.sh"]
  67. env:
  68. # Name of the CNI config file to create.
  69. - name: CNI_CONF_NAME
  70. value: "10-canal.conflist"
  71. # Install CNI binaries
  72. - name: UPDATE_CNI_BINARIES
  73. value: "true"
  74. # The CNI network config to install on each node.
  75. - name: CNI_NETWORK_CONFIG_FILE
  76. value: "/host/etc/cni/net.d/canal.conflist.template"
  77. # Prevents the container from sleeping forever.
  78. - name: SLEEP
  79. value: "false"
  80. volumeMounts:
  81. - mountPath: /host/etc/cni/net.d
  82. name: cni-net-dir
  83. - mountPath: /host/opt/cni/bin
  84. name: cni-bin-dir
  85. {% endif %}
  86. containers:
  87. {% if calico_version is version('v3.3.0', '>=') and calico_version is version('v3.4.0', '<') %}
  88. - name: install-cni
  89. image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
  90. command: ["/install-cni.sh"]
  91. env:
  92. # Name of the CNI config file to create.
  93. - name: CNI_CONF_NAME
  94. value: "10-canal.conflist"
  95. # Install CNI binaries
  96. - name: UPDATE_CNI_BINARIES
  97. value: "true"
  98. # The CNI network config to install on each node.
  99. - name: CNI_NETWORK_CONFIG_FILE
  100. value: "/host/etc/cni/net.d/canal.conflist.template"
  101. volumeMounts:
  102. - mountPath: /host/etc/cni/net.d
  103. name: cni-net-dir
  104. - mountPath: /host/opt/cni/bin
  105. name: cni-bin-dir
  106. {% endif %}
  107. # Runs the flannel daemon to enable vxlan networking between
  108. # container hosts.
  109. - name: flannel
  110. image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
  111. imagePullPolicy: {{ k8s_image_pull_policy }}
  112. resources:
  113. limits:
  114. cpu: {{ flannel_cpu_limit }}
  115. memory: {{ flannel_memory_limit }}
  116. requests:
  117. cpu: {{ flannel_cpu_requests }}
  118. memory: {{ flannel_memory_requests }}
  119. env:
  120. # Cluster name
  121. - name: CLUSTER_NAME
  122. valueFrom:
  123. configMapKeyRef:
  124. name: canal-config
  125. key: cluster_name
  126. # The location of the etcd cluster.
  127. - name: FLANNELD_ETCD_ENDPOINTS
  128. valueFrom:
  129. configMapKeyRef:
  130. name: canal-config
  131. key: etcd_endpoints
  132. # The interface flannel should run on.
  133. - name: FLANNELD_IFACE
  134. valueFrom:
  135. configMapKeyRef:
  136. name: canal-config
  137. key: flanneld_iface
  138. # Perform masquerade on traffic leaving the pod cidr.
  139. - name: FLANNELD_IP_MASQ
  140. valueFrom:
  141. configMapKeyRef:
  142. name: canal-config
  143. key: masquerade
  144. # Set etcd-prefix
  145. - name: DOCKER_OPT_ETCD_PREFIX
  146. value: "-etcd-prefix=/$(CLUSTER_NAME)/network"
  147. # Write the subnet.env file to the mounted directory.
  148. - name: FLANNELD_SUBNET_FILE
  149. value: "/run/flannel/subnet.env"
  150. # Etcd SSL vars
  151. - name: ETCD_CA_CERT_FILE
  152. valueFrom:
  153. configMapKeyRef:
  154. name: canal-config
  155. key: etcd_cafile
  156. - name: ETCD_CERT_FILE
  157. valueFrom:
  158. configMapKeyRef:
  159. name: canal-config
  160. key: etcd_certfile
  161. - name: ETCD_KEY_FILE
  162. valueFrom:
  163. configMapKeyRef:
  164. name: canal-config
  165. key: etcd_keyfile
  166. command:
  167. - "/bin/sh"
  168. - "-c"
  169. - "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network -etcd-cafile $(ETCD_CA_CERT_FILE) -etcd-certfile $(ETCD_CERT_FILE) -etcd-keyfile $(ETCD_KEY_FILE)"
  170. ports:
  171. - hostPort: 10253
  172. containerPort: 10253
  173. securityContext:
  174. privileged: true
  175. volumeMounts:
  176. - name: "resolv"
  177. mountPath: "/etc/resolv.conf"
  178. - name: "run-flannel"
  179. mountPath: "/run/flannel"
  180. - name: "canal-certs"
  181. mountPath: "{{ canal_cert_dir }}"
  182. readOnly: true
  183. - name: xtables-lock
  184. mountPath: /run/xtables.lock
  185. readOnly: false
  186. # Runs calico/node container on each Kubernetes node. This
  187. # container programs network policy and local routes on each
  188. # host.
