Drop canal network_plugin (#10100)
Drop canal network_plugin (#10100)
According to the canal GitHub repository[1], the repo has not been maintained for over 5 years. In addition, the README says ``` Originally, we thought we might more deeply integrate the two projects (possibly even going as far as a rebranding!). However, over time it became clear that that wasn't really necessary to fulfil our goal of making them work well together. Ultimately, we decided to focus on adding features to both projects rather than doing work just to combine them. ``` So it is difficult for Kubespray to keep supporting canal in this situation. [1]: https://github.com/projectcalico/canal
pull/9983/head
Kenichi Omichi
1 year ago
committed by
GitHub
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 20 additions and 5132 deletions
-
3README.md
-
1docs/ansible.md
-
10inventory/sample/group_vars/k8s_cluster/k8s-net-canal.yml
-
14roles/download/defaults/main.yml
-
2roles/etcd/tasks/check_certs.yml
-
8roles/etcd/tasks/gen_certs_script.yml
-
6roles/etcd/tasks/main.yml
-
11roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
-
5roles/kubernetes-apps/network_plugin/meta/main.yml
-
1roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
-
9roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
-
2roles/kubernetes-apps/policy_controller/meta/main.yml
-
2roles/kubernetes/kubeadm/tasks/main.yml
-
2roles/kubernetes/preinstall/tasks/0040-verify-settings.yml
-
3roles/kubernetes/preinstall/tasks/0050-create_directories.yml
-
33roles/network_plugin/canal/defaults/main.yml
-
14roles/network_plugin/canal/handlers/main.yml
-
103roles/network_plugin/canal/tasks/main.yml
-
6roles/network_plugin/canal/templates/calicoctl.sh.j2
-
98roles/network_plugin/canal/templates/canal-calico-kube-controllers.yml.j2
-
79roles/network_plugin/canal/templates/canal-config.yaml.j2
-
83roles/network_plugin/canal/templates/canal-cr-calico-kube-controllers.yml.j2
-
133roles/network_plugin/canal/templates/canal-cr-calico-node.yml.j2
-
23roles/network_plugin/canal/templates/canal-cr-flannel.yml.j2
-
30roles/network_plugin/canal/templates/canal-cr.yml.j2
-
27roles/network_plugin/canal/templates/canal-crb-calico.yml.j2
-
12roles/network_plugin/canal/templates/canal-crb-canal.yml.j2
-
14roles/network_plugin/canal/templates/canal-crb-flannel.yml.j2
-
3929roles/network_plugin/canal/templates/canal-crd-calico.yml.j2
-
12roles/network_plugin/canal/templates/canal-node-sa.yml.j2
-
418roles/network_plugin/canal/templates/canal-node.yaml.j2
-
18roles/network_plugin/canal/templates/canal-secret-calico-etcd.yml.j2
-
34roles/network_plugin/canal/templates/cni-canal.conflist.j2
-
2roles/network_plugin/macvlan/handlers/main.yml
-
5roles/network_plugin/meta/main.yml
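--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-canal.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-canal.yml
@@ -1,10 +0,0 @@
-# see roles/network_plugin/canal/defaults/main.yml
-
-# The interface used by canal for host <-> host communication.
-# If left blank, then the interface is choosing using the node's
-# default route.
-# canal_iface: ""
-
-# Whether or not to masquerade traffic to destinations not within
-# the pod network.
-# canal_masquerade: "true"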
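--- a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
@@ -1,11 +0,0 @@
----
-- name: Canal | Start Resources
-kube:
-name: "{{ item.item.name }}"
-namespace: "kube-system"
-kubectl: "{{ bin_dir }}/kubectl"
-resource: "{{ item.item.type }}"
-filename: "{{ kube_config_dir }}/{{ item.item.file }}"
-state: "latest"
-with_items: "{{ canal_manifests.results }}"
-when: inventory_hostname == groups['kube_control_plane'][0] and not item is skipped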
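--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -1,33 +0,0 @@
----
-# The interface used by canal for host <-> host communication.
-# If left blank, then the interface is choosing using the node's
-# default route.
-canal_iface: ""
-
-# Whether or not to masquerade traffic to destinations not within
-# the pod network.
-canal_masquerade: "true"
-
-# Etcd SSL dirs
-canal_cert_dir: /etc/canal/certs
-
-# Canal Network Policy directory
-canal_policy_dir: /etc/kubernetes/policy
-
-# Limits for apps
-calico_node_memory_limit: 500M
-calico_node_cpu_limit: 200m
-calico_node_memory_requests: 64M
-calico_node_cpu_requests: 50m
-flannel_memory_limit: 500M
-flannel_cpu_limit: 200m
-flannel_memory_requests: 64M
-flannel_cpu_requests: 50m
-
-# etcd cert filenames
-kube_etcd_cacert_file: ca.pem
-kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
-kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
-
-# Set log path for calico CNI plugin. Set to false to disable logging to disk.
-calico_cni_log_file_path: /var/log/calico/cni/cni.log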
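--- a/roles/network_plugin/canal/handlers/main.yml
+++ b/roles/network_plugin/canal/handlers/main.yml
@@ -1,14 +0,0 @@
----
-- name: reset_canal_cni
-command: /bin/true
-notify:
-- delete 10-canal.conflist
-- delete canal-node containers
-
-- name: delete 10-canal.conflist
-file:
-path: /etc/canal/10-canal.conflist
-state: absent
-
-- name: delete canal-node containers
-shell: "docker ps -af name=k8s_POD_canal-node* -q | xargs --no-run-if-empty docker rm -f"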
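--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -1,103 +0,0 @@
----
-- name: Canal | Write Canal cni config
-template:
-src: "cni-canal.conflist.j2"
-dest: "/etc/cni/net.d/canal.conflist.template"
-mode: 0644
-owner: "{{ kube_owner }}"
-register: canal_conflist
-notify: reset_canal_cni
-
-- name: Canal | Create canal certs directory
-file:
-dest: "{{ canal_cert_dir }}"
-state: directory
-mode: 0750
-owner: root
-group: root
-
-- name: Canal | Link etcd certificates for canal-node
-file:
-src: "{{ etcd_cert_dir }}/{{ item.s }}"
-dest: "{{ canal_cert_dir }}/{{ item.d }}"
-state: hard
-mode: 0640
-force: yes
-with_items:
-- {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
-- {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
-- {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
-
-- name: Slurp etcd cacert file
-slurp:
-src: "{{ canal_cert_dir }}/ca_cert.crt"
-register: etcd_ca_cert_file
-failed_when: false
-
-- name: Slurp etcd cert file
-slurp:
-src: "{{ canal_cert_dir }}/cert.crt"
-register: etcd_cert_file
-failed_when: false
-
-- name: Slurp etcd key file
-slurp:
-src: "{{ canal_cert_dir }}/key.pem"
-register: etcd_key_file
-failed_when: false
-
-# Flannel need etcd v2 API
-- name: Canal | Set Flannel etcd configuration
-command: |-
-{{ bin_dir }}/etcdctl set /coreos.com/network/config \
-'{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }'
-register: output
-retries: 4
-until: output.rc == 0
-delay: "{{ retry_stagger | random + 3 }}"
-delegate_to: "{{ groups['etcd'][0] }}"
-changed_when: false
-run_once: true
-environment:
-ETCDCTL_API: 2
-ETCDCTL_CA_FILE: "{{ kube_cert_dir + '/etcd/ca.crt' if etcd_deployment_type == 'kubeadm' else etcd_cert_dir + '/ca.pem' }}"
-ETCDCTL_CERT_FILE: "{{ kube_cert_dir + '/etcd/server.crt' if etcd_deployment_type == 'kubeadm' else etcd_cert_dir + '/admin-' + groups['etcd'][0] + '.pem' }}"
-ETCDCTL_KEY_FILE: "{{ kube_cert_dir + '/etcd/server.key' if etcd_deployment_type == 'kubeadm' else etcd_cert_dir + '/admin-' + groups['etcd'][0] + '-key.pem' }}"
-ETCDCTL_ENDPOINTS: "{{ etcd_access_addresses }}"
-
-- name: Canal | Create canal node manifests
-template:
-src: "{{ item.file }}.j2"
-dest: "{{ kube_config_dir }}/{{ item.file }}"
-mode: 0644
-with_items:
-- {name: canal-calico-etcd-secret, file: canal-secret-calico-etcd.yml, type: secret}
-- {name: canal-config, file: canal-config.yaml, type: cm}
-- {name: canal-node, file: canal-node.yaml, type: ds}
-- {name: canal-kube-controllers, file: canal-calico-kube-controllers.yml, type: deployment}
-- {name: canal-cr, file: canal-cr.yml, type: clusterrole}
-- {name: canal, file: canal-node-sa.yml, type: sa}
-- {name: calico-cr, file: canal-cr-calico-node.yml, type: clusterrole}
-- {name: calico-kube-cr, file: canal-cr-calico-kube-controllers.yml, type: clusterrole}
-- {name: calico-crd, file: canal-crd-calico.yml, type: crd}
-- {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
-- {name: canal, file: canal-crb-canal.yml, type: clusterrolebinding}
-- {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
-- {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
-register: canal_manifests
-when:
-- inventory_hostname in groups['kube_control_plane']
-
-- name: Canal | Install calicoctl wrapper script
-template:
-src: calicoctl.sh.j2
-dest: "{{ bin_dir }}/calicoctl.sh"
-mode: 0755
-owner: root
-group: root
-
-- name: Canal | Create network policy directory
-file:
-path: "{{ canal_policy_dir }}"
-state: directory
-mode: 0755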
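--- a/roles/network_plugin/canal/templates/calicoctl.sh.j2
+++ b/roles/network_plugin/canal/templates/calicoctl.sh.j2
@@ -1,6 +0,0 @@
-#!/bin/bash
-ETCD_ENDPOINTS={{ etcd_access_addresses }} \
-ETCD_CA_CERT_FILE={{ calico_cert_dir }}/ca_cert.crt \
-ETCD_CERT_FILE={{ calico_cert_dir }}/cert.crt \
-ETCD_KEY_FILE={{ calico_cert_dir }}/key.pem \
-{{ bin_dir }}/calicoctl "$@"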
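--- a/roles/network_plugin/canal/templates/canal-calico-kube-controllers.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-calico-kube-controllers.yml.j2
@@ -1,98 +0,0 @@
----
-# Source: calico/templates/calico-kube-controllers.yaml
-# See https://github.com/projectcalico/kube-controllers
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-name: calico-kube-controllers
-namespace: kube-system
-labels:
-k8s-app: calico-kube-controllers
-spec:
-# The controllers can only have a single active instance.
-replicas: 1
-selector:
-matchLabels:
-k8s-app: calico-kube-controllers
-strategy:
-type: Recreate
-template:
-metadata:
-name: calico-kube-controllers
-namespace: kube-system
-labels:
-k8s-app: calico-kube-controllers
-spec:
-nodeSelector:
-kubernetes.io/os: linux
-tolerations:
-# Mark the pod as a critical add-on for rescheduling.
-- key: CriticalAddonsOnly
-operator: Exists
-- key: node-role.kubernetes.io/master
-effect: NoSchedule
-- key: node-role.kubernetes.io/control-plane
-effect: NoSchedule
-serviceAccountName: calico-kube-controllers
-priorityClassName: system-cluster-critical
-# The controllers must run in the host network namespace so that
-# it isn't governed by policy that would prevent it from working.
-hostNetwork: true
-containers:
-- name: calico-kube-controllers
-image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
-imagePullPolicy: {{ k8s_image_pull_policy }}
-env:
-# The location of the etcd cluster.
-- name: ETCD_ENDPOINTS
-valueFrom:
-configMapKeyRef:
-name: canal-config
-key: etcd_endpoints
-# Location of the CA certificate for etcd.
-- name: ETCD_CA_CERT_FILE
-valueFrom:
-configMapKeyRef:
-name: canal-config
-key: etcd_ca
-# Location of the client key for etcd.
-- name: ETCD_KEY_FILE
-valueFrom:
-configMapKeyRef:
-name: canal-config
-key: etcd_key
-# Location of the client certificate for etcd.
-- name: ETCD_CERT_FILE
-valueFrom:
-configMapKeyRef:
-name: canal-config
-key: etcd_cert
-# Choose which controllers to run.
-- name: ENABLED_CONTROLLERS
-value: policy,namespace,serviceaccount,workloadendpoint,node
-volumeMounts:
-# Mount in the etcd TLS secrets.
-- mountPath: /calico-secrets
-name: etcd-certs
-livenessProbe:
-exec:
-command:
-- /usr/bin/check-status
-- -l
-periodSeconds: 10
-initialDelaySeconds: 10
-failureThreshold: 6
-timeoutSeconds: 10
-readinessProbe:
-exec:
-command:
-- /usr/bin/check-status
-- -r
-periodSeconds: 10
-volumes:
-# Mount in the etcd TLS secrets with mode 400.
-# See https://kubernetes.io/docs/concepts/configuration/secret/
-- name: etcd-certs
-secret:
-secretName: calico-etcd-secrets
-defaultMode: 0440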
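--- a/roles/network_plugin/canal/templates/canal-config.yaml.j2
+++ b/roles/network_plugin/canal/templates/canal-config.yaml.j2
@@ -1,79 +0,0 @@
-# This ConfigMap can be used to configure a self-hosted Canal installation.
-# See `canal.yaml` for an example of a Canal deployment which uses
-# the config in this ConfigMap.
-kind: ConfigMap
-apiVersion: v1
-metadata:
-name: canal-config
-namespace: kube-system
-data:
-# Configure this with the location of your etcd cluster.
-etcd_endpoints: "{{ etcd_access_addresses }}"
-# If you're using TLS enabled etcd uncomment the following.
-# You must also populate the Secret below with these files.
-etcd_ca: "/calico-secrets/etcd-ca"
-etcd_cert: "/calico-secrets/etcd-cert"
-etcd_key: "/calico-secrets/etcd-key"
-
-# Typha is disabled.
-typha_service_name: "none"
-
-# The interface used by canal for host <-> host communication.
-# If left blank, then the interface is chosen using the node's
-# default route.
-canal_iface: "{{ canal_iface }}"
-
-# Whether or not to masquerade traffic to destinations not within
-# the pod network.
-masquerade: "{{ canal_masquerade }}"
-
-# Configure the MTU to use for workload interfaces and tunnels.
-# By default, MTU is auto-detected, and explicitly setting this field should not be required.
-# You can override auto-detection by providing a non-zero value.
-veth_mtu: "0"
-
-# The CNI network configuration to install on each node. The special
-# values in this config will be automatically populated.
-cni_network_config: |-
-{
-"name": "canal",
-"cniVersion": "0.3.1",
-"plugins": [
-{
-"type": "flannel",
-"delegate": {
-"type": "calico",
-"include_default_routes": true,
-"etcd_endpoints": "__ETCD_ENDPOINTS__",
-"etcd_key_file": "__ETCD_KEY_FILE__",
-"etcd_cert_file": "__ETCD_CERT_FILE__",
-"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
-"log_level": "info",
-{% if calico_cni_log_file_path %}
-"log_file_path": "{{ calico_cni_log_file_path }}",
-{% endif %}
-"policy": {
-"type": "k8s",
-"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
-"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
-},
-"kubernetes": {
-"kubeconfig": "__KUBECONFIG_FILEPATH__"
-}
-}
-},
-{
-"type": "portmap",
-"capabilities": {"portMappings": true},
-"snat": true
-}
-]
-}
-# Flannel network configuration. Mounted into the flannel container.
-net-conf.json: |
-{
-"Network": "{{ kube_pods_subnet }}",
-"Backend": {
-"Type": "vxlan"
-}
-}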
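--- a/roles/network_plugin/canal/templates/canal-cr-calico-kube-controllers.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-cr-calico-kube-controllers.yml.j2
@@ -1,83 +0,0 @@
-# Source: calico/templates/calico-kube-controllers-rbac.yaml
-
-# Include a clusterrole for the kube-controllers component,
-# and bind it to the calico-kube-controllers serviceaccount.
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-name: calico-kube-controllers
-rules:
-# Nodes are watched to monitor for deletions.
-- apiGroups: [""]
-resources:
-- nodes
-verbs:
-- watch
-- list
-- get
-# Pods are watched to check for existence as part of IPAM controller.
-- apiGroups: [""]
-resources:
-- pods
-verbs:
-- get
-- list
-- watch
-# IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
-- apiGroups: ["crd.projectcalico.org"]
-resources:
-- ipreservations
-verbs:
-- list
-- apiGroups: ["crd.projectcalico.org"]
-resources:
-- blockaffinities
-- ipamblocks
-- ipamhandles
-verbs:
-- get
-- list
-- create
-- update
-- delete
-- watch
-# Pools are watched to maintain a mapping of blocks to IP pools.
-- apiGroups: ["crd.projectcalico.org"]
-resources:
-- ippools
-verbs:
-- list
-- watch
-# kube-controllers manages hostendpoints.
-- apiGroups: ["crd.projectcalico.org"]
-resources:
-- hostendpoints
-verbs:
-- get
-- list
-- create
-- update
-- delete
-# Needs access to update clusterinformations.
-- apiGroups: ["crd.projectcalico.org"]
-resources:
-- clusterinformations
-verbs:
-- get
-- list
-- create
-- update
-- watch
-# KubeControllersConfiguration is where it gets its config
-- apiGroups: ["crd.projectcalico.org"]
-resources:
-- kubecontrollersconfigurations
-verbs:
-# read its own config
-- get
-# create a default if none exists
-- create
-# update status
-- update
-# watch for changes
-- watch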
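--- a/roles/network_plugin/canal/templates/canal-cr-calico-node.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-cr-calico-node.yml.j2
@@ -1,133 +0,0 @@
-# Source: calico/templates/calico-node-rbac.yaml
-# Include a clusterrole for the calico-node DaemonSet,
-# and bind it to the calico-node serviceaccount.
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-name: calico-node
-rules:
-# Used for creating service account tokens to be used by the CNI plugin
-- apiGroups: [""]
-resources:
-- serviceaccounts/token
-resourceNames:
-- canal
-verbs:
-- create
-# The CNI plugin needs to get pods, nodes, and namespaces.
-- apiGroups: [""]
-resources:
-- pods
-- nodes
-- namespaces
-verbs:
-- get
-# EndpointSlices are used for Service-based network policy rule
-# enforcement.
-- apiGroups: ["discovery.k8s.io"]
-resources:
-- endpointslices
-verbs:
-- watch
-- list
-- apiGroups: [""]
-resources:
-- endpoints
-- services
-verbs:
-# Used to discover service IPs for advertisement.
-- watch
-- list
-# Used to discover Typhas.
-- get
-# Pod CIDR auto-detection on kubeadm needs access to config maps.
-- apiGroups: [""]
-resources:
-- configmaps
-verbs:
-- get
-- apiGroups: [""]
-resources:
-- nodes/status
-verbs:
-# Needed for clearing NodeNetworkUnavailable flag.
-- patch
-# Calico stores some configuration information in node annotations.
-- update
-# Watch for changes to Kubernetes NetworkPolicies.
-- apiGroups: ["networking.k8s.io"]
-resources:
-- networkpolicies
-verbs:
-- watch
-- list
-# Used by Calico for policy information.
-- apiGroups: [""]
-resources:
-- pods
-- namespaces
-- serviceaccounts
-verbs:
-- list
-- watch
-# The CNI plugin patches pods/status.
-- apiGroups: [""]
-resources:
-- pods/status
-verbs:
-- patch
-# Calico monitors various CRDs for config.
-- apiGroups: ["crd.projectcalico.org"]
-resources:
-- globalfelixconfigs
-- felixconfigurations
-- bgppeers
-- globalbgpconfigs
-- bgpconfigurations
-- ippools
-- ipreservations
-- ipamblocks
-- globalnetworkpolicies
-- globalnetworksets
-- networkpolicies
-- networksets
-- clusterinformations
-- hostendpoints
-- blockaffinities
-- caliconodestatuses
-verbs:
-- get
-- list
-- watch
-# Calico must create and update some CRDs on startup.
-- apiGroups: ["crd.projectcalico.org"]
-resources:
-- ippools
-- felixconfigurations
-- clusterinformations
-verbs:
-- create
-- update
-# Calico must update some CRDs.
-- apiGroups: [ "crd.projectcalico.org" ]
-resources:
-- caliconodestatuses
-verbs:
-- update
-# Calico stores some configuration information on the node.
-- apiGroups: [""]
-resources:
-- nodes
-verbs:
-- get
-- list
-- watch
-# These permissions are only required for upgrade from v2.6, and can
-# be removed after upgrade or on fresh installations.
-- apiGroups: ["crd.projectcalico.org"]
-resources:
-- bgpconfigurations
-- bgppeers
-verbs:
-- create
-- update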
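--- a/roles/network_plugin/canal/templates/canal-cr-flannel.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-cr-flannel.yml.j2
@@ -1,23 +0,0 @@
-# Flannel ClusterRole
-# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-name: flannel
-rules:
-- apiGroups: [""]
-resources:
-- pods
-verbs:
-- get
-- apiGroups: [""]
-resources:
-- nodes
-verbs:
-- list
-- watch
-- apiGroups: [""]
-resources:
-- nodes/status
-verbs:
-- patch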
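--- a/roles/network_plugin/canal/templates/canal-cr.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-cr.yml.j2
@@ -1,30 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-name: canal
-rules:
-# Used for creating service account tokens to be used by the CNI plugin
-- apiGroups: [""]
-resources:
-- serviceaccounts/token
-verbs:
-- create
-- apiGroups: [""]
-resources:
-- pods
-- nodes
-- namespaces
-verbs:
-- get
-# Pod CIDR auto-detection on kubeadm needs access to config maps.
-- apiGroups: [""]
-resources:
-- configmaps
-verbs:
-- get
-- apiGroups:
-- ""
-resources:
-- nodes
-verbs:
-- list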
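--- a/roles/network_plugin/canal/templates/canal-crb-calico.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-crb-calico.yml.j2
@@ -1,27 +0,0 @@
----
-# Bind the calico ClusterRole to the canal ServiceAccount.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-name: canal-calico
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: ClusterRole
-name: calico-node
-subjects:
-- kind: ServiceAccount
-name: canal
-namespace: kube-system
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-name: calico-kube-controllers
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: ClusterRole
-name: calico-kube-controllers
-subjects:
-- kind: ServiceAccount
-name: calico-kube-controllers
-namespace: kube-system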
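--- a/roles/network_plugin/canal/templates/canal-crb-canal.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-crb-canal.yml.j2
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-name: canal
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: ClusterRole
-name: canal
-subjects:
-- kind: ServiceAccount
-name: canal
-namespace: kube-system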
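--- a/roles/network_plugin/canal/templates/canal-crb-flannel.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-crb-flannel.yml.j2
@@ -1,14 +0,0 @@
----
-# Bind the flannel ClusterRole to the canal ServiceAccount.
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-name: canal-flannel
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: ClusterRole
-name: flannel
-subjects:
-- kind: ServiceAccount
-name: canal
-namespace: kube-system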
3929
roles/network_plugin/canal/templates/canal-crd-calico.yml.j2
File diff suppressed because it is too large
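--- a/roles/network_plugin/canal/templates/canal-node-sa.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-node-sa.yml.j2
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-name: canal
-namespace: kube-system
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-name: calico-kube-controllers
-namespace: kube-system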
@ -1,418 +0,0 @@ |
|||
# Source: calico/templates/calico-node.yaml |
|||
# This manifest installs the canal container, as well |
|||
# as the CNI plugins and network config on |
|||
# each master and worker node in a Kubernetes cluster. |
|||
kind: DaemonSet |
|||
apiVersion: apps/v1 |
|||
metadata: |
|||
name: canal |
|||
namespace: kube-system |
|||
labels: |
|||
k8s-app: canal |
|||
spec: |
|||
selector: |
|||
matchLabels: |
|||
k8s-app: canal |
|||
updateStrategy: |
|||
type: RollingUpdate |
|||
rollingUpdate: |
|||
maxUnavailable: {{ serial | default('20%') }} |
|||
template: |
|||
metadata: |
|||
labels: |
|||
k8s-app: canal |
|||
spec: |
|||
nodeSelector: |
|||
kubernetes.io/os: linux |
|||
hostNetwork: true |
|||
tolerations: |
|||
# Make sure canal gets scheduled on all nodes. |
|||
- effect: NoSchedule |
|||
operator: Exists |
|||
# Mark the pod as a critical add-on for rescheduling. |
|||
- key: CriticalAddonsOnly |
|||
operator: Exists |
|||
- effect: NoExecute |
|||
operator: Exists |
|||
serviceAccountName: canal |
|||
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force |
|||
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. |
|||
terminationGracePeriodSeconds: 0 |
|||
priorityClassName: system-node-critical |
|||
initContainers: |
|||
# This container installs the CNI binaries |
|||
# and CNI network config file on each node. |
|||
- name: install-cni |
|||
image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} |
|||
imagePullPolicy: {{ k8s_image_pull_policy }} |
|||
command: ["/opt/cni/bin/install"] |
|||
envFrom: |
|||
- configMapRef: |
|||
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. |
|||
name: kubernetes-services-endpoint |
|||
optional: true |
|||
env: |
|||
# Set the serviceaccount name to use for the Calico CNI plugin. |
|||
# We use canal-node instead of calico-node when using flannel networking. |
|||
- name: CALICO_CNI_SERVICE_ACCOUNT |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: spec.serviceAccountName |
|||
# Name of the CNI config file to create. |
|||
- name: CNI_CONF_NAME |
|||
value: "10-canal.conflist" |
|||
# The CNI network config to install on each node. |
|||
- name: CNI_NETWORK_CONFIG |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: cni_network_config |
|||
# Set the hostname based on the k8s node name. |
|||
- name: KUBERNETES_NODE_NAME |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: spec.nodeName |
|||
# The location of the etcd cluster. |
|||
- name: ETCD_ENDPOINTS |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_endpoints |
|||
# Location of the CA certificate for etcd. |
|||
- name: ETCD_CA_CERT_FILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_ca |
|||
# Location of the client key for etcd. |
|||
- name: ETCD_KEY_FILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_key |
|||
# Location of the client certificate for etcd. |
|||
- name: ETCD_CERT_FILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_cert |
|||
# CNI MTU Config variable |
|||
- name: CNI_MTU |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: veth_mtu |
|||
# Prevents the container from sleeping forever. |
|||
- name: SLEEP |
|||
value: "false" |
|||
volumeMounts: |
|||
- mountPath: /host/opt/cni/bin |
|||
name: cni-bin-dir |
|||
- mountPath: /host/etc/cni/net.d |
|||
name: cni-net-dir |
|||
- mountPath: /calico-secrets |
|||
name: etcd-certs |
|||
securityContext: |
|||
privileged: true |
|||
# This init container mounts the necessary filesystems needed by the BPF data plane |
|||
# i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed |
|||
# in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. |
|||
- name: "mount-bpffs" |
|||
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}" |
|||
imagePullPolicy: {{ k8s_image_pull_policy }} |
|||
command: ["calico-node", "-init", "-best-effort"] |
|||
volumeMounts: |
|||
- mountPath: /sys/fs |
|||
name: sys-fs |
|||
# Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host |
|||
# so that it outlives the init container. |
|||
mountPropagation: Bidirectional |
|||
- mountPath: /var/run/calico |
|||
name: var-run-calico |
|||
# Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host |
|||
# so that it outlives the init container. |
|||
mountPropagation: Bidirectional |
|||
# Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary, |
|||
# executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly. |
|||
- mountPath: /nodeproc |
|||
name: nodeproc |
|||
readOnly: true |
|||
securityContext: |
|||
privileged: true |
|||
containers: |
|||
# Runs canal container on each Kubernetes node. This |
|||
# container programs network policy and routes on each |
|||
# host. |
|||
- name: calico-node |
|||
image: "{{ calico_node_image_repo }}:{{ calico_node_image_tag }}" |
|||
imagePullPolicy: {{ k8s_image_pull_policy }} |
|||
envFrom: |
|||
- configMapRef: |
|||
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. |
|||
name: kubernetes-services-endpoint |
|||
optional: true |
|||
env: |
|||
# The location of the etcd cluster. |
|||
- name: ETCD_ENDPOINTS |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_endpoints |
|||
# Location of the CA certificate for etcd. |
|||
- name: ETCD_CA_CERT_FILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_ca |
|||
# Location of the client key for etcd. |
|||
- name: ETCD_KEY_FILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_key |
|||
# Location of the client certificate for etcd. |
|||
- name: ETCD_CERT_FILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_cert |
|||
# Set noderef for node controller. |
|||
- name: CALICO_K8S_NODE_REF |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: spec.nodeName |
|||
# Set the serviceaccount name to use for the Calico CNI plugin. |
|||
# We use canal-node instead of calico-node when using flannel networking. |
|||
- name: CALICO_CNI_SERVICE_ACCOUNT |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: spec.serviceAccountName |
|||
# Don't enable BGP. |
|||
- name: CALICO_NETWORKING_BACKEND |
|||
value: "none" |
|||
# Cluster type to identify the deployment type |
|||
- name: CLUSTER_TYPE |
|||
value: "k8s,canal" |
|||
# Period, in seconds, at which felix re-applies all iptables state |
|||
- name: FELIX_IPTABLESREFRESHINTERVAL |
|||
value: "60" |
|||
# No IP address needed. |
|||
- name: IP |
|||
value: "" |
|||
# The default IPv4 pool to create on startup if none exists. Pod IPs will be |
|||
# chosen from this range. Changing this value after installation will have |
|||
# no effect. This should fall within `--cluster-cidr`. |
|||
# - name: CALICO_IPV4POOL_CIDR |
|||
# value: "192.168.0.0/16" |
|||
# Disable file logging so `kubectl logs` works. |
|||
- name: CALICO_DISABLE_FILE_LOGGING |
|||
value: "true" |
|||
# Set Felix endpoint to host default action to ACCEPT. |
|||
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION |
|||
value: "ACCEPT" |
|||
# Disable IPv6 on Kubernetes. |
|||
- name: FELIX_IPV6SUPPORT |
|||
value: "false" |
|||
- name: FELIX_HEALTHENABLED |
|||
value: "true" |
|||
securityContext: |
|||
privileged: true |
|||
resources: |
|||
limits: |
|||
cpu: {{ calico_node_cpu_limit }} |
|||
memory: {{ calico_node_memory_limit }} |
|||
requests: |
|||
cpu: {{ calico_node_cpu_requests }} |
|||
memory: {{ calico_node_memory_requests }} |
|||
lifecycle: |
|||
preStop: |
|||
exec: |
|||
command: |
|||
- /bin/calico-node |
|||
- -shutdown |
|||
livenessProbe: |
|||
exec: |
|||
command: |
|||
- /bin/calico-node |
|||
- -felix-live |
|||
periodSeconds: 10 |
|||
initialDelaySeconds: 10 |
|||
failureThreshold: 6 |
|||
timeoutSeconds: 10 |
|||
readinessProbe: |
|||
httpGet: |
|||
path: /readiness |
|||
port: 9099 |
|||
host: localhost |
|||
periodSeconds: 10 |
|||
timeoutSeconds: 10 |
|||
volumeMounts: |
|||
# For maintaining CNI plugin API credentials. |
|||
- mountPath: /host/etc/cni/net.d |
|||
name: cni-net-dir |
|||
readOnly: false |
|||
- mountPath: /lib/modules |
|||
name: lib-modules |
|||
readOnly: true |
|||
- mountPath: /run/xtables.lock |
|||
name: xtables-lock |
|||
readOnly: false |
|||
- mountPath: /var/run/calico |
|||
name: var-run-calico |
|||
readOnly: false |
|||
- mountPath: /var/lib/calico |
|||
name: var-lib-calico |
|||
readOnly: false |
|||
- mountPath: /calico-secrets |
|||
name: etcd-certs |
|||
- name: policysync |
|||
mountPath: /var/run/nodeagent |
|||
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the |
|||
# parent directory. |
|||
- name: bpffs |
|||
mountPath: /sys/fs/bpf |
|||
- name: cni-log-dir |
|||
mountPath: /var/log/calico/cni |
|||
readOnly: true |
|||
# Runs the flannel daemon to enable vxlan networking between |
|||
# container hosts. |
|||
- name: flannel |
|||
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}" |
|||
command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr"] |
|||
imagePullPolicy: {{ k8s_image_pull_policy }} |
|||
env: |
|||
# The location of the etcd cluster. |
|||
- name: FLANNELD_ETCD_ENDPOINTS |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_endpoints |
|||
# Location of the CA certificate for etcd. |
|||
- name: ETCD_CA_CERT_FILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_ca |
|||
# Location of the client key for etcd. |
|||
- name: ETCD_KEY_FILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_key |
|||
# Location of the client certificate for etcd. |
|||
- name: ETCD_CERT_FILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_cert |
|||
# Location of the CA certificate for etcd. |
|||
- name: FLANNELD_ETCD_CAFILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_ca |
|||
# Location of the client key for etcd. |
|||
- name: FLANNELD_ETCD_KEYFILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_key |
|||
# Location of the client certificate for etcd. |
|||
- name: FLANNELD_ETCD_CERTFILE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: etcd_cert |
|||
# The interface flannel should run on. |
|||
- name: FLANNELD_IFACE |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: canal_iface |
|||
# Perform masquerade on traffic leaving the pod cidr. |
|||
- name: FLANNELD_IP_MASQ |
|||
valueFrom: |
|||
configMapKeyRef: |
|||
name: canal-config |
|||
key: masquerade |
|||
# Write the subnet.env file to the mounted directory. |
|||
- name: FLANNELD_SUBNET_FILE |
|||
value: "/run/flannel/subnet.env" |
|||
- name: POD_NAME |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: metadata.name |
|||
- name: POD_NAMESPACE |
|||
valueFrom: |
|||
fieldRef: |
|||
fieldPath: metadata.namespace |
|||
securityContext: |
|||
privileged: true |
|||
volumeMounts: |
|||
- mountPath: /etc/resolv.conf |
|||
name: resolv |
|||
- mountPath: /run/flannel |
|||
name: run-flannel |
|||
- mountPath: /calico-secrets |
|||
name: etcd-certs |
|||
- name: flannel-cfg |
|||
mountPath: /etc/kube-flannel/ |
|||
volumes: |
|||
- name: flannel-cfg |
|||
configMap: |
|||
name: canal-config |
|||
# Used by canal-node. |
|||
- name: lib-modules |
|||
hostPath: |
|||
path: /lib/modules |
|||
- name: var-run-calico |
|||
hostPath: |
|||
path: /var/run/calico |
|||
- name: var-lib-calico |
|||
hostPath: |
|||
path: /var/lib/calico |
|||
- name: xtables-lock |
|||
hostPath: |
|||
path: /run/xtables.lock |
|||
type: FileOrCreate |
|||
- name: sys-fs |
|||
hostPath: |
|||
path: /sys/fs/ |
|||
type: DirectoryOrCreate |
|||
- name: bpffs |
|||
hostPath: |
|||
path: /sys/fs/bpf |
|||
type: Directory |
|||
# mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs. |
|||
- name: nodeproc |
|||
hostPath: |
|||
path: /proc |
|||
# Used by flannel. |
|||
- name: run-flannel |
|||
hostPath: |
|||
path: /run/flannel |
|||
- name: resolv |
|||
hostPath: |
|||
path: /etc/resolv.conf |
|||
# Used to install CNI. |
|||
- name: cni-bin-dir |
|||
hostPath: |
|||
path: /opt/cni/bin |
|||
- name: cni-net-dir |
|||
hostPath: |
|||
path: /etc/cni/net.d |
|||
# Used to access CNI logs. |
|||
- name: cni-log-dir |
|||
hostPath: |
|||
path: /var/log/calico/cni |
|||
# Mount in the etcd TLS secrets with mode 400. |
|||
# See https://kubernetes.io/docs/concepts/configuration/secret/ |
|||
- name: etcd-certs |
|||
secret: |
|||
secretName: calico-etcd-secrets |
|||
defaultMode: 0400 |
|||
# Used to create per-pod Unix Domain Sockets |
|||
- name: policysync |
|||
hostPath: |
|||
type: DirectoryOrCreate |
|||
path: /var/run/nodeagent |
@ -1,18 +0,0 @@ |
|||
# Source: calico/templates/calico-etcd-secrets.yaml |
|||
# The following contains k8s Secrets for use with a TLS enabled etcd cluster. |
|||
# For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/ |
|||
apiVersion: v1 |
|||
kind: Secret |
|||
type: Opaque |
|||
metadata: |
|||
name: calico-etcd-secrets |
|||
namespace: kube-system |
|||
data: |
|||
# Populate the following with etcd TLS configuration if desired, but leave blank if |
|||
# not using TLS for etcd. |
|||
# The keys below should be uncommented and the values populated with the base64 |
|||
# encoded contents of each file that would be associated with the TLS data. |
|||
# Example command for encoding a file contents: cat <file> | base64 -w 0 |
|||
etcd-key: {{ etcd_key_file.content }} |
|||
etcd-cert: {{ etcd_cert_file.content }} |
|||
etcd-ca: {{ etcd_ca_cert_file.content }} |
@ -1,34 +0,0 @@ |
|||
{ |
|||
"name": "canal", |
|||
"cniVersion": "0.3.1", |
|||
"plugins": [ |
|||
{ |
|||
"type": "flannel", |
|||
"delegate": { |
|||
"type": "calico", |
|||
"include_default_routes": true, |
|||
"etcd_endpoints": "__ETCD_ENDPOINTS__", |
|||
"etcd_key_file": "__ETCD_KEY_FILE__", |
|||
"etcd_cert_file": "__ETCD_CERT_FILE__", |
|||
"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__", |
|||
"log_level": "info", |
|||
{% if calico_cni_log_file_path %} |
|||
"log_file_path": "{{ calico_cni_log_file_path }}", |
|||
{% endif %} |
|||
"policy": { |
|||
"type": "k8s", |
|||
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__", |
|||
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__" |
|||
}, |
|||
"kubernetes": { |
|||
"kubeconfig": "__KUBECONFIG_FILEPATH__" |
|||
} |
|||
} |
|||
}, |
|||
{ |
|||
"type": "portmap", |
|||
"capabilities": {"portMappings": true}, |
|||
"snat": true |
|||
} |
|||
] |
|||
} |