  1. ---
  2. # This manifest installs the calico/node container, as well
  3. # as the Calico CNI plugins and network config on
  4. # each master and worker node in a Kubernetes cluster.
  5. kind: DaemonSet
  6. apiVersion: apps/v1
  7. metadata:
  8. name: calico-node
  9. namespace: kube-system
  10. labels:
  11. k8s-app: calico-node
  12. spec:
  13. selector:
  14. matchLabels:
  15. k8s-app: calico-node
  16. template:
  17. metadata:
  18. labels:
  19. k8s-app: calico-node
  20. annotations:
  21. {% if calico_datastore == "etcd" %}
  22. kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}"
  23. {% endif %}
  24. {% if calico_felix_prometheusmetricsenabled %}
  25. prometheus.io/scrape: 'true'
  26. prometheus.io/port: "{{ calico_felix_prometheusmetricsport }}"
  27. {% endif %}
  28. spec:
  29. nodeSelector:
  30. {{ calico_ds_nodeselector }}
  31. priorityClassName: system-node-critical
  32. hostNetwork: true
  33. serviceAccountName: calico-node
  34. tolerations:
  35. - operator: Exists
  36. # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
  37. # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
  38. terminationGracePeriodSeconds: 0
  39. initContainers:
  40. {% if calico_datastore == "kdd" %}
  41. # This container performs upgrade from host-local IPAM to calico-ipam.
  42. # It can be deleted if this is a fresh installation, or if you have already
  43. # upgraded to use calico-ipam.
  44. - name: upgrade-ipam
  45. image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
  46. imagePullPolicy: {{ k8s_image_pull_policy }}
  47. command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
  48. envFrom:
  49. - configMapRef:
  50. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
  51. name: kubernetes-services-endpoint
  52. optional: true
  53. env:
  54. - name: KUBERNETES_NODE_NAME
  55. valueFrom:
  56. fieldRef:
  57. fieldPath: spec.nodeName
  58. - name: CALICO_NETWORKING_BACKEND
  59. valueFrom:
  60. configMapKeyRef:
  61. name: calico-config
  62. key: calico_backend
  63. volumeMounts:
  64. - mountPath: /var/lib/cni/networks
  65. name: host-local-net-dir
  66. - mountPath: /host/opt/cni/bin
  67. name: cni-bin-dir
  68. securityContext:
  69. privileged: true
  70. {% endif %}
  71. # This container installs the Calico CNI binaries
  72. # and CNI network config file on each node.
  73. - name: install-cni
  74. image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
  75. imagePullPolicy: {{ k8s_image_pull_policy }}
  76. command: ["/opt/cni/bin/install"]
  77. envFrom:
  78. - configMapRef:
  79. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
  80. name: kubernetes-services-endpoint
  81. optional: true
  82. env:
  83. # Name of the CNI config file to create.
  84. - name: CNI_CONF_NAME
  85. value: "10-calico.conflist"
  86. # Install CNI binaries
  87. - name: UPDATE_CNI_BINARIES
  88. value: "true"
  89. # The CNI network config to install on each node.
  90. - name: CNI_NETWORK_CONFIG_FILE
  91. value: "/host/etc/cni/net.d/calico.conflist.template"
  92. # Prevents the container from sleeping forever.
  93. - name: SLEEP
  94. value: "false"
  95. {% if calico_datastore == "kdd" %}
  96. # Set the hostname based on the k8s node name.
  97. - name: KUBERNETES_NODE_NAME
  98. valueFrom:
  99. fieldRef:
  100. fieldPath: spec.nodeName
  101. {% endif %}
  102. volumeMounts:
  103. - mountPath: /host/etc/cni/net.d
  104. name: cni-net-dir
  105. - mountPath: /host/opt/cni/bin
  106. name: cni-bin-dir
  107. securityContext:
  108. privileged: true
  109. # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
  110. # to communicate with Felix over the Policy Sync API.
  111. - name: flexvol-driver
  112. image: {{ calico_flexvol_image_repo }}:{{ calico_flexvol_image_tag }}
  113. imagePullPolicy: {{ k8s_image_pull_policy }}
  114. volumeMounts:
  115. - name: flexvol-driver-host
  116. mountPath: /host/driver
  117. securityContext:
  118. privileged: true
  119. containers:
  120. # Runs calico/node container on each Kubernetes node. This
  121. # container programs network policy and routes on each
  122. # host.
  123. - name: calico-node
  124. image: {{ calico_node_image_repo }}:{{ calico_node_image_tag }}
  125. imagePullPolicy: {{ k8s_image_pull_policy }}
  126. envFrom:
  127. - configMapRef:
  128. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
  129. name: kubernetes-services-endpoint
  130. optional: true
  131. env:
  132. # The location of the Calico etcd cluster.
