blueprints/iotgateway/scripts/cni/calico/v38/calico.yaml

   1 # yamllint disable
   2 ---
   3 # Source: calico/templates/calico-config.yaml
   4 # This ConfigMap is used to configure a self-hosted Calico installation.
   5 kind: ConfigMap
   6 apiVersion: v1
   7 metadata:
   8   name: calico-config
   9   namespace: kube-system
  10 data:
  11   # Typha is disabled.
  12   typha_service_name: "none"
  13   # Configure the backend to use.
  14   calico_backend: "bird"
  15
  16   # Configure the MTU to use
  17   veth_mtu: "1440"
  18
  19   # The CNI network configuration to install on each node.  The special
  20   # values in this config will be automatically populated.
  21   cni_network_config: |-
  22     {
  23       "name": "k8s-pod-network",
  24       "cniVersion": "0.3.1",
  25       "plugins": [
  26         {
  27           "type": "calico",
  28           "log_level": "info",
  29           "datastore_type": "kubernetes",
  30           "nodename": "__KUBERNETES_NODE_NAME__",
  31           "mtu": __CNI_MTU__,
  32           "ipam": {
  33               "type": "calico-ipam"
  34           },
  35           "policy": {
  36               "type": "k8s"
  37           },
  38           "kubernetes": {
  39               "kubeconfig": "__KUBECONFIG_FILEPATH__"
  40           }
  41         },
  42         {
  43           "type": "portmap",
  44           "snat": true,
  45           "capabilities": {"portMappings": true}
  46         }
  47       ]
  48     }
  49
  50 ---
  51 # Source: calico/templates/kdd-crds.yaml
  52 apiVersion: apiextensions.k8s.io/v1beta1
  53 kind: CustomResourceDefinition
  54 metadata:
  55    name: felixconfigurations.crd.projectcalico.org
  56 spec:
  57   scope: Cluster
  58   group: crd.projectcalico.org
  59   version: v1
  60   names:
  61     kind: FelixConfiguration
  62     plural: felixconfigurations
  63     singular: felixconfiguration
  64 ---
  65
  66 apiVersion: apiextensions.k8s.io/v1beta1
  67 kind: CustomResourceDefinition
  68 metadata:
  69   name: ipamblocks.crd.projectcalico.org
  70 spec:
  71   scope: Cluster
  72   group: crd.projectcalico.org
  73   version: v1
  74   names:
  75     kind: IPAMBlock
  76     plural: ipamblocks
  77     singular: ipamblock
  78
  79 ---
  80
  81 apiVersion: apiextensions.k8s.io/v1beta1
  82 kind: CustomResourceDefinition
  83 metadata:
  84   name: blockaffinities.crd.projectcalico.org
  85 spec:
  86   scope: Cluster
  87   group: crd.projectcalico.org
  88   version: v1
  89   names:
  90     kind: BlockAffinity
  91     plural: blockaffinities
  92     singular: blockaffinity
  93
  94 ---
  95
  96 apiVersion: apiextensions.k8s.io/v1beta1
  97 kind: CustomResourceDefinition
  98 metadata:
  99   name: ipamhandles.crd.projectcalico.org
 100 spec:
 101   scope: Cluster
 102   group: crd.projectcalico.org
 103   version: v1
 104   names:
 105     kind: IPAMHandle
 106     plural: ipamhandles
 107     singular: ipamhandle
 108
 109 ---
 110
 111 apiVersion: apiextensions.k8s.io/v1beta1
 112 kind: CustomResourceDefinition
 113 metadata:
 114   name: ipamconfigs.crd.projectcalico.org
 115 spec:
 116   scope: Cluster
 117   group: crd.projectcalico.org
 118   version: v1
 119   names:
 120     kind: IPAMConfig
 121     plural: ipamconfigs
 122     singular: ipamconfig
 123
 124 ---
 125
 126 apiVersion: apiextensions.k8s.io/v1beta1
 127 kind: CustomResourceDefinition
 128 metadata:
 129   name: bgppeers.crd.projectcalico.org
 130 spec:
 131   scope: Cluster
 132   group: crd.projectcalico.org
 133   version: v1
