# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Calico Version v2.6.8
# https://docs.projectcalico.org/v2.6/releases#v2.6.8
# This manifest includes the following component versions:
#   calico/node:v2.6.8
#   calico/cni:v1.11.4
#   calico/kube-controllers:v1.0.3

# This ConfigMap is used to configure a self-hosted Calico installation.
# Every Calico container further down (calico-node, install-cni,
# kube-controllers, policy-controller) reads etcd_endpoints from here via
# configMapKeyRef; calico-node also reads calico_backend, and install-cni
# reads cni_network_config.
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  # The location of your etcd cluster. This uses the Service clusterIP
  # defined below.
  # Plain "http://" with no credentials: the endpoint is neither encrypted
  # nor authenticated (the calico-etcd DaemonSet starts etcd without any
  # TLS or client-auth flags). The address and port are hand-coupled to the
  # calico-etcd Service's clusterIP and to the port in its etcd args; change
  # all three together.
  etcd_endpoints: "http://10.96.232.136:6666"

  # Configure the Calico backend to use.
  calico_backend: "bird"

  # The CNI network configuration to install on each node.
  # The __ETCD_ENDPOINTS__, __KUBERNETES_SERVICE_*__, __SERVICEACCOUNT_TOKEN__
  # and __KUBECONFIG_FILENAME__ placeholders are presumably substituted by the
  # install-cni container, which receives this value as CNI_NETWORK_CONFIG and
  # writes into the host's /etc/cni/net.d. NOTE(review): the rendered file
  # therefore carries the calico-cni-plugin service-account token on every
  # node's local disk; confirm that directory's permissions on the hosts.
  # "|-" keeps the JSON's newlines and drops the trailing one.
  cni_network_config: |-
    {
        "name": "k8s-pod-network",
        "cniVersion": "0.1.0",
        "type": "calico",
        "etcd_endpoints": "__ETCD_ENDPOINTS__",
        "log_level": "info",
        "mtu": 1500,
        "ipam": {
            "type": "calico-ipam"
        },
        "policy": {
            "type": "k8s",
            "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
            "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
        },
        "kubernetes": {
            "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
        }
    }

---

# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
# to force it to run on the master even when the master isn't schedulable, and uses
# nodeSelector to ensure it only runs on the master.
# NOTE(review): extensions/v1beta1 DaemonSet was removed in Kubernetes 1.16;
# newer clusters need apps/v1, which also requires an explicit spec.selector.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: calico-etcd
  namespace: kube-system
  labels:
    k8s-app: calico-etcd
spec:
  template:
    metadata:
      labels:
        k8s-app: calico-etcd
      annotations:
        # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
        # reserves resources for critical add-on pods so that they can be rescheduled after
        # a failure. This annotation works in tandem with the toleration below.
        # NOTE(review): this alpha annotation was later superseded by
        # priorityClassName and is ignored by clusters that no longer honour it.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      tolerations:
        # this taint is set by all kubelets running `--cloud-provider=external`
        # so we should tolerate it to schedule the calico pods
        - key: node.cloudprovider.kubernetes.io/uninitialized
          value: "true"
          effect: NoSchedule
        # Toleration allows the pod to run on master
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
        # This, along with the annotation above marks this pod as a critical add-on.
        - key: CriticalAddonsOnly
          operator: Exists
      # Only run this pod on the master.
      nodeSelector:
        node-role.kubernetes.io/master: ""
      # Share the master's network namespace: the 0.0.0.0 listeners in the
      # etcd args below bind directly on the master's own interfaces.
      hostNetwork: true
      containers:
        - name: calico-etcd
          # Pinned by tag only, not by digest.
          image: quay.io/coreos/etcd:v3.1.10
          env:
            # The pod's IP (with hostNetwork, the node's IP); it is what etcd
            # advertises to clients below.
            - name: CALICO_ETCD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          command: ["/bin/sh","-c"]
          # Plain-HTTP etcd with client port 6666 and peer port 6667 bound on
          # all interfaces. No TLS, peer-auth or client-cert-auth flags are
          # passed, so anything that can reach the master on tcp/6666 can read
          # and rewrite the Calico datastore that etcd_endpoints points at.
          # Restrict reachability at the host/network level, or add etcd TLS
          # and client authentication, before running this outside an
          # isolated environment. No cluster/peer flags are given, so this
          # appears to be a single-member etcd.
          args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$CALICO_ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"]
          volumeMounts:
            - name: var-etcd
              mountPath: /var/etcd
      volumes:
        # Backs etcd's --data-dir; the whole datastore lives in this one
        # directory on the master's local disk.
        - name: var-etcd
          hostPath:
            path: /var/etcd