  133. {% if calico_datastore == "etcd" %}
  134. - name: ETCD_ENDPOINTS
  135. valueFrom:
  136. configMapKeyRef:
  137. name: calico-config
  138. key: etcd_endpoints
  139. # Location of the CA certificate for etcd.
  140. - name: ETCD_CA_CERT_FILE
  141. valueFrom:
  142. configMapKeyRef:
  143. name: calico-config
  144. key: etcd_ca
  145. # Location of the client key for etcd.
  146. - name: ETCD_KEY_FILE
  147. valueFrom:
  148. configMapKeyRef:
  149. name: calico-config
  150. key: etcd_key
  151. # Location of the client certificate for etcd.
  152. - name: ETCD_CERT_FILE
  153. valueFrom:
  154. configMapKeyRef:
  155. name: calico-config
  156. key: etcd_cert
  157. {% elif calico_datastore == "kdd" %}
  158. # Use Kubernetes API as the backing datastore.
  159. - name: DATASTORE_TYPE
  160. value: "kubernetes"
  161. {% if typha_enabled %}
  162. # Typha support: controlled by the ConfigMap.
  163. - name: FELIX_TYPHAK8SSERVICENAME
  164. valueFrom:
  165. configMapKeyRef:
  166. name: calico-config
  167. key: typha_service_name
  168. {% if typha_secure %}
  169. - name: FELIX_TYPHACN
  170. value: typha-server
  171. - name: FELIX_TYPHACAFILE
  172. value: /etc/typha-ca/ca.crt
  173. - name: FELIX_TYPHACERTFILE
  174. value: /etc/typha-client/typha-client.crt
  175. - name: FELIX_TYPHAKEYFILE
  176. value: /etc/typha-client/typha-client.key
  177. {% endif %}
  178. {% endif %}
  179. # Wait for the datastore.
  180. - name: WAIT_FOR_DATASTORE
  181. value: "true"
  182. {% endif %}
  183. {% if calico_network_backend == 'vxlan' %}
  184. - name: FELIX_VXLANVNI
  185. value: "{{ calico_vxlan_vni }}"
  186. - name: FELIX_VXLANPORT
  187. value: "{{ calico_vxlan_port }}"
  188. {% endif %}
  189. # Choose the backend to use.
  190. - name: CALICO_NETWORKING_BACKEND
  191. valueFrom:
  192. configMapKeyRef:
  193. name: calico-config
  194. key: calico_backend
  195. # Cluster type to identify the deployment type
  196. - name: CLUSTER_TYPE
  197. valueFrom:
  198. configMapKeyRef:
  199. name: calico-config
  200. key: cluster_type
  201. # Set noderef for node controller.
  202. - name: CALICO_K8S_NODE_REF
  203. valueFrom:
  204. fieldRef:
  205. fieldPath: spec.nodeName
  206. # Disable file logging so `kubectl logs` works.
  207. - name: CALICO_DISABLE_FILE_LOGGING
  208. value: "true"
  209. # Set Felix endpoint to host default action to ACCEPT.
  210. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
  211. value: "{{ calico_endpoint_to_host_action|default('RETURN') }}"
  212. - name: FELIX_HEALTHHOST
  213. value: "{{ calico_healthhost }}"
  214. {% if kube_proxy_mode == 'ipvs' and kube_apiserver_node_port_range is defined %}
  215. - name: FELIX_KUBENODEPORTRANGES
  216. value: "{{ kube_apiserver_node_port_range.split('-')[0] }}:{{ kube_apiserver_node_port_range.split('-')[1] }}"
  217. {% endif %}
  218. - name: FELIX_IPTABLESBACKEND
  219. value: "{{ calico_iptables_backend }}"
  220. - name: FELIX_IPTABLESLOCKTIMEOUTSECS
  221. value: "{{ calico_iptables_lock_timeout_secs }}"
  222. # should be set in etcd before deployment
  223. # # Configure the IP Pool from which Pod IPs will be chosen.