 134   names:
 135     kind: BGPPeer
 136     plural: bgppeers
 137     singular: bgppeer
 138
 139 ---
 140
 141 apiVersion: apiextensions.k8s.io/v1beta1
 142 kind: CustomResourceDefinition
 143 metadata:
 144   name: bgpconfigurations.crd.projectcalico.org
 145 spec:
 146   scope: Cluster
 147   group: crd.projectcalico.org
 148   version: v1
 149   names:
 150     kind: BGPConfiguration
 151     plural: bgpconfigurations
 152     singular: bgpconfiguration
 153
 154 ---
 155
 156 apiVersion: apiextensions.k8s.io/v1beta1
 157 kind: CustomResourceDefinition
 158 metadata:
 159   name: ippools.crd.projectcalico.org
 160 spec:
 161   scope: Cluster
 162   group: crd.projectcalico.org
 163   version: v1
 164   names:
 165     kind: IPPool
 166     plural: ippools
 167     singular: ippool
 168
 169 ---
 170
 171 apiVersion: apiextensions.k8s.io/v1beta1
 172 kind: CustomResourceDefinition
 173 metadata:
 174   name: hostendpoints.crd.projectcalico.org
 175 spec:
 176   scope: Cluster
 177   group: crd.projectcalico.org
 178   version: v1
 179   names:
 180     kind: HostEndpoint
 181     plural: hostendpoints
 182     singular: hostendpoint
 183
 184 ---
 185
 186 apiVersion: apiextensions.k8s.io/v1beta1
 187 kind: CustomResourceDefinition
 188 metadata:
 189   name: clusterinformations.crd.projectcalico.org
 190 spec:
 191   scope: Cluster
 192   group: crd.projectcalico.org
 193   version: v1
 194   names:
 195     kind: ClusterInformation
 196     plural: clusterinformations
 197     singular: clusterinformation
 198
 199 ---
 200
 201 apiVersion: apiextensions.k8s.io/v1beta1
 202 kind: CustomResourceDefinition
 203 metadata:
 204   name: globalnetworkpolicies.crd.projectcalico.org
 205 spec:
 206   scope: Cluster
 207   group: crd.projectcalico.org
 208   version: v1
 209   names:
 210     kind: GlobalNetworkPolicy
 211     plural: globalnetworkpolicies
 212     singular: globalnetworkpolicy
 213
 214 ---
 215
 216 apiVersion: apiextensions.k8s.io/v1beta1
 217 kind: CustomResourceDefinition
 218 metadata:
 219   name: globalnetworksets.crd.projectcalico.org
 220 spec:
 221   scope: Cluster
 222   group: crd.projectcalico.org
 223   version: v1
 224   names:
 225     kind: GlobalNetworkSet
 226     plural: globalnetworksets
 227     singular: globalnetworkset
 228
 229 ---
 230
 231 apiVersion: apiextensions.k8s.io/v1beta1
 232 kind: CustomResourceDefinition
 233 metadata:
 234   name: networkpolicies.crd.projectcalico.org
 235 spec:
 236   scope: Namespaced
 237   group: crd.projectcalico.org
 238   version: v1
 239   names:
 240     kind: NetworkPolicy
 241     plural: networkpolicies
 242     singular: networkpolicy
 243
 244 ---
 245
 246 apiVersion: apiextensions.k8s.io/v1beta1
 247 kind: CustomResourceDefinition
 248 metadata:
 249   name: networksets.crd.projectcalico.org
 250 spec:
 251   scope: Namespaced
 252   group: crd.projectcalico.org
 253   version: v1
 254   names:
 255     kind: NetworkSet
 256     plural: networksets
 257     singular: networkset
 258 ---
 259 # Source: calico/templates/rbac.yaml
 260
 261 # Include a clusterrole for the kube-controllers component,
 262 # and bind it to the calico-kube-controllers serviceaccount.
 263 kind: ClusterRole
 264 apiVersion: rbac.authorization.k8s.io/v1
 265 metadata:
 266   name: calico-kube-controllers
 267 rules:
 268   # Nodes are watched to monitor for deletions.
 269   - apiGroups: [""]
 270     resources:
 271       - nodes
 272     verbs:
 273       - watch
 274       - list
 275       - get
 276   # Pods are queried to check for existence.
