richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2466 Commits
29 Branches
81 Tags
149 MiB
Tree: bd1f0bcfd7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bd1f0bcfd7'
${ noResults }
kubespray/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2

68 lines
2.4 KiB
Raw Normal View History

update calico to 2.6.2 (#1874) Move RS to deployment so no need to take care of the revision history limits : - Delete the old RS - Make Calico manifest a deployment - move deployments to apps/v1beta2 API since Kubernetes 1.8
7 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
update calico to 2.6.2 (#1874) Move RS to deployment so no need to take care of the revision history limits : - Delete the old RS - Make Calico manifest a deployment - move deployments to apps/v1beta2 API since Kubernetes 1.8
7 years ago
Address standalone kubelet config case Also place in global vars and do not repeat the kube_*_config_dir and kube_namespace vars for better code maintainability and UX. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
update calico to 2.6.2 (#1874) Move RS to deployment so no need to take care of the revision history limits : - Delete the old RS - Make Calico manifest a deployment - move deployments to apps/v1beta2 API since Kubernetes 1.8
7 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
update calico to 2.6.2 (#1874) Move RS to deployment so no need to take care of the revision history limits : - Delete the old RS - Make Calico manifest a deployment - move deployments to apps/v1beta2 API since Kubernetes 1.8
7 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
update calico to 2.6.2 (#1874) Move RS to deployment so no need to take care of the revision history limits : - Delete the old RS - Make Calico manifest a deployment - move deployments to apps/v1beta2 API since Kubernetes 1.8
7 years ago
Add RBAC support for canal (#1604) Refactored how rbac_enabled is set Added RBAC to ubuntu-canal-ha CI job Added rbac for calico policy controller
7 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
update calico to 2.6.2 (#1874) Move RS to deployment so no need to take care of the revision history limits : - Delete the old RS - Make Calico manifest a deployment - move deployments to apps/v1beta2 API since Kubernetes 1.8
7 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
Add RBAC support for canal (#1604) Refactored how rbac_enabled is set Added RBAC to ubuntu-canal-ha CI job Added rbac for calico policy controller
7 years ago
update calico to 2.6.2 (#1874) Move RS to deployment so no need to take care of the revision history limits : - Delete the old RS - Make Calico manifest a deployment - move deployments to apps/v1beta2 API since Kubernetes 1.8
7 years ago
Add RBAC support for canal (#1604) Refactored how rbac_enabled is set Added RBAC to ubuntu-canal-ha CI job Added rbac for calico policy controller
7 years ago
Enable scheduling of critical pods and network plugins on master Added toleration to DNS, netchecker, fluentd, canal, and calico policy. Also small fixes to make yamllint pass.
7 years ago
Add RBAC support for canal (#1604) Refactored how rbac_enabled is set Added RBAC to ubuntu-canal-ha CI job Added rbac for calico policy controller
7 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
update calico to 2.6.2 (#1874) Move RS to deployment so no need to take care of the revision history limits : - Delete the old RS - Make Calico manifest a deployment - move deployments to apps/v1beta2 API since Kubernetes 1.8
7 years ago
Download images as dependencies of roles Pre download all required container images as roles' deps. Drop unused flannel-server-helper images pre download. Improve pods creation post-install test pre downloaded busybox. Improve logs collection script with kubectl describe, fix sudo/etcd/weave commands. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Allow pre-downloaded images to be used effectively According to http://kubernetes.io/docs/user-guide/images/ : By default, the kubelet will try to pull each image from the specified registry. However, if the imagePullPolicy property of the container is set to IfNotPresent or Never, then a local\ image is used (preferentially or exclusively, respectively). Use IfNotPresent value to allow images prepared by the download role dependencies to be effectively used by kubelet without pull errors resulting apps to stay blocked in PullBackOff/Error state even when there are images on the localhost exist. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Systemd units, limits, and bin path fixes * Add restart for weave service unit * Reuse docker_bin_dir everythere * Limit systemd managed docker containers by CPU/RAM. Do not configure native systemd limits due to the lack of consensus in the kernel community requires out-of-tree kernel patches. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
Move set_facts to kubespray-defaults defaults These facts can be generated in defaults with a performance boost. Also cleaned up duplicate etcd var names.