---

# This manifest installs the Service which gets traffic to the Calico
# etcd.
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: calico-etcd
  name: calico-etcd
  namespace: kube-system
spec:
  # Select the calico-etcd pod running on the master.
  selector:
    k8s-app: calico-etcd
  # This ClusterIP needs to be known in advance, since we cannot rely
  # on DNS to get access to etcd.
  # It is hand-coupled to etcd_endpoints in the calico-config ConfigMap
  # ("http://10.96.232.136:6666"): both must change together, and the
  # address has to lie inside the cluster's service CIDR or the API server
  # rejects the Service.
  clusterIP: 10.96.232.136
  ports:
    # Matches --listen-client-urls in the calico-etcd args; targetPort
    # defaults to the same value.
    - port: 6666

---

# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
# NOTE(review): extensions/v1beta1 was removed in Kubernetes 1.16; newer
# clusters need apps/v1 for this DaemonSet.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
        # reserves resources for critical add-on pods so that they can be rescheduled after
        # a failure. This annotation works in tandem with the toleration below.
        # NOTE(review): this alpha annotation was later superseded by priorityClassName.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # Runs in the node's network namespace; together with privileged: true
      # below, the calico-node container effectively has root-level control
      # of every node's networking.
      hostNetwork: true
      tolerations:
        # This taint is set by all kubelets running `--cloud-provider=external`
        # so we should tolerate it to schedule the calico pods
        - key: node.cloudprovider.kubernetes.io/uninitialized
          value: "true"
          effect: NoSchedule
        # Toleration allows the pod to run on master
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
        # This, along with the annotation above marks this pod as a critical add-on.
        - key: CriticalAddonsOnly
          operator: Exists
      # Bound (ClusterRoleBinding below) to a ClusterRole that only allows
      # "get" on pods and nodes. Keep it that minimal: this account's token
      # is also rendered into the CNI config on every node's disk.
      serviceAccountName: calico-cni-plugin
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      containers:
        # Runs calico/node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          # Pinned by tag only, not by digest.
          image: quay.io/calico/node:v2.6.8
          env:
            # The location of the Calico etcd cluster.
            # Plain-HTTP, unauthenticated endpoint (see the ConfigMap).
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Enable BGP. Disable to enforce policy only.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "kubeadm,bgp"
            # Set noderef for node controller.
            - name: CALICO_K8S_NODE_REF
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint to host default action to ACCEPT.
            # NOTE(review): ACCEPT means traffic from workloads to the host
            # itself is not dropped by default; confirm this is intended.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Configure the IP Pool from which Pod IPs will be chosen.
            # Presumably has to match the pod CIDR the cluster was created
            # with (kubeadm --pod-network-cidr) and must not overlap the node
            # or service networks — TODO confirm against the cluster.
            - name: CALICO_IPV4POOL_CIDR
              value: "192.168.0.0/16"
            # IP-in-IP encapsulation for all pod traffic; pairs with the
            # FELIX_IPINIPMTU value below.
            - name: CALICO_IPV4POOL_IPIP
              value: "always"
            # Disable IPv6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Set MTU for tunnel device used if ipip is enabled
            - name: FELIX_IPINIPMTU
              value: "1440"
            # Set Felix logging to "info"
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Auto-detect the BGP IP address.
            - name: IP
              value: ""
            # Presumably what serves the /liveness and /readiness endpoints
            # probed on port 9099 below.
            - name: FELIX_HEALTHENABLED
              value: "true"
          # Required for programming routes/iptables on the host (see the
          # container comment above). Combined with hostNetwork and the
          # hostPath mounts this is a fully trusted container; the image tag
          # pin is the only thing constraining what runs here.
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          readinessProbe:
            httpGet:
              path: /readiness
              port: 9099
            periodSeconds: 10
          volumeMounts:
            # Host kernel modules, mounted read-only.
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            # Calico runtime state, read-write on the host.
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        # It writes into the host's /opt/cni/bin and /etc/cni/net.d, so
        # whatever this image ships replaces the node's CNI binaries; the
        # image tag pin (not a digest) is the only supply-chain control here.
        - name: install-cni
          image: quay.io/calico/cni:v1.11.4
          command: ["/install-cni.sh"]
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # The CNI network config to install on each node.
            # Taken verbatim from the ConfigMap; its __*__ placeholders
            # (including the service-account token) are presumably filled in
            # here before the file is written to the host.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d