  189. - name: calico-node
  190. image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}"
  191. imagePullPolicy: {{ k8s_image_pull_policy }}
  192. resources:
  193. limits:
  194. cpu: {{ calico_node_cpu_limit }}
  195. memory: {{ calico_node_memory_limit }}
  196. requests:
  197. cpu: {{ calico_node_cpu_requests }}
  198. memory: {{ calico_node_memory_requests }}
  199. env:
  200. # The location of the etcd cluster.
  201. - name: ETCD_ENDPOINTS
  202. valueFrom:
  203. configMapKeyRef:
  204. name: canal-config
  205. key: etcd_endpoints
  206. # Disable Calico BGP. Calico is simply enforcing policy.
  207. - name: CALICO_NETWORKING_BACKEND
  208. value: "none"
  209. # Cluster type to identify the deployment type
  210. - name: CLUSTER_TYPE
  211. value: "kubespray,canal"
  212. # Disable file logging so `kubectl logs` works.
  213. - name: CALICO_DISABLE_FILE_LOGGING
  214. value: "true"
  215. # Set noderef for node controller.
  216. - name: CALICO_K8S_NODE_REF
  217. valueFrom:
  218. fieldRef:
  219. fieldPath: spec.nodeName
  220. - name: FELIX_HEALTHENABLED
  221. value: "true"
  222. # Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
  223. # this is not required in later versions https://github.com/projectcalico/calico/issues/2179
  224. {% if calico_version is version('v3.2.1', '<') %}
  225. - name: FELIX_IPTABLESLOCKTIMEOUTSECS
  226. value: "10"
  227. {% endif %}
  228. # Etcd SSL vars
  229. - name: ETCD_CA_CERT_FILE
  230. valueFrom:
  231. configMapKeyRef:
  232. name: canal-config
  233. key: etcd_cafile
  234. - name: ETCD_CERT_FILE
  235. valueFrom:
  236. configMapKeyRef:
  237. name: canal-config
  238. key: etcd_certfile
  239. - name: ETCD_KEY_FILE
  240. valueFrom:
  241. configMapKeyRef:
  242. name: canal-config
  243. key: etcd_keyfile
  244. - name: NODENAME
  245. valueFrom:
  246. fieldRef:
  247. fieldPath: spec.nodeName
  248. securityContext:
  249. privileged: true
  250. livenessProbe:
  251. httpGet:
  252. host: 127.0.0.1
  253. path: /liveness
  254. port: 9099
  255. periodSeconds: 10
  256. initialDelaySeconds: 5
  257. failureThreshold: 6
  258. readinessProbe:
  259. {% if calico_version is version('v3.3.0', '<')%}
  260. httpGet:
  261. host: 127.0.0.1
  262. path: /readiness
  263. port: 9099
  264. {% else %}
  265. exec:
  266. command:
  267. - /bin/calico-node
  268. - -felix-ready
  269. {% endif %}
  270. periodSeconds: 10
  271. volumeMounts:
  272. - mountPath: /lib/modules
  273. name: lib-modules
  274. readOnly: true
  275. - mountPath: /var/run/calico
  276. name: var-run-calico
  277. readOnly: false
  278. - mountPath: /var/lib/calico
  279. name: var-lib-calico
  280. readOnly: false
  281. - name: "canal-certs"
  282. mountPath: "{{ canal_cert_dir }}"
  283. readOnly: true
  284. - name: xtables-lock
  285. mountPath: /run/xtables.lock
  286. readOnly: false
  287. updateStrategy:
  288. rollingUpdate:
  289. maxUnavailable: {{ serial | default('20%') }}
  290. type: RollingUpdate