 277   - apiGroups: [""]
 278     resources:
 279       - pods
 280     verbs:
 281       - get
 282   # IPAM resources are manipulated when nodes are deleted.
 283   - apiGroups: ["crd.projectcalico.org"]
 284     resources:
 285       - ippools
 286     verbs:
 287       - list
 288   - apiGroups: ["crd.projectcalico.org"]
 289     resources:
 290       - blockaffinities
 291       - ipamblocks
 292       - ipamhandles
 293     verbs:
 294       - get
 295       - list
 296       - create
 297       - update
 298       - delete
 299   # Needs access to update clusterinformations.
 300   - apiGroups: ["crd.projectcalico.org"]
 301     resources:
 302       - clusterinformations
 303     verbs:
 304       - get
 305       - create
 306       - update
 307 ---
 308 kind: ClusterRoleBinding
 309 apiVersion: rbac.authorization.k8s.io/v1
 310 metadata:
 311   name: calico-kube-controllers
 312 roleRef:
 313   apiGroup: rbac.authorization.k8s.io
 314   kind: ClusterRole
 315   name: calico-kube-controllers
 316 subjects:
 317 - kind: ServiceAccount
 318   name: calico-kube-controllers
 319   namespace: kube-system
 320 ---
 321 # Include a clusterrole for the calico-node DaemonSet,
 322 # and bind it to the calico-node serviceaccount.
 323 kind: ClusterRole
 324 apiVersion: rbac.authorization.k8s.io/v1
 325 metadata:
 326   name: calico-node
 327 rules:
 328   # The CNI plugin needs to get pods, nodes, and namespaces.
 329   - apiGroups: [""]
 330     resources:
 331       - pods
 332       - nodes
 333       - namespaces
 334     verbs:
 335       - get
 336   - apiGroups: [""]
 337     resources:
 338       - endpoints
 339       - services
 340     verbs:
 341       # Used to discover service IPs for advertisement.
 342       - watch
 343       - list
 344       # Used to discover Typhas.
 345       - get
 346   - apiGroups: [""]
 347     resources:
 348       - nodes/status
 349     verbs:
 350       # Needed for clearing NodeNetworkUnavailable flag.
 351       - patch
 352       # Calico stores some configuration information in node annotations.
 353       - update
 354   # Watch for changes to Kubernetes NetworkPolicies.
 355   - apiGroups: ["networking.k8s.io"]
 356     resources:
 357       - networkpolicies
 358     verbs:
 359       - watch
 360       - list
 361   # Used by Calico for policy information.
 362   - apiGroups: [""]
 363     resources:
 364       - pods
 365       - namespaces
 366       - serviceaccounts
 367     verbs:
 368       - list
 369       - watch
 370   # The CNI plugin patches pods/status.
 371   - apiGroups: [""]
 372     resources:
 373       - pods/status
 374     verbs:
 375       - patch
 376   # Calico monitors various CRDs for config.
 377   - apiGroups: ["crd.projectcalico.org"]
 378     resources:
 379       - globalfelixconfigs
 380       - felixconfigurations
 381       - bgppeers
 382       - globalbgpconfigs
 383       - bgpconfigurations
 384       - ippools
 385       - ipamblocks
 386       - globalnetworkpolicies
 387       - globalnetworksets
 388       - networkpolicies
 389       - networksets
 390       - clusterinformations
 391       - hostendpoints
 392     verbs:
 393       - get
 394       - list
 395       - watch
 396   # Calico must create and update some CRDs on startup.
 397   - apiGroups: ["crd.projectcalico.org"]
 398     resources:
 399       - ippools
 400       - felixconfigurations
 401       - clusterinformations
 402     verbs:
 403       - create
 404       - update
 405   # Calico stores some configuration information on the node.
 406   - apiGroups: [""]
 407     resources:
 408       - nodes
 409     verbs:
 410       - get
 411       - list
 412       - watch
 413   # These permissions are only requried for upgrade from v2.6, and can
 414   # be removed after upgrade or on fresh installations.
 415   - apiGroups: ["crd.projectcalico.org"]
 416     resources:
 417       - bgpconfigurations
 418       - bgppeers
 419     verbs:
 420       - create
 421       - update
 422   # These permissions are required for Calico CNI to perform IPAM allocations.
