richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4008 Commits
29 Branches
81 Tags
146 MiB
Tree: 5f117fb65e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5f117fb65e'
${ noResults }
kubespray/docs/calico.md

203 lines
6.2 KiB
Raw Normal View History

add documentation
8 years ago
calico upgrade to v3 (#3086) * calico upgrade to v3 * update calico_rr version * add missing file * change contents of main.yml as it was left old version * enable network policy by default * remove unneeded task * Fix kubelet calico settings * fix when statement * switch back to node-kubeconfig.yaml
6 years ago
add documentation
8 years ago
Support new version of 'calicoctl' (>=v1.0.0) Since version 'v1.0.0-beta' calicoctl is written in Go and its API differs from old Python based utility. Added support of both old and new version of the utility.
8 years ago
Fix some typos Signed-off-by: Rui Cao <ruicao@alauda.io>
6 years ago
Support new version of 'calicoctl' (>=v1.0.0) Since version 'v1.0.0-beta' calicoctl is written in Go and its API differs from old Python based utility. Added support of both old and new version of the utility.
8 years ago
add documentation
8 years ago
Support new version of 'calicoctl' (>=v1.0.0) Since version 'v1.0.0-beta' calicoctl is written in Go and its API differs from old Python based utility. Added support of both old and new version of the utility.
8 years ago
Calico: fix peering with routers for new version In new `calicoctl` version nodes peering with routers is broken. We need to use predictable node names for calico-node and the same names in calico `bgpPeer` resources and CNI.
8 years ago
Support new version of 'calicoctl' (>=v1.0.0) Since version 'v1.0.0-beta' calicoctl is written in Go and its API differs from old Python based utility. Added support of both old and new version of the utility.
8 years ago
Fix some typos Signed-off-by: Rui Cao <ruicao@alauda.io>
6 years ago
Support new version of 'calicoctl' (>=v1.0.0) Since version 'v1.0.0-beta' calicoctl is written in Go and its API differs from old Python based utility. Added support of both old and new version of the utility.
8 years ago
add documentation
8 years ago
Support new version of 'calicoctl' (>=v1.0.0) Since version 'v1.0.0-beta' calicoctl is written in Go and its API differs from old Python based utility. Added support of both old and new version of the utility.
8 years ago
add documentation
8 years ago
Add calico/routereflector support Add BGP route reflectors support in order to optimize BGP topology for deployments with Calico network plugin. Also bump version of calico/ctl for some bug fixes.
8 years ago
Add ability to define network backend for Calico. This patch introduce `calico_network_backend` global variable, which allow to describe alternative network backend. Default behavior is unchanged.
8 years ago
Add calico/routereflector support Add BGP route reflectors support in order to optimize BGP topology for deployments with Calico network plugin. Also bump version of calico/ctl for some bug fixes.
8 years ago
add documentation
8 years ago
Fix some typos Signed-off-by: Rui Cao <ruicao@alauda.io>
6 years ago
add documentation
8 years ago
Change GCE sysctls placement and docs Override GCE sysctl in /etc/sysctl.d/99-sysctl.conf instead of the /etc/sysctl.d/11-gce-network-security.conf. It is recreated by GCE, f.e. if gcloud CLI invokes some security related changes, thus losing customizations we want to be persistent. Update cloud providers firewall requirements in calico docs. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Calico: Ability to define global peers (#3493)
6 years ago
Add calico/routereflector support Add BGP route reflectors support in order to optimize BGP topology for deployments with Calico network plugin. Also bump version of calico/ctl for some bug fixes.
8 years ago
calico upgrade to v3 (#3086) * calico upgrade to v3 * update calico_rr version * add missing file * change contents of main.yml as it was left old version * enable network policy by default * remove unneeded task * Fix kubelet calico settings * fix when statement * switch back to node-kubeconfig.yaml
6 years ago
Add calico/routereflector support Add BGP route reflectors support in order to optimize BGP topology for deployments with Calico network plugin. Also bump version of calico/ctl for some bug fixes.
8 years ago
rename almost all mentions of kargo
7 years ago
Add calico/routereflector support Add BGP route reflectors support in order to optimize BGP topology for deployments with Calico network plugin. Also bump version of calico/ctl for some bug fixes.