  224. # - name: CALICO_IPV4POOL_CIDR
  225. # value: "{{ calico_pool_cidr | default(kube_pods_subnet) }}"
  226. - name: CALICO_IPV4POOL_IPIP
  227. value: "{{ calico_ipv4pool_ipip }}"
  228. - name: FELIX_IPV6SUPPORT
  229. value: "{{ enable_dual_stack_networks | default(false) }}"
  230. # Set Felix logging to "info"
  231. - name: FELIX_LOGSEVERITYSCREEN
  232. value: "{{ calico_loglevel }}"
  233. # Set Calico startup logging to "error"
  234. - name: CALICO_STARTUP_LOGLEVEL
  235. value: "{{ calico_node_startup_loglevel }}"
  236. # Enable or disable usage report
  237. - name: FELIX_USAGEREPORTINGENABLED
  238. value: "{{ calico_usage_reporting }}"
  239. # Set MTU for tunnel device used if ipip is enabled
  240. {% if calico_mtu is defined %}
  241. # Set MTU for tunnel device used if ipip is enabled
  242. - name: FELIX_IPINIPMTU
  243. value: "{{ calico_veth_mtu | default(calico_mtu) }}"
  244. # Set MTU for the VXLAN tunnel device.
  245. - name: FELIX_VXLANMTU
  246. value: "{{ calico_veth_mtu | default(calico_mtu) }}"
  247. # Set MTU for the Wireguard tunnel device.
  248. - name: FELIX_WIREGUARDMTU
  249. value: "{{ calico_veth_mtu | default(calico_mtu) }}"
  250. {% endif %}
  251. - name: FELIX_CHAININSERTMODE
  252. value: "{{ calico_felix_chaininsertmode }}"
  253. - name: FELIX_PROMETHEUSMETRICSENABLED
  254. value: "{{ calico_felix_prometheusmetricsenabled }}"
  255. - name: FELIX_PROMETHEUSMETRICSPORT
  256. value: "{{ calico_felix_prometheusmetricsport }}"
  257. - name: FELIX_PROMETHEUSGOMETRICSENABLED
  258. value: "{{ calico_felix_prometheusgometricsenabled }}"
  259. - name: FELIX_PROMETHEUSPROCESSMETRICSENABLED
  260. value: "{{ calico_felix_prometheusprocessmetricsenabled }}"
  261. {% if calico_ip_auto_method is defined %}
  262. - name: IP_AUTODETECTION_METHOD
  263. value: "{{ calico_ip_auto_method }}"
  264. {% else %}
  265. - name: NODEIP
  266. valueFrom:
  267. fieldRef:
  268. fieldPath: status.hostIP
  269. - name: IP_AUTODETECTION_METHOD
  270. value: "can-reach=$(NODEIP)"
  271. {% endif %}
  272. - name: IP
  273. value: "autodetect"
  274. {% if calico_ip6_auto_method is defined and enable_dual_stack_networks %}
  275. - name: IP6_AUTODETECTION_METHOD
  276. value: "{{ calico_ip6_auto_method }}"
  277. {% endif %}
  278. {% if enable_dual_stack_networks %}
  279. - name: IP6
  280. value: autodetect
  281. {% endif %}
  282. {% if calico_use_default_route_src_ipaddr|default(false) %}
  283. - name: FELIX_DEVICEROUTESOURCEADDRESS
  284. valueFrom:
  285. fieldRef:
  286. fieldPath: status.hostIP
  287. {% endif %}
  288. - name: NODENAME
  289. valueFrom:
  290. fieldRef:
  291. fieldPath: spec.nodeName
  292. - name: FELIX_HEALTHENABLED
  293. value: "true"
  294. - name: FELIX_IGNORELOOSERPF
  295. value: "{{ calico_node_ignorelooserpf }}"
  296. - name: CALICO_MANAGE_CNI
  297. value: "true"
  298. {% if calico_node_extra_envs is defined %}
  299. {% for key in calico_node_extra_envs %}
  300. - name: {{ key }}
  301. value: "{{ calico_node_extra_envs[key] }}"
  302. {% endfor %}
  303. {% endif %}
  304. securityContext:
  305. privileged: true
  306. resources:
  307. limits:
  308. cpu: {{ calico_node_cpu_limit }}
  309. memory: {{ calico_node_memory_limit }}
  310. requests:
  311. cpu: {{ calico_node_cpu_requests }}
  312. memory: {{ calico_node_memory_requests }}
  313. {% if calico_version is version('v3.21.0', '>=') %}
  314. lifecycle:
  315. preStop:
  316. exec:
  317. command:
  318. - /bin/calico-node
  319. - -shutdown
  320. {% endif %}
  321. livenessProbe:
  322. exec:
  323. command:
  324. - /bin/calico-node
  325. - -felix-live
  326. {% if calico_network_backend == "bird" %}
  327. - -bird-live
  328. {% endif %}
  329. periodSeconds: 10
  330. initialDelaySeconds: 10
  331. timeoutSeconds: {{ calico_node_livenessprobe_timeout | default(10) }}
  332. failureThreshold: 6
  333. readinessProbe:
  334. exec:
  335. command:
  336. - /bin/calico-node
  337. {% if calico_network_backend == "bird" %}
  338. - -bird-ready
  339. {% endif %}
  340. - -felix-ready
  341. periodSeconds: 10
  342. timeoutSeconds: {{ calico_node_readinessprobe_timeout | default(10) }}
  343. failureThreshold: 6
  344. volumeMounts:
  345. - mountPath: /lib/modules
  346. name: lib-modules
  347. readOnly: true
  348. - mountPath: /var/run/calico
  349. name: var-run-calico
  350. readOnly: false
  351. - mountPath: /var/lib/calico
  352. name: var-lib-calico
  353. readOnly: false
  354. {% if calico_datastore == "etcd" %}
  355. - mountPath: /calico-secrets
  356. name: etcd-certs
  357. readOnly: true
  358. {% endif %}
  359. - name: xtables-lock
  360. mountPath: /run/xtables.lock
  361. readOnly: false
  362. # For maintaining CNI plugin API credentials.