 423   - apiGroups: ["crd.projectcalico.org"]
 424     resources:
 425       - blockaffinities
 426       - ipamblocks
 427       - ipamhandles
 428     verbs:
 429       - get
 430       - list
 431       - create
 432       - update
 433       - delete
 434   - apiGroups: ["crd.projectcalico.org"]
 435     resources:
 436       - ipamconfigs
 437     verbs:
 438       - get
 439   # Block affinities must also be watchable by confd for route aggregation.
 440   - apiGroups: ["crd.projectcalico.org"]
 441     resources:
 442       - blockaffinities
 443     verbs:
 444       - watch
 445   # The Calico IPAM migration needs to get daemonsets. These permissions can be
 446   # removed if not upgrading from an installation using host-local IPAM.
 447   - apiGroups: ["apps"]
 448     resources:
 449       - daemonsets
 450     verbs:
 451       - get
 452 ---
 453 apiVersion: rbac.authorization.k8s.io/v1
 454 kind: ClusterRoleBinding
 455 metadata:
 456   name: calico-node
 457 roleRef:
 458   apiGroup: rbac.authorization.k8s.io
 459   kind: ClusterRole
 460   name: calico-node
 461 subjects:
 462 - kind: ServiceAccount
 463   name: calico-node
 464   namespace: kube-system
 465
 466 ---
 467 # Source: calico/templates/calico-node.yaml
 468 # This manifest installs the calico-node container, as well
 469 # as the CNI plugins and network config on
 470 # each master and worker node in a Kubernetes cluster.
 471 kind: DaemonSet
 472 apiVersion: apps/v1
 473 metadata:
 474   name: calico-node
 475   namespace: kube-system
 476   labels:
 477     k8s-app: calico-node
 478 spec:
 479   selector:
 480     matchLabels:
 481       k8s-app: calico-node
 482   updateStrategy:
 483     type: RollingUpdate
 484     rollingUpdate:
 485       maxUnavailable: 1
 486   template:
 487     metadata:
 488       labels:
 489         k8s-app: calico-node
 490       annotations:
 491         # This, along with the CriticalAddonsOnly toleration below,
 492         # marks the pod as a critical add-on, ensuring it gets
 493         # priority scheduling and that its resources are reserved
 494         # if it ever gets evicted.
 495         scheduler.alpha.kubernetes.io/critical-pod: ''
 496     spec:
 497       nodeSelector:
 498         beta.kubernetes.io/os: linux
 499       hostNetwork: true
 500       tolerations:
 501         # Make sure calico-node gets scheduled on all nodes.
 502         - effect: NoSchedule
 503           operator: Exists
 504         # Mark the pod as a critical add-on for rescheduling.
 505         - key: CriticalAddonsOnly
 506           operator: Exists
 507         - effect: NoExecute
 508           operator: Exists
 509       serviceAccountName: calico-node
 510       # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
 511       # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
 512       terminationGracePeriodSeconds: 0
 513       priorityClassName: system-node-critical
 514       initContainers:
 515         # This container performs upgrade from host-local IPAM to calico-ipam.
 516         # It can be deleted if this is a fresh installation, or if you have already
 517         # upgraded to use calico-ipam.
 518         - name: upgrade-ipam
 519           image: calico/cni:v3.8.4
 520           command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
 521           env:
 522             - name: KUBERNETES_NODE_NAME
 523               valueFrom:
 524                 fieldRef:
 525                   fieldPath: spec.nodeName
 526             - name: CALICO_NETWORKING_BACKEND
 527               valueFrom:
 528                 configMapKeyRef:
 529                   name: calico-config
 530                   key: calico_backend
 531           volumeMounts:
 532             - mountPath: /var/lib/cni/networks
 533               name: host-local-net-dir
 534             - mountPath: /host/opt/cni/bin
 535               name: cni-bin-dir
 536           securityContext:
 537             privileged: true
 538         # This container installs the CNI binaries
 539         # and CNI network config file on each node.
 540         - name: install-cni
 541           image: calico/cni:v3.8.4
 542           command: ["/install-cni.sh"]
 543           env:
 544             # Name of the CNI config file to create.
