richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge pull request #3984 from dannyk81/calico_xtables_lock 

[calico/canal] mount host's xtables lock and enable calico locking for <v3.2.1
pull/3949/head
Chad Swenson 6 years ago
committed by GitHub
parent
0697ab4b4f 257019d424
commit
5a7ac7e5c1
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 0 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      roles/network_plugin/calico/templates/calico-node.yml.j2
  2. 9
      roles/network_plugin/canal/templates/canal-node.yaml.j2

14
roles/network_plugin/calico/templates/calico-node.yml.j2
View File

@ -76,6 +76,12 @@ spec:
value: "{{ calico_endpoint_to_host_action|default('RETURN') }}" value: "{{ calico_endpoint_to_host_action|default('RETURN') }}"
- name: FELIX_HEALTHHOST - name: FELIX_HEALTHHOST
value: "{{ calico_healthhost }}" value: "{{ calico_healthhost }}"
# Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
# this is not required in later versions https://github.com/projectcalico/calico/issues/2179
{% if calico_version is version('v3.2.1', '<') %}
- name: FELIX_IPTABLESLOCKTIMEOUTSECS
value: "10"
{% endif %}
# should be set in etcd before deployment # should be set in etcd before deployment
# # Configure the IP Pool from which Pod IPs will be chosen. # # Configure the IP Pool from which Pod IPs will be chosen.
# - name: CALICO_IPV4POOL_CIDR # - name: CALICO_IPV4POOL_CIDR
@ -170,6 +176,9 @@ spec:
readOnly: false readOnly: false
- mountPath: /calico-secrets - mountPath: /calico-secrets
name: etcd-certs name: etcd-certs
- name: xtables-lock
mountPath: /run/xtables.lock
readOnly: false
volumes: volumes:
# Used by calico/node. # Used by calico/node.
- name: lib-modules - name: lib-modules
@ -192,6 +201,11 @@ spec:
- name: etcd-certs - name: etcd-certs
hostPath: hostPath:
path: "{{ calico_cert_dir }}" path: "{{ calico_cert_dir }}"
# Mount the global iptables lock file, used by calico/node
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
updateStrategy: updateStrategy:
rollingUpdate: rollingUpdate:
maxUnavailable: {{ serial | default('20%') }} maxUnavailable: {{ serial | default('20%') }}

9
roles/network_plugin/canal/templates/canal-node.yaml.j2
View File

@ -173,6 +173,12 @@ spec:
fieldPath: spec.nodeName fieldPath: spec.nodeName
- name: FELIX_HEALTHENABLED - name: FELIX_HEALTHENABLED
value: "true" value: "true"
# Prior to v3.2.1 iptables didn't acquire the lock, so Calico's own implementation of the lock should be used,
# this is not required in later versions https://github.com/projectcalico/calico/issues/2179
{% if calico_version is version('v3.2.1', '<') %}
- name: FELIX_IPTABLESLOCKTIMEOUTSECS
value: "10"
{% endif %}
# Etcd SSL vars # Etcd SSL vars
- name: ETCD_CA_CERT_FILE - name: ETCD_CA_CERT_FILE
valueFrom: valueFrom:
@ -220,6 +226,9 @@ spec:
- name: "canal-certs" - name: "canal-certs"
mountPath: "{{ canal_cert_dir }}" mountPath: "{{ canal_cert_dir }}"
readOnly: true readOnly: true
- name: xtables-lock
mountPath: /run/xtables.lock
readOnly: false
updateStrategy: updateStrategy:
rollingUpdate: rollingUpdate:
maxUnavailable: {{ serial | default('20%') }} maxUnavailable: {{ serial | default('20%') }}

Write Preview
Loading…
Cancel
Save