  363. - mountPath: /host/etc/cni/net.d
  364. name: cni-net-dir
  365. readOnly: false
  366. {% if typha_secure %}
  367. - name: typha-client
  368. mountPath: /etc/typha-client
  369. readOnly: true
  370. - name: typha-cacert
  371. subPath: ca.crt
  372. mountPath: /etc/typha-ca/ca.crt
  373. readOnly: true
  374. {% endif %}
  375. - name: policysync
  376. mountPath: /var/run/nodeagent
  377. {% if calico_bpf_enabled %}
  378. # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
  379. # parent directory.
  380. - name: sysfs
  381. mountPath: /sys/fs/
  382. # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
  383. # If the host is known to mount that filesystem already then Bidirectional can be omitted.
  384. mountPropagation: Bidirectional
  385. {% endif %}
  386. - name: cni-log-dir
  387. mountPath: /var/log/calico/cni
  388. readOnly: true
  389. volumes:
  390. # Used by calico/node.
  391. - name: lib-modules
  392. hostPath:
  393. path: /lib/modules
  394. - name: var-run-calico
  395. hostPath:
  396. path: /var/run/calico
  397. - name: var-lib-calico
  398. hostPath:
  399. path: /var/lib/calico
  400. # Used to install CNI.
  401. - name: cni-net-dir
  402. hostPath:
  403. path: /etc/cni/net.d
  404. - name: cni-bin-dir
  405. hostPath:
  406. path: /opt/cni/bin
  407. {% if calico_datastore == "etcd" %}
  408. # Mount in the etcd TLS secrets.
  409. - name: etcd-certs
  410. hostPath:
  411. path: "{{ calico_cert_dir }}"
  412. {% endif %}
  413. # Mount the global iptables lock file, used by calico/node
  414. - name: xtables-lock
  415. hostPath:
  416. path: /run/xtables.lock
  417. type: FileOrCreate
  418. {% if calico_datastore == "kdd" %}
  419. # Mount in the directory for host-local IPAM allocations. This is
  420. # used when upgrading from host-local to calico-ipam, and can be removed
  421. # if not using the upgrade-ipam init container.
  422. - name: host-local-net-dir
  423. hostPath:
  424. path: /var/lib/cni/networks
  425. {% endif %}
  426. {% if typha_enabled and typha_secure %}
  427. - name: typha-client
  428. secret:
  429. secretName: typha-client
  430. items:
  431. - key: tls.crt
  432. path: typha-client.crt
  433. - key: tls.key
  434. path: typha-client.key
  435. - name: typha-cacert
  436. hostPath:
  437. path: "/etc/kubernetes/ssl/"
  438. {% endif %}
  439. {% if calico_bpf_enabled %}
  440. - name: sysfs
  441. hostPath:
  442. path: /sys/fs/
  443. type: DirectoryOrCreate
  444. {% endif %}
  445. # Used to access CNI logs.
  446. - name: cni-log-dir
  447. hostPath:
  448. path: /var/log/calico/cni
  449. # Used to create per-pod Unix Domain Sockets
  450. - name: policysync
  451. hostPath:
  452. type: DirectoryOrCreate
  453. path: /var/run/nodeagent
  454. # Used to install Flex Volume Driver
  455. - name: flexvol-driver-host
  456. hostPath:
  457. type: DirectoryOrCreate
  458. path: "{{ kubelet_flexvolumes_plugins_dir | default('/usr/libexec/kubernetes/kubelet-plugins/volume/exec') }}/nodeagent~uds"
  459. updateStrategy:
  460. rollingUpdate:
  461. maxUnavailable: {{ serial | default('20%') }}
  462. type: RollingUpdate