7 years ago
Add etcd TLS support
8 years ago
Fix cert paths for flannel/calico policy apps Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Add etcd TLS support
8 years ago
Fix cert paths for flannel/calico policy apps Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Add etcd TLS support
8 years ago
Fix cert paths for flannel/calico policy apps Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
Move calico-policy-controller into separate role By default Calico CNI does not create any network access policies or profiles if 'policy' is enabled in CNI config. And without any policies/profiles network access to/from PODs is blocked. K8s related policies are created by calico-policy-controller in such case. So we need to start it as soon as possible, before any real workloads. This patch also fixes kube-api port in calico-policy-controller yaml template. Closes #1132
7 years ago
Add possibility to enable network policy via Calico network controller The requirements for network policy feature are described here [1]. In order to enable it, appropriate configuration must be provided to the CNI plug in and Calico policy controller must be set up. Beside that corresponding extensions needed to be enabled in k8s API. Now to turn on the feature user can define `enable_network_policy` customization variable for Ansible. [1] http://kubernetes.io/docs/user-guide/networkpolicies/
8 years ago
Fix policy controller 'etcd_cert_dir' variable is missing from 'kubernetes-apps/ansible' role which breaks Calico policy controller deployment. Also fixing calico-policy-controller.yml.
8 years ago
Fix cert paths for flannel/calico policy apps Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Fix policy controller 'etcd_cert_dir' variable is missing from 'kubernetes-apps/ansible' role which breaks Calico policy controller deployment. Also fixing calico-policy-controller.yml.
8 years ago
Fix cert paths for flannel/calico policy apps Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Fix policy controller 'etcd_cert_dir' variable is missing from 'kubernetes-apps/ansible' role which breaks Calico policy controller deployment. Also fixing calico-policy-controller.yml.
8 years ago
  1. apiVersion: apps/v1beta2
  2. kind: Deployment
  3. metadata:
  4. name: calico-kube-controllers
  5. namespace: {{ system_namespace }}
  6. labels:
  7. k8s-app: calico-kube-controllers
  8. kubernetes.io/cluster-service: "true"
  9. spec:
  10. replicas: 1
  11. selector:
  12. matchLabels:
  13. kubernetes.io/cluster-service: "true"
  14. k8s-app: calico-kube-controllers
  15. template:
  16. metadata:
  17. name: calico-kube-controllers
  18. namespace: {{ system_namespace }}
  19. labels:
  20. kubernetes.io/cluster-service: "true"
  21. k8s-app: calico-kube-controllers
  22. spec:
  23. hostNetwork: true
  24. {% if rbac_enabled %}
  25. serviceAccountName: calico-kube-controllers
  26. {% endif %}
  27. tolerations:
  28. - effect: NoSchedule
  29. operator: Exists
  30. containers:
  31. - name: calico-kube-controllers
  32. image: {{ calico_policy_image_repo }}:{{ calico_policy_image_tag }}
  33. imagePullPolicy: {{ k8s_image_pull_policy }}
  34. resources:
  35. limits:
  36. cpu: {{ calico_policy_controller_cpu_limit }}
  37. memory: {{ calico_policy_controller_memory_limit }}
  38. requests:
  39. cpu: {{ calico_policy_controller_cpu_requests }}
  40. memory: {{ calico_policy_controller_memory_requests }}
  41. env:
  42. - name: ETCD_ENDPOINTS
  43. value: "{{ etcd_access_addresses }}"
  44. - name: ETCD_CA_CERT_FILE
  45. value: "{{ calico_cert_dir }}/ca_cert.crt"
  46. - name: ETCD_CERT_FILE
  47. value: "{{ calico_cert_dir }}/cert.crt"
  48. - name: ETCD_KEY_FILE
  49. value: "{{ calico_cert_dir }}/key.pem"
  50. # Location of the Kubernetes API - this shouldn't need to be
  51. # changed so long as it is used in conjunction with
  52. # CONFIGURE_ETC_HOSTS="true".
  53. - name: K8S_API
  54. value: "https://kubernetes.default"
  55. # Configure /etc/hosts within the container to resolve
  56. # the kubernetes.default Service to the correct clusterIP
  57. # using the environment provided by the kubelet.
  58. # This removes the need for KubeDNS to resolve the Service.
  59. - name: CONFIGURE_ETC_HOSTS
  60. value: "true"
  61. volumeMounts:
  62. - mountPath: {{ calico_cert_dir }}
  63. name: etcd-certs
  64. readOnly: true
  65. volumes:
  66. - hostPath:
  67. path: {{ calico_cert_dir }}
  68. name: etcd-certs