# Calico Version v2.6.8
# https://docs.projectcalico.org/v2.6/releases#v2.6.8
# This manifest includes the following component versions:
#   calico/node:v2.6.8
#   calico/cni:v1.11.4
#   calico/kube-controllers:v1.0.3
# NOTE(review): these are 2018-era releases, pinned by tag only. Check the
# release page above for a currently supported Calico version and its security
# fixes before deploying, and consider pinning the images by digest.

# This ConfigMap is used to configure a self-hosted Calico installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  # The location of your etcd cluster. This uses the Service clusterIP
  # defined below.
  # SECURITY (review): plain http. This is the endpoint every Calico
  # component in this manifest uses (ETCD_ENDPOINTS), so all policy and IPAM
  # state crosses the cluster unencrypted, and the calico-etcd DaemonSet below
  # starts etcd without client-certificate auth. For anything but a throwaway
  # lab, put etcd behind TLS with client-cert auth, switch this to https and
  # add the matching CA / client cert / key settings (see the Calico etcd TLS
  # documentation for the key names).
  etcd_endpoints: "http://10.96.232.136:6666"

  # Configure the Calico backend to use.
  calico_backend: "bird"

  # The CNI network configuration to install on each node.
  # The __NAME__ placeholders are presumably filled in by the install-cni
  # container (install-cni.sh, not shown here) before the file is written to
  # /etc/cni/net.d on the host. __SERVICEACCOUNT_TOKEN__ and the referenced
  # kubeconfig therefore put the calico-cni-plugin service-account token on
  # every node's filesystem -- that directory must stay root-only.
  # The JSON below is the value of a block scalar: do not put comments in it.
  cni_network_config: |-
    {
        "name": "k8s-pod-network",
        "cniVersion": "0.1.0",
        "type": "calico",
        "etcd_endpoints": "__ETCD_ENDPOINTS__",
        "log_level": "info",
        "mtu": 1500,
        "ipam": {
            "type": "calico-ipam"
        },
        "policy": {
            "type": "k8s",
            "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
            "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
        },
        "kubernetes": {
            "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
        }
    }

---

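# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
# to force it to run on the master even when the master isn't schedulable, and uses
# nodeSelector to ensure it only runs on the master.
#
# SECURITY (review): this single-member etcd holds all Calico policy and IPAM
# state. As configured below it accepts clients on every interface of the
# master (hostNetwork: true, --listen-client-urls=http://0.0.0.0:6666) with
# neither TLS nor --client-cert-auth, so anyone who can reach the master on
# TCP/6666 -- including any pod, via the calico-etcd Service -- can read and
# rewrite network policy. Acceptable only for a throwaway lab; otherwise serve
# it over TLS with client-certificate auth (certs mounted from a Secret) and
# change the ConfigMap's etcd_endpoints to https.
# NOTE: extensions/v1beta1 DaemonSet is removed in newer Kubernetes releases;
# migrate to apps/v1 (which additionally requires spec.selector).
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: calico-etcd
  namespace: kube-system
  labels:
    k8s-app: calico-etcd
spec:
  template:
    metadata:
      labels:
        k8s-app: calico-etcd
      annotations:
        # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
        # reserves resources for critical add-on pods so that they can be rescheduled after
        # a failure. This annotation works in tandem with the toleration below.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      tolerations:
        # this taint is set by all kubelets running `--cloud-provider=external`
        # so we should tolerate it to schedule the calico pods
        - key: node.cloudprovider.kubernetes.io/uninitialized
          value: "true"
          effect: NoSchedule
        # Toleration allows the pod to run on master
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
        # This, along with the annotation above marks this pod as a critical add-on.
        - key: CriticalAddonsOnly
          operator: Exists
      # Only run this pod on the master.
      nodeSelector:
        node-role.kubernetes.io/master: ""
      # Host networking: the pod IP used below is the master's own IP and the
      # etcd ports are opened directly on the master.
      hostNetwork: true
      containers:
        - name: calico-etcd
          # Pinned by tag only; pin by digest if image provenance matters.
          image: quay.io/coreos/etcd:v3.1.10
          env:
            # With hostNetwork this resolves to the master's node IP, which is
            # what the calico-etcd Service endpoint points at.
            - name: CALICO_ETCD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          command: ["/bin/sh","-c"]
          # Client listener: see the SECURITY note at the top of this document.
          # Peer listener: this member has no peers (no --initial-cluster is
          # given), so the peer port is bound to loopback rather than 0.0.0.0
          # to avoid exposing an unauthenticated, plaintext raft endpoint on
          # the master. Nothing in this manifest connects to 6667.
          args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$CALICO_ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://127.0.0.1:6667"]
          volumeMounts:
            - name: var-etcd
              mountPath: /var/etcd
      volumes:
        # The data directory lives unencrypted on the master's disk and nothing
        # in this manifest backs it up; losing the master loses network state.
        - name: var-etcd
          hostPath:
            path: /var/etcd

---
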
# This manifest installs the Service which gets traffic to the Calico
# etcd.
# SECURITY (review): this gives every pod in the cluster a stable route to the
# master's etcd client port, which (see the calico-etcd DaemonSet) speaks plain
# http with no authentication. Until etcd is put behind TLS + client certs, any
# workload that can reach a ClusterIP can read and rewrite network policy.
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: calico-etcd
  name: calico-etcd
  namespace: kube-system
spec:
  # Select the calico-etcd pod running on the master.
  selector:
    k8s-app: calico-etcd
  # This ClusterIP needs to be known in advance, since we cannot rely
  # on DNS to get access to etcd.
  # Must match etcd_endpoints in the calico-config ConfigMap, and must fall
  # inside the API server's service CIDR or the Service will not be created.
  clusterIP: 10.96.232.136
  ports:
    - port: 6666

---

# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
#
# SECURITY (review): both containers share the host network namespace and
# write to host paths, and calico-node is privileged. That is what programming
# routes, iptables and the IPIP device requires, but it means these images run
# with node-root authority on every node: treat them as trusted as the kubelet
# itself (they are pinned by tag, not by digest).
# NOTE: extensions/v1beta1 DaemonSet is removed in newer Kubernetes releases;
# migrate to apps/v1.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
        # reserves resources for critical add-on pods so that they can be rescheduled after
        # a failure. This annotation works in tandem with the toleration below.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostNetwork: true
      tolerations:
        # This taint is set by all kubelets running `--cloud-provider=external`
        # so we should tolerate it to schedule the calico pods
        - key: node.cloudprovider.kubernetes.io/uninitialized
          value: "true"
          effect: NoSchedule
        # Toleration allows the pod to run on master
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
        # This, along with the annotation above marks this pod as a critical add-on.
        - key: CriticalAddonsOnly
          operator: Exists
      # This account's token is what the ConfigMap's cni_network_config embeds
      # via __SERVICEACCOUNT_TOKEN__ and install-cni writes onto each node; its
      # rights are the calico-cni-plugin ClusterRole (get on pods and nodes).
      serviceAccountName: calico-cni-plugin
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      containers:
        # Runs calico/node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: quay.io/calico/node:v2.6.8
          env:
            # The location of the Calico etcd cluster.
            # Plain http per the ConfigMap: policy and IPAM state are read and
            # written unencrypted and without authentication.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Enable BGP. Disable to enforce policy only.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "kubeadm,bgp"
            # Set noderef for node controller.
            - name: CALICO_K8S_NODE_REF
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint to host default action to ACCEPT.
            # Workload-to-host traffic that no host-endpoint policy matches is
            # let through (Felix's own default is DROP). kubeadm add-ons rely on
            # reaching the node, but this also lets any pod talk to anything
            # listening on its host unless host endpoint policy forbids it.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Configure the IP Pool from which Pod IPs will be chosen.
            # Must match the cluster's pod CIDR (kubeadm --pod-network-cidr) and
            # must not overlap the node or service networks.
            - name: CALICO_IPV4POOL_CIDR
              value: "192.168.0.0/16"
            # IP-in-IP encapsulation for pod traffic between nodes: tunnelled,
            # but not encrypted.
            - name: CALICO_IPV4POOL_IPIP
              value: "always"
            # Disable IPv6 on Kubernetes.
            # NOTE(review): with this off no IPv6 policy is programmed; if nodes
            # or pods carry IPv6 addresses that traffic is outside Calico's
            # enforcement -- confirm the nodes are IPv4-only.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Set MTU for tunnel device used if ipip is enabled
            - name: FELIX_IPINIPMTU
              value: "1440"
            # Set Felix logging to "info"
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Auto-detect the BGP IP address.
            - name: IP
              value: ""
            # Serves the /liveness and /readiness probes below; with hostNetwork
            # that port (9099) is open on the node's own IP.
            - name: FELIX_HEALTHENABLED
              value: "true"
          securityContext:
            # Full host privileges on every node; required for route/iptables and
            # tunnel-device management, so image provenance and the plaintext
            # etcd access above are what bound this container's blast radius.
            privileged: true
          resources:
            requests:
              cpu: 250m
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          readinessProbe:
            httpGet:
              path: /readiness
              port: 9099
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        # It has write access to the host's /opt/cni/bin (executables the
        # kubelet runs for every pod) and /etc/cni/net.d (where the rendered
        # config, service-account token included, is written), so a compromised
        # calico/cni image is a node compromise. Keep both directories
        # root-owned and not world-readable.
        - name: install-cni
          image: quay.io/calico/cni:v1.11.4
          command: ["/install-cni.sh"]
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        # Used to install CNI. Both are mounted read-write into install-cni.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d

---

# This manifest deploys the Calico Kubernetes controllers.
# See https://github.com/projectcalico/kube-controllers
# It runs on the host network under the calico-kube-controllers service
# account (cluster-wide read-only watch/list, see its ClusterRole) and talks
# to the Calico etcd at ETCD_ENDPOINTS -- plain http here, so whatever it
# writes there is neither encrypted nor authenticated.
# NOTE: extensions/v1beta1 Deployment is removed in newer Kubernetes releases;
# migrate to apps/v1 (which additionally requires spec.selector).
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
spec:
  # The controllers can only have a single active instance.
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
      labels:
        k8s-app: calico-kube-controllers
      annotations:
        # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
        # reserves resources for critical add-on pods so that they can be rescheduled after
        # a failure. This annotation works in tandem with the toleration below.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # The controllers must run in the host network namespace so that
      # it isn't governed by policy that would prevent it from working.
      hostNetwork: true
      tolerations:
        # this taint is set by all kubelets running `--cloud-provider=external`
        # so we should tolerate it to schedule the calico pods
        - key: node.cloudprovider.kubernetes.io/uninitialized
          value: "true"
          effect: NoSchedule
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
        # This, along with the annotation above marks this pod as a critical add-on.
        - key: CriticalAddonsOnly
          operator: Exists
      serviceAccountName: calico-kube-controllers
      containers:
        - name: calico-kube-controllers
          # Pinned by tag only; pin by digest if image provenance matters.
          image: quay.io/calico/kube-controllers:v1.0.3
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # The location of the Kubernetes API. Use the default Kubernetes
            # service for API access.
            - name: K8S_API
              value: "https://kubernetes.default:443"
            # Choose which controllers to run.
            - name: ENABLED_CONTROLLERS
              value: policy,profile,workloadendpoint,node
            # Since we're running in the host namespace and might not have KubeDNS
            # access, configure the container's /etc/hosts to resolve
            # kubernetes.default to the correct service clusterIP.
            - name: CONFIGURE_ETC_HOSTS
              value: "true"

---

# This deployment turns off the old "policy-controller". It should remain at 0 replicas, and then
# be removed entirely once the new kube-controllers deployment has been deployed above.
# NOTE(review): it still binds the calico-kube-controllers service account and
# the plaintext etcd endpoint; scaling it up would run a second copy of the
# controllers image with nothing but ETCD_ENDPOINTS set. Delete it rather than
# leaving it parked at 0.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: calico-policy-controller
  namespace: kube-system
  labels:
    k8s-app: calico-policy-controller
spec:
  # Turn this deployment off in favor of the kube-controllers deployment above.
  replicas: 0
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-policy-controller
      namespace: kube-system
      labels:
        k8s-app: calico-policy-controller
    spec:
      hostNetwork: true
      serviceAccountName: calico-kube-controllers
      containers:
        - name: calico-policy-controller
          image: quay.io/calico/kube-controllers:v1.0.3
          env:
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints

---

# Binds the calico-cni-plugin ClusterRole (below) to the service account the
# calico-node DaemonSet runs under.
# NOTE: rbac.authorization.k8s.io/v1beta1 is deprecated; v1 has the same schema.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: calico-cni-plugin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-cni-plugin
subjects:
  - kind: ServiceAccount
    name: calico-cni-plugin
    namespace: kube-system

---

# Least-privilege role for the CNI plugin / calico-node: read-only `get` on
# pods and nodes, cluster-wide (no list/watch, no writes). The token for this
# account ends up in every node's CNI config (the ConfigMap embeds it via
# __SERVICEACCOUNT_TOKEN__), so keep this role read-only -- anything broader
# granted here is exposed on every node's disk.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico-cni-plugin
rules:
  - apiGroups: [""]
    resources:
      - pods
      - nodes
    verbs:
      - get

---

# Service account for the calico-node DaemonSet (calico-node and install-cni
# containers); its permissions come from the calico-cni-plugin ClusterRole.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-cni-plugin
  namespace: kube-system

---

# Binds the calico-kube-controllers ClusterRole (below) to the service account
# shared by the calico-kube-controllers and calico-policy-controller Deployments.
# NOTE: rbac.authorization.k8s.io/v1beta1 is deprecated; v1 has the same schema.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system

---

# Read-only, cluster-wide watch/list for the kube-controllers Deployment (and
# the retired policy-controller Deployment, which shares the account). No write
# verbs on the Kubernetes API; the controllers' writes go to etcd instead.
# NOTE(review): the networkpolicies rule covers the `extensions` group only; on
# clusters that serve NetworkPolicy from networking.k8s.io this role may need
# that group added -- confirm against the controller version in use.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico-kube-controllers
rules:
  - apiGroups:
      - ""
      - extensions
    resources:
      - pods
      - namespaces
      - networkpolicies
      - nodes
    verbs:
      - watch
      - list

---

# Service account for the calico-kube-controllers (and legacy
# calico-policy-controller) Deployments; its permissions come from the
# calico-kube-controllers ClusterRole.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system