---

# This manifest deploys the Calico Kubernetes controllers.
# See https://github.com/projectcalico/kube-controllers
# NOTE(review): extensions/v1beta1 Deployment was removed in Kubernetes 1.16;
# newer clusters need apps/v1 (with an explicit spec.selector).
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
spec:
  # The controllers can only have a single active instance.
  replicas: 1
  # Recreate (not RollingUpdate) so two instances never overlap during an
  # upgrade, consistent with the single-instance requirement above.
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
      labels:
        k8s-app: calico-kube-controllers
      annotations:
        # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
        # reserves resources for critical add-on pods so that they can be rescheduled after
        # a failure. This annotation works in tandem with the toleration below.
        # NOTE(review): this alpha annotation was later superseded by priorityClassName.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # The controllers must run in the host network namespace so that
      # it isn't governed by policy that would prevent it from working.
      hostNetwork: true
      tolerations:
        # this taint is set by all kubelets running `--cloud-provider=external`
        # so we should tolerate it to schedule the calico pods
        - key: node.cloudprovider.kubernetes.io/uninitialized
          value: "true"
          effect: NoSchedule
        # Toleration allows the pod to run on master
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
        # This, along with the annotation above marks this pod as a critical add-on.
        - key: CriticalAddonsOnly
          operator: Exists
      # Bound (ClusterRoleBinding below) to a read-only ClusterRole: watch/list
      # on pods, namespaces, networkpolicies and nodes. All writes go to etcd.
      serviceAccountName: calico-kube-controllers
      # No resources stanza: unlike calico-node this pod has no CPU request.
      containers:
        - name: calico-kube-controllers
          # Pinned by tag only, not by digest.
          image: quay.io/calico/kube-controllers:v1.0.3
          env:
            # The location of the Calico etcd cluster.
            # Plain-HTTP, unauthenticated endpoint (see the ConfigMap).
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # The location of the Kubernetes API. Use the default Kubernetes
            # service for API access.
            - name: K8S_API
              value: "https://kubernetes.default:443"
            # Choose which controllers to run.
            # Plain (unquoted) scalar; it parses as the single string
            # "policy,profile,workloadendpoint,node".
            - name: ENABLED_CONTROLLERS
              value: policy,profile,workloadendpoint,node
            # Since we're running in the host namespace and might not have KubeDNS
            # access, configure the container's /etc/hosts to resolve
            # kubernetes.default to the correct service clusterIP.
            - name: CONFIGURE_ETC_HOSTS
              value: "true"

---

# This deployment turns off the old "policy-controller". It should remain at 0 replicas, and then
# be removed entirely once the new kube-controllers deployment has been deployed above.
# Although scaled to zero, the object is still created on every apply and
# keeps referencing the calico-kube-controllers ServiceAccount and the
# unauthenticated etcd endpoint; deleting this document is the real cleanup.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: calico-policy-controller
  namespace: kube-system
  labels:
    k8s-app: calico-policy-controller
spec:
  # Turn this deployment off in favor of the kube-controllers deployment above.
  replicas: 0
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-policy-controller
      namespace: kube-system
      labels:
        k8s-app: calico-policy-controller
    spec:
      hostNetwork: true
      serviceAccountName: calico-kube-controllers
      containers:
        - name: calico-policy-controller
          # Same image as the kube-controllers Deployment above.
          image: quay.io/calico/kube-controllers:v1.0.3
          env:
            # The location of the Calico etcd cluster (see the ConfigMap).
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints

---

# Grants the calico-cni-plugin ServiceAccount (used by the calico-node
# DaemonSet) the calico-cni-plugin ClusterRole, cluster-wide.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes
# 1.22; newer clusters need rbac.authorization.k8s.io/v1.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: calico-cni-plugin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-cni-plugin
subjects:
  - kind: ServiceAccount
    name: calico-cni-plugin
    namespace: kube-system

---

# Read-only role for the CNI plugin: "get" on pods and nodes in the core
# API group, nothing else. Keep it this small — the token for the account
# bound to it is rendered into the CNI config written on every node.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico-cni-plugin
rules:
  # "" is the core API group.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
    verbs:
      - get

---

# ServiceAccount for the calico-node DaemonSet; its token is what the CNI
# config's __SERVICEACCOUNT_TOKEN__ placeholder presumably expands to.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-cni-plugin
  namespace: kube-system

---

# Grants the calico-kube-controllers ServiceAccount (used by both the
# kube-controllers and the zero-replica policy-controller Deployments) the
# calico-kube-controllers ClusterRole, cluster-wide.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system

---

# Read-only role for the controllers: watch/list on pods, namespaces,
# networkpolicies and nodes in the core ("") and extensions API groups.
# No create/update/delete verbs — the controllers write to etcd, not to
# the Kubernetes API.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico-kube-controllers
rules:
  - apiGroups:
      # "" is the core API group.
      - ""
      - extensions
    resources:
      - pods
      - namespaces
      - networkpolicies
      - nodes
    verbs:
      - watch
      - list

---

# ServiceAccount for the kube-controllers (and legacy policy-controller)
# Deployments; bound above to the read-only calico-kube-controllers ClusterRole.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system