richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1000 Commits
33 Branches
82 Tags
153 MiB
Tree: 59a097b255
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '59a097b255'
${ noResults }
kubespray/roles/kubernetes-apps/ansible/templates/calico-policy-controller.ym...

55 lines
1.9 KiB
Raw Normal View History

Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
Add advanced net check for DNS K8s app * Add an option to deploy K8s app to test e2e network connectivity and cluster DNS resolve via Kubedns for nethost/simple pods (defaults to false). * Parametrize existing k8s apps templates with kube_namespace and kube_config_dir instead of hardcode. * For CoreOS, ensure nameservers from inventory to be put in the first place to allow hostnet pods connectivity via short names or FQDN and hostnet agents to pass as well, if netchecker deployed. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
Download images as dependencies of roles Pre download all required container images as roles' deps. Drop unused flannel-server-helper images pre download. Improve pods creation post-install test pre downloaded busybox. Improve logs collection script with kubectl describe, fix sudo/etcd/weave commands. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Allow pre-downloaded images to be used effectively According to http://kubernetes.io/docs/user-guide/images/ : By default, the kubelet will try to pull each image from the specified registry. However, if the imagePullPolicy property of the container is set to IfNotPresent or Never, then a local\ image is used (preferentially or exclusively, respectively). Use IfNotPresent value to allow images prepared by the download role dependencies to be effectively used by kubelet without pull errors resulting apps to stay blocked in PullBackOff/Error state even when there are images on the localhost exist. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
Remove etcd-proxy from all nodes and use etcd multiaccess
8 years ago
Add etcd TLS support
8 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
Fix policy controller 'etcd_cert_dir' variable is missing from 'kubernetes-apps/ansible' role which breaks Calico policy controller deployment. Also fixing calico-policy-controller.yml.
8 years ago
  1. apiVersion: extensions/v1beta1
  2. kind: ReplicaSet
  3. metadata:
  4. name: calico-policy-controller
  5. namespace: {{ kube_namespace }}
  6. labels:
  7. k8s-app: calico-policy
  8. kubernetes.io/cluster-service: "true"
  9. spec:
  10. replicas: 1
  11. selector:
  12. matchLabels:
  13. kubernetes.io/cluster-service: "true"
  14. k8s-app: calico-policy
  15. template:
  16. metadata:
  17. name: calico-policy-controller
  18. namespace: kube-system
  19. labels:
  20. kubernetes.io/cluster-service: "true"
  21. k8s-app: calico-policy
  22. spec:
  23. hostNetwork: true
  24. containers:
  25. - name: calico-policy-controller
  26. image: {{ calico_policy_image_repo }}:{{ calico_policy_image_tag }}
  27. imagePullPolicy: {{ k8s_image_pull_policy }}
  28. env:
  29. - name: ETCD_ENDPOINTS
  30. value: "{{ etcd_access_endpoint }}"
  31. - name: ETCD_CA_CERT_FILE
  32. value: "{{ etcd_cert_dir }}/ca.pem"
  33. - name: ETCD_CERT_FILE
  34. value: "{{ etcd_cert_dir }}/node.pem"
  35. - name: ETCD_KEY_FILE
  36. value: "{{ etcd_cert_dir }}/node-key.pem"
  37. # Location of the Kubernetes API - this shouldn't need to be
  38. # changed so long as it is used in conjunction with
  39. # CONFIGURE_ETC_HOSTS="true".
  40. - name: K8S_API
  41. value: "https://kubernetes.default:443"
  42. # Configure /etc/hosts within the container to resolve
  43. # the kubernetes.default Service to the correct clusterIP
  44. # using the environment provided by the kubelet.
  45. # This removes the need for KubeDNS to resolve the Service.
  46. - name: CONFIGURE_ETC_HOSTS
  47. value: "true"
  48. volumeMounts:
  49. - mountPath: {{ etcd_cert_dir }}
  50. name: etcd-certs
  51. readOnly: true
  52. volumes:
  53. - hostPath:
  54. path: {{ etcd_cert_dir }}
  55. name: etcd-certs