8 years ago
rename almost all mentions of kargo
7 years ago
Add calico/routereflector support Add BGP route reflectors support in order to optimize BGP topology for deployments with Calico network plugin. Also bump version of calico/ctl for some bug fixes.
8 years ago
Allow connections from pods to local endpoints By default Calico blocks traffic from endpoints to the host itself by using an iptables DROP action. It could lead to a situation when service has one alive endpoint, but pods which run on the same node can not access it. Changed the action to RETURN.
7 years ago
Fix some typos Signed-off-by: Rui Cao <ruicao@alauda.io>
6 years ago
Allow connections from pods to local endpoints By default Calico blocks traffic from endpoints to the host itself by using an iptables DROP action. It could lead to a situation when service has one alive endpoint, but pods which run on the same node can not access it. Changed the action to RETURN.
7 years ago
Make Felix healthhost configurable
6 years ago
Change GCE sysctls placement and docs Override GCE sysctl in /etc/sysctl.d/99-sysctl.conf instead of the /etc/sysctl.d/11-gce-network-security.conf. It is recreated by GCE, f.e. if gcloud CLI invokes some security related changes, thus losing customizations we want to be persistent. Update cloud providers firewall requirements in calico docs. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add calico variable that enables ignoring Kernel's RPF Setting (#1493)
7 years ago
Document how to allow ipip traffic with calico on OpenStack
6 years ago
  1. Calico
  2. ===========
  4. ---
  5. **N.B. Version 2.6.5 upgrade to 3.1.1 is upgrading etcd store to etcdv3**
  6. If you create automated backups of etcdv2 please switch for creating etcdv3 backups, as kubernetes and calico now uses etcdv3
  7. After migration you can check `/tmp/calico_upgrade/` directory for converted items to etcdv3.
  8. **PLEASE TEST upgrade before upgrading production cluster.**
  9. ---
  11. Check if the calico-node container is running
  13. ```
  14. docker ps | grep calico
  15. ```
  17. The **calicoctl** command allows to check the status of the network workloads.
  18. * Check the status of Calico nodes
  20. ```
  21. calicoctl node status
  22. ```
  24. or for versions prior to *v1.0.0*:
  26. ```
  27. calicoctl status
  28. ```
  30. * Show the configured network subnet for containers
  32. ```
  33. calicoctl get ippool -o wide
  34. ```
  36. or for versions prior to *v1.0.0*:
  38. ```
  39. calicoctl pool show
  40. ```
  42. * Show the workloads (ip addresses of containers and their located)
  44. ```
  45. calicoctl get workloadEndpoint -o wide
  46. ```
  48. and
  50. ```
  51. calicoctl get hostEndpoint -o wide
  52. ```
  54. or for versions prior *v1.0.0*:
  56. ```
  57. calicoctl endpoint show --detail
  58. ```
  60. ##### Optional : Define network backend
  62. In some cases you may want to define Calico network backend. Allowed values are 'bird', 'gobgp' or 'none'. Bird is a default value.
  64. To re-define you need to edit the inventory and add a group variable `calico_network_backend`
  66. ```
  67. calico_network_backend: none
  68. ```
  70. ##### Optional : BGP Peering with border routers
  72. In some cases you may want to route the pods subnet and so NAT is not needed on the nodes.
  73. For instance if you have a cluster spread on different locations and you want your pods to talk each other no matter where they are located.
  74. The following variables need to be set:
  75. `peer_with_router` to enable the peering with the datacenter's border router (default value: false).
  76. you'll need to edit the inventory and add a hostvar `local_as` by node.
  78. ```
  79. node1 ansible_ssh_host=95.54.0.12 local_as=xxxxxx
  80. ```
  82. ##### Optional : Defining BGP peers
  84. Peers can be defined using the `peers` variable (see docs/calico_peer_example examples).
  85. In order to define global peers, the `peers` variable can be defined in group_vars with the "scope" attribute of each global peer set to "global".
  86. In order to define peers on a per node basis, the `peers` variable must be defined in hostvars.
  87. NB: Ansible's `hash_behaviour` is by default set to "replace", thus defining both global and per node peers would end up with having only per node peers. If having both global and per node peers defined was meant to happen, global peers would have to be defined in hostvars for each host (as well as per node peers)
  89. ##### Optional : Define global AS number
  91. Optional parameter `global_as_num` defines Calico global AS number (`/calico/bgp/v1/global/as_num` etcd key).
  92. It defaults to "64512".
  94. ##### Optional : BGP Peering with route reflectors
  96. At large scale you may want to disable full node-to-node mesh in order to
  97. optimize your BGP topology and improve `calico-node` containers' start times.
