From f0f2b812762c520d1325af7fb4f963fb70d7b635 Mon Sep 17 00:00:00 2001
From: Bogdan Dobrelya
Date: Wed, 7 Dec 2016 12:45:15 +0100
Subject: [PATCH] Change GCE sysctls placement and docs

Override GCE sysctl in /etc/sysctl.d/99-sysctl.conf instead of the /etc/sysctl.d/11-gce-network-security.conf. It is recreated by GCE, f.e. if gcloud CLI invokes some security related changes, thus losing customizations we want to be persistent.

Update cloud providers firewall requirements in calico docs.

Signed-off-by: Bogdan Dobrelya
---
 docs/calico.md | 5 +++++
 roles/kubernetes/preinstall/tasks/main.yml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/calico.md b/docs/calico.md
index ab4211664..74df6d7e2 100644
--- a/docs/calico.md
+++ b/docs/calico.md
@@ -71,3 +71,8 @@ you'll need to edit the inventory and add a and a hostvar `local_as` by node.
 ```
 node1 ansible_ssh_host=95.54.0.12 local_as=xxxxxx
 ```
+
+Cloud providers configuration
+=============================
+
+Please refer to the official documentation, for example [GCE configuration](http://docs.projectcalico.org/v1.5/getting-started/docker/installation/gce) requires a security rule for calico ip-ip tunnels. Note, calico is always configured with ``ipip: true`` if the cloud provider was defined.
diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml
index 9c7d34c27..901544ac2 100644
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -71,7 +71,7 @@
 - name: Fix ipv4 forward rule in GCE security policy
   lineinfile:
-    dest: /etc/sysctl.d/11-gce-network-security.conf
+    dest: /etc/sysctl.d/99-sysctl.conf
     regexp: '^net.ipv4.ip_forward='
     line: 'net.ipv4.ip_forward=1'
     state: present
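Review bot: The regexp on the line after the changed `dest:` only matches the exact `key=value` spelling, so a pre-existing `net.ipv4.ip_forward = 0` written with spaces (the form most distribution sysctl files use) is left in place and the task appends a second line instead of replacing it; `regexp: '^\s*net\.ipv4\.ip_forward\s*='` covers both spellings and also stops the unescaped dots from matching any character. On distributions where `/etc/sysctl.d/99-sysctl.conf` is a symlink to `/etc/sysctl.conf`, it is worth confirming that the Ansible version in use has lineinfile edit the link target rather than replace the link with a regular file, since the whole point of the move is that the new location survives GCE rewriting the 11- file. Nothing in the hunk reloads the setting after the file is written; if a `sysctl` task or handler does that, it sits outside the hunk, as does any `when:` condition that limits this task to GCE hosts.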