 545             - name: CNI_CONF_NAME
 546               value: "10-calico.conflist"
 547             # The CNI network config to install on each node.
 548             - name: CNI_NETWORK_CONFIG
 549               valueFrom:
 550                 configMapKeyRef:
 551                   name: calico-config
 552                   key: cni_network_config
 553             # Set the hostname based on the k8s node name.
 554             - name: KUBERNETES_NODE_NAME
 555               valueFrom:
 556                 fieldRef:
 557                   fieldPath: spec.nodeName
 558             # CNI MTU Config variable
 559             - name: CNI_MTU
 560               valueFrom:
 561                 configMapKeyRef:
 562                   name: calico-config
 563                   key: veth_mtu
 564             # Prevents the container from sleeping forever.
 565             - name: SLEEP
 566               value: "false"
 567           volumeMounts:
 568             - mountPath: /host/opt/cni/bin
 569               name: cni-bin-dir
 570             - mountPath: /host/etc/cni/net.d
 571               name: cni-net-dir
 572           securityContext:
 573             privileged: true
 574         # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
 575         # to communicate with Felix over the Policy Sync API.
 576         - name: flexvol-driver
 577           image: calico/pod2daemon-flexvol:v3.8.4
 578           volumeMounts:
 579           - name: flexvol-driver-host
 580             mountPath: /host/driver
 581           securityContext:
 582             privileged: true
 583       containers:
 584         # Runs calico-node container on each Kubernetes node.  This
 585         # container programs network policy and routes on each
 586         # host.
 587         - name: calico-node
 588           image: calico/node:v3.8.4
 589           env:
 590             # Use Kubernetes API as the backing datastore.
 591             - name: DATASTORE_TYPE
 592               value: "kubernetes"
 593             # Wait for the datastore.
 594             - name: WAIT_FOR_DATASTORE
 595               value: "true"
 596             # Set based on the k8s node name.
 597             - name: NODENAME
 598               valueFrom:
 599                 fieldRef:
 600                   fieldPath: spec.nodeName
 601             # Choose the backend to use.
 602             - name: CALICO_NETWORKING_BACKEND
 603               valueFrom:
 604                 configMapKeyRef:
 605                   name: calico-config
 606                   key: calico_backend
 607             # Cluster type to identify the deployment type
 608             - name: CLUSTER_TYPE
 609               value: "k8s,bgp"
 610             # Auto-detect the BGP IP address.
 611             - name: IP
 612               value: "autodetect"
 613             # Enable IPIP
 614             - name: CALICO_IPV4POOL_IPIP
 615               value: "Always"
 616             # Set MTU for tunnel device used if ipip is enabled
 617             - name: FELIX_IPINIPMTU
 618               valueFrom:
 619                 configMapKeyRef:
 620                   name: calico-config
 621                   key: veth_mtu
 622             # The default IPv4 pool to create on startup if none exists. Pod IPs will be
 623             # chosen from this range. Changing this value after installation will have
 624             # no effect. This should fall within `--cluster-cidr`.
 625             - name: CALICO_IPV4POOL_CIDR
 626               value: "192.168.0.0/16"
 627             # Disable file logging so `kubectl logs` works.
 628             - name: CALICO_DISABLE_FILE_LOGGING
 629               value: "true"
 630             # Set Felix endpoint to host default action to ACCEPT.
 631             - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
 632               value: "ACCEPT"
 633             # Disable IPv6 on Kubernetes.
 634             - name: FELIX_IPV6SUPPORT
 635               value: "false"
 636             # Set Felix logging to "info"
 637             - name: FELIX_LOGSEVERITYSCREEN
 638               value: "info"
 639             - name: FELIX_HEALTHENABLED
 640               value: "true"
 641           securityContext:
 642             privileged: true
 643           resources:
 644             requests:
 645               cpu: 250m
 646           livenessProbe:
 647             httpGet:
 648               path: /liveness
 649               port: 9099
 650               host: localhost
 651             periodSeconds: 10
 652             initialDelaySeconds: 10
 653             failureThreshold: 6
 654           readinessProbe:
 655             exec:
 656               command:
 657               - /bin/calico-node
 658               - -bird-ready
 659               - -felix-ready
 660             periodSeconds: 10
 661           volumeMounts:
 662             - mountPath: /lib/modules
 663               name: lib-modules
 664               readOnly: true
 665             - mountPath: /run/xtables.lock
 666               name: xtables-lock
 667               readOnly: false
 668             - mountPath: /var/run/calico
 669               name: var-run-calico
 670               readOnly: false
 671             - mountPath: /var/lib/calico
 672               name: var-lib-calico
 673               readOnly: false
 674             - name: policysync
 675               mountPath: /var/run/nodeagent
 676       volumes:
 677         # Used by calico-node.