  99. To do so you can deploy BGP route reflectors and peer `calico-node` with them as
  100. recommended here:
  102. * https://hub.docker.com/r/calico/routereflector/
  103. * https://docs.projectcalico.org/v3.1/reference/private-cloud/l3-interconnect-fabric
  105. You need to edit your inventory and add:
  107. * `calico-rr` group with nodes in it. At the moment it's incompatible with
  108. `kube-node` due to BGP port conflict with `calico-node` container. So you
  109. should not have nodes in both `calico-rr` and `kube-node` groups.
  110. * `cluster_id` by route reflector node/group (see details
  111. [here](https://hub.docker.com/r/calico/routereflector/))
  113. Here's an example of Kubespray inventory with route reflectors:
  115. ```
  116. [all]
  117. rr0 ansible_ssh_host=10.210.1.10 ip=10.210.1.10
  118. rr1 ansible_ssh_host=10.210.1.11 ip=10.210.1.11
  119. node2 ansible_ssh_host=10.210.1.12 ip=10.210.1.12
  120. node3 ansible_ssh_host=10.210.1.13 ip=10.210.1.13
  121. node4 ansible_ssh_host=10.210.1.14 ip=10.210.1.14
  122. node5 ansible_ssh_host=10.210.1.15 ip=10.210.1.15
  124. [kube-master]
  125. node2
  126. node3
  128. [etcd]
  129. node2
  130. node3
  131. node4
  133. [kube-node]
  134. node2
  135. node3
  136. node4
  137. node5
  139. [k8s-cluster:children]
  140. kube-node
  141. kube-master
  143. [calico-rr]
  144. rr0
  145. rr1
  147. [rack0]
  148. rr0
  149. rr1
  150. node2
  151. node3
  152. node4
  153. node5
  155. [rack0:vars]
  156. cluster_id="1.0.0.1"
  157. ```
  159. The inventory above will deploy the following topology assuming that calico's
  160. `global_as_num` is set to `65400`:
  162. ![Image](figures/kubespray-calico-rr.png?raw=true)
  164. ##### Optional : Define default endpoint to host action
  166. By default Calico blocks traffic from endpoints to the host itself by using an iptables DROP action. When using it in kubernetes the action has to be changed to RETURN (default in kubespray) or ACCEPT (see https://github.com/projectcalico/felix/issues/660 and https://github.com/projectcalico/calicoctl/issues/1389). Otherwise all network packets from pods (with hostNetwork=False) to services endpoints (with hostNetwork=True) within the same node are dropped.
  169. To re-define default action please set the following variable in your inventory:
  170. ```
  171. calico_endpoint_to_host_action: "ACCEPT"
  172. ```
  174. ##### Optional : Define address on which Felix will respond to health requests
  176. Since Calico 3.2.0, HealthCheck default behavior changed from listening on all interfaces to just listening on localhost.
  178. To re-define health host please set the following variable in your inventory:
  179. ```
  180. calico_healthhost: "0.0.0.0"
  181. ```
  183. Cloud providers configuration
  184. =============================
  186. Please refer to the official documentation, for example [GCE configuration](http://docs.projectcalico.org/v1.5/getting-started/docker/installation/gce) requires a security rule for calico ip-ip tunnels. Note, calico is always configured with ``ipip: true`` if the cloud provider was defined.
  188. ##### Optional : Ignore kernel's RPF check setting
  190. By default the felix agent(calico-node) will abort if the Kernel RPF setting is not 'strict'. If you want Calico to ignore the Kernel setting:
  192. ```
  193. calico_node_ignorelooserpf: true
  194. ```
  196. Note that in OpenStack you must allow `ipip` traffic in your security groups,
  197. otherwise you will experience timeouts.
  198. To do this you must add a rule which allows it, for example:
  200. ```
  201. neutron security-group-rule-create --protocol 4 --direction egress k8s-a0tp4t
  202. neutron security-group-rule-create --protocol 4 --direction igress k8s-a0tp4t
  203. ```