 678         - name: lib-modules
 679           hostPath:
 680             path: /lib/modules
 681         - name: var-run-calico
 682           hostPath:
 683             path: /var/run/calico
 684         - name: var-lib-calico
 685           hostPath:
 686             path: /var/lib/calico
 687         - name: xtables-lock
 688           hostPath:
 689             path: /run/xtables.lock
 690             type: FileOrCreate
 691         # Used to install CNI.
 692         - name: cni-bin-dir
 693           hostPath:
 694             path: /opt/cni/bin
 695         - name: cni-net-dir
 696           hostPath:
 697             path: /etc/cni/net.d
 698         # Mount in the directory for host-local IPAM allocations. This is
 699         # used when upgrading from host-local to calico-ipam, and can be removed
 700         # if not using the upgrade-ipam init container.
 701         - name: host-local-net-dir
 702           hostPath:
 703             path: /var/lib/cni/networks
 704         # Used to create per-pod Unix Domain Sockets
 705         - name: policysync
 706           hostPath:
 707             type: DirectoryOrCreate
 708             path: /var/run/nodeagent
 709         # Used to install Flex Volume Driver
 710         - name: flexvol-driver-host
 711           hostPath:
 712             type: DirectoryOrCreate
 713             path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
 714 ---
 715
 716 apiVersion: v1
 717 kind: ServiceAccount
 718 metadata:
 719   name: calico-node
 720   namespace: kube-system
 721
 722 ---
 723 # Source: calico/templates/calico-kube-controllers.yaml
 724
 725 # See https://github.com/projectcalico/kube-controllers
 726 apiVersion: apps/v1
 727 kind: Deployment
 728 metadata:
 729   name: calico-kube-controllers
 730   namespace: kube-system
 731   labels:
 732     k8s-app: calico-kube-controllers
 733 spec:
 734   # The controllers can only have a single active instance.
 735   replicas: 1
 736   selector:
 737     matchLabels:
 738       k8s-app: calico-kube-controllers
 739   strategy:
 740     type: Recreate
 741   template:
 742     metadata:
 743       name: calico-kube-controllers
 744       namespace: kube-system
 745       labels:
 746         k8s-app: calico-kube-controllers
 747       annotations:
 748         scheduler.alpha.kubernetes.io/critical-pod: ''
 749     spec:
 750       nodeSelector:
 751         beta.kubernetes.io/os: linux
 752       tolerations:
 753         # Mark the pod as a critical add-on for rescheduling.
 754         - key: CriticalAddonsOnly
 755           operator: Exists
 756         - key: node-role.kubernetes.io/master
 757           effect: NoSchedule
 758       serviceAccountName: calico-kube-controllers
 759       priorityClassName: system-cluster-critical
 760       containers:
 761         - name: calico-kube-controllers
 762           image: calico/kube-controllers:v3.8.4
 763           env:
 764             # Choose which controllers to run.
 765             - name: ENABLED_CONTROLLERS
 766               value: node
 767             - name: DATASTORE_TYPE
 768               value: kubernetes
 769           readinessProbe:
 770             exec:
 771               command:
 772               - /usr/bin/check-status
 773               - -r
 774
 775 ---
 776
 777 apiVersion: v1
 778 kind: ServiceAccount
 779 metadata:
 780   name: calico-kube-controllers
 781   namespace: kube-system
 782 ---
 783 # Source: calico/templates/calico-etcd-secrets.yaml
 784
 785 ---
 786 # Source: calico/templates/calico-typha.yaml
 787
 788 ---
 789 # Source: calico/templates/configure-canal.yaml
 790
 791