1 # yamllint disable
---
# Source: calico/templates/calico-config.yaml
# This ConfigMap is used to configure a self-hosted Calico installation.
# Every key under `data` is read by the calico-node DaemonSet later in this
# file through configMapKeyRef, so key names here must stay in sync with it.
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  # Typha is disabled.
  typha_service_name: "none"
  # Configure the backend to use.
  calico_backend: "bird"

  # Configure the MTU to use
  # Kept as a quoted string: install-cni reads it as CNI_MTU and substitutes
  # it, unquoted, into the JSON "mtu" field below; calico-node reads the same
  # key as FELIX_IPINIPMTU for the IPIP tunnel device.
  veth_mtu: "1440"

  # The CNI network configuration to install on each node.  The special
  # values in this config will be automatically populated.
  # NOTE: the value below is a literal block scalar, so a '#' inside it is
  # data, not a comment - do not annotate the JSON itself. The placeholders
  # (__KUBERNETES_NODE_NAME__, __CNI_MTU__, __KUBECONFIG_FILEPATH__) are
  # filled in by the install-cni init container. The kubeconfig the plugin
  # reads from __KUBECONFIG_FILEPATH__ is written onto each host and,
  # presumably, carries the calico-node ServiceAccount credentials - so it
  # inherits that ClusterRole's cluster-wide permissions; keep the host file
  # readable by root only. "log_level" should stay at "info" outside of
  # troubleshooting, and "snat": true makes the portmap plugin source-NAT
  # hostPort traffic.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "mtu": __CNI_MTU__,
          "ipam": {
              "type": "calico-ipam"
          },
          "policy": {
              "type": "k8s"
          },
          "kubernetes": {
              "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        }
      ]
    }
49
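---
# Source: calico/templates/kdd-crds.yaml
# Calico's Kubernetes-datastore (KDD) CRDs. All of them use the
# apiextensions.k8s.io/v1beta1 API, which was removed in Kubernetes 1.22, so
# this manifest only applies to older clusters. None of them declares a
# `validation` schema, so the API server does not check the shape of these
# objects; the Calico components bound by the RBAC below should be the only
# identities allowed to write them.
# Indentation is normalised to two spaces throughout (the first CRD's
# metadata.name was indented with three).
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: FelixConfiguration
    plural: felixconfigurations
    singular: felixconfiguration
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ipamblocks.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPAMBlock
    plural: ipamblocks
    singular: ipamblock
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: blockaffinities.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BlockAffinity
    plural: blockaffinities
    singular: blockaffinity
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ipamhandles.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPAMHandle
    plural: ipamhandles
    singular: ipamhandle
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ipamconfigs.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPAMConfig
    plural: ipamconfigs
    singular: ipamconfig
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: bgppeers.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BGPPeer
    plural: bgppeers
    singular: bgppeer
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BGPConfiguration
    plural: bgpconfigurations
    singular: bgpconfiguration
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPPool
    plural: ippools
    singular: ippool
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: hostendpoints.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: HostEndpoint
    plural: hostendpoints
    singular: hostendpoint
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clusterinformations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: ClusterInformation
    plural: clusterinformations
    singular: clusterinformation
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkPolicy
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalnetworksets.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkSet
    plural: globalnetworksets
    singular: globalnetworkset
---
# The two remaining kinds are namespace-scoped (scope: Namespaced), unlike
# the cluster-scoped kinds above.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: networkpolicies.crd.projectcalico.org
spec:
  scope: Namespaced
  group: crd.projectcalico.org
  version: v1
  names:
    kind: NetworkPolicy
    plural: networkpolicies
    singular: networkpolicy
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: networksets.crd.projectcalico.org
spec:
  scope: Namespaced
  group: crd.projectcalico.org
  version: v1
  names:
    kind: NetworkSet
    plural: networksets
    singular: networkset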
---
# Source: calico/templates/rbac.yaml

# Include a clusterrole for the kube-controllers component,
# and bind it to the calico-kube-controllers serviceaccount.
# Privilege summary: read-only on the core API group (nodes, pods); write
# verbs are confined to Calico's own CRDs, and `delete` only to the IPAM
# kinds, where the controller releases allocations of nodes that are gone.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
rules:
  # Nodes are watched to monitor for deletions.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - watch
      - list
      - get
  # Pods are queried to check for existence.
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
  # IPAM resources are manipulated when nodes are deleted.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
    verbs:
      - list
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      # delete is what frees IPAM state for removed nodes; it is the only
      # destructive verb in this role.
      - delete
  # Needs access to update clusterinformations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - clusterinformations
    verbs:
      - get
      - create
      - update
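---
# Bind the cluster-scoped calico-kube-controllers ClusterRole to the
# calico-kube-controllers ServiceAccount in kube-system. The Deployment
# later in this file runs with that ServiceAccount, so its pod token carries
# exactly the permissions listed in the role above.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system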
---
# Include a clusterrole for the calico-node DaemonSet,
# and bind it to the calico-node serviceaccount.
# Every node runs a calico-node pod under this ServiceAccount, so each node
# effectively holds these cluster-wide permissions and a compromised
# calico-node pod can exercise all of them. Several rules below are
# documented as upgrade-only; drop them on fresh installs to keep the role
# minimal.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
rules:
  # The CNI plugin needs to get pods, nodes, and namespaces.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - endpoints
      - services
    verbs:
      # Used to discover service IPs for advertisement.
      - watch
      - list
      # Used to discover Typhas.
      # (typha_service_name is "none" in calico-config above, so this verb
      # appears unused by the configuration in this file.)
      - get
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      # Needed for clearing NodeNetworkUnavailable flag.
      - patch
      # Calico stores some configuration information in node annotations.
      - update
  # Watch for changes to Kubernetes NetworkPolicies.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  # Used by Calico for policy information.
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
      - serviceaccounts
    verbs:
      - list
      - watch
  # The CNI plugin patches pods/status.
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  # Calico monitors various CRDs for config.
  # (globalfelixconfigs and globalbgpconfigs have no CRD in this manifest;
  # presumably legacy kinds kept for upgrades - a rule on a resource that
  # does not exist grants nothing that can be exercised.)
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - ipamblocks
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - networksets
      - clusterinformations
      - hostendpoints
    verbs:
      - get
      - list
      - watch
  # Calico must create and update some CRDs on startup.
  # create/update on ippools and felixconfigurations means any node's
  # calico-node pod can change the pod-network pools and Felix settings
  # cluster-wide.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
      - felixconfigurations
      - clusterinformations
    verbs:
      - create
      - update
  # Calico stores some configuration information on the node.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # These permissions are only required for upgrade from v2.6, and can
  # be removed after upgrade or on fresh installations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgpconfigurations
      - bgppeers
    verbs:
      - create
      - update
  # These permissions are required for Calico CNI to perform IPAM allocations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ipamconfigs
    verbs:
      - get
  # Block affinities must also be watchable by confd for route aggregation.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
    verbs:
      - watch
  # The Calico IPAM migration needs to get daemonsets. These permissions can be
  # removed if not upgrading from an installation using host-local IPAM.
  - apiGroups: ["apps"]
    resources:
      - daemonsets
    verbs:
      - get
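---
# Bind the cluster-scoped calico-node ClusterRole to the calico-node
# ServiceAccount in kube-system. The calico-node DaemonSet below runs every
# node's pod with this ServiceAccount, so the permissions above are held on
# every node in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-node
subjects:
  - kind: ServiceAccount
    name: calico-node
    namespace: kube-system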
465
---
# Source: calico/templates/calico-node.yaml
# This manifest installs the calico-node container, as well
# as the CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
#
# Review notes on the security posture of this DaemonSet:
#   - all four containers run privileged and the pod uses hostNetwork, with
#     read-write hostPath mounts into /opt/cni/bin, /etc/cni/net.d and the
#     kubelet flexvolume plugin directory. A process inside any of these
#     containers can therefore rewrite node networking and place executables
#     on the host, so the calico-node ServiceAccount and these images carry
#     node-level trust.
#   - images are pinned by tag (v3.8.4) only; pin by digest where the
#     registry or tag could be rewritten.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        # This, along with the CriticalAddonsOnly toleration below,
        # marks the pod as a critical add-on, ensuring it gets
        # priority scheduling and that its resources are reserved
        # if it ever gets evicted.
        # (This annotation is deprecated; the priorityClassName set further
        # down is what current schedulers honour.)
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      nodeSelector:
        # Deprecated label name; newer clusters use kubernetes.io/os.
        beta.kubernetes.io/os: linux
      # Shares the node's network namespace, which is required to program
      # host routes and iptables. The liveness probe below therefore targets
      # localhost:9099 on the node itself.
      hostNetwork: true
      tolerations:
        # Make sure calico-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      # Token of this ServiceAccount is bound to the calico-node ClusterRole
      # defined earlier in this file.
      serviceAccountName: calico-node
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      priorityClassName: system-node-critical
      initContainers:
        # This container performs upgrade from host-local IPAM to calico-ipam.
        # It can be deleted if this is a fresh installation, or if you have already
        # upgraded to use calico-ipam.
        - name: upgrade-ipam
          image: calico/cni:v3.8.4
          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
          env:
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
          volumeMounts:
            - mountPath: /var/lib/cni/networks
              name: host-local-net-dir
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
          securityContext:
            privileged: true
        # This container installs the CNI binaries
        # and CNI network config file on each node.
        # It writes into the host's /opt/cni/bin and /etc/cni/net.d through
        # the read-write hostPath mounts below; whatever it installs there is
        # executed by the kubelet for every pod on the node.
        - name: install-cni
          image: calico/cni:v3.8.4
          command: ["/install-cni.sh"]
          env:
            # Name of the CNI config file to create.
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
            # Set the hostname based on the k8s node name.
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # CNI MTU Config variable
            - name: CNI_MTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # Prevents the container from sleeping forever.
            - name: SLEEP
              value: "false"
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
          securityContext:
            privileged: true
        # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
        # to communicate with Felix over the Policy Sync API.
        # The driver is copied into the kubelet's flexvolume plugin directory
        # (see the flexvol-driver-host volume), i.e. a host-executed path.
        - name: flexvol-driver
          image: calico/pod2daemon-flexvol:v3.8.4
          volumeMounts:
          - name: flexvol-driver-host
            mountPath: /host/driver
          securityContext:
            privileged: true
      containers:
        # Runs calico-node container on each Kubernetes node.  This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: calico/node:v3.8.4
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # Set based on the k8s node name.
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Choose the backend to use.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,bgp"
            # Auto-detect the BGP IP address.
            - name: IP
              value: "autodetect"
            # Enable IPIP
            - name: CALICO_IPV4POOL_IPIP
              value: "Always"
            # Set MTU for tunnel device used if ipip is enabled
            - name: FELIX_IPINIPMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
            # chosen from this range. Changing this value after installation will have
            # no effect. This should fall within `--cluster-cidr`.
            - name: CALICO_IPV4POOL_CIDR
              value: "192.168.0.0/16"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint to host default action to ACCEPT.
            # Felix's own default for this setting is Drop. With ACCEPT, traffic
            # from a workload endpoint to its own host that matches no policy is
            # allowed through; revisit this if pods should not reach host
            # services by default.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Disable IPv6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Set Felix logging to "info"
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Enables the /liveness endpoint probed below.
            - name: FELIX_HEALTHENABLED
              value: "true"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
              host: localhost
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          readinessProbe:
            exec:
              command:
              - /bin/calico-node
              - -bird-ready
              - -felix-ready
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /run/xtables.lock
              name: xtables-lock
              readOnly: false
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
            - name: policysync
              mountPath: /var/run/nodeagent
      volumes:
        # Used by calico-node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        # Used to install CNI.
        # Both directories are host-trusted: binaries in cni-bin-dir are run
        # by the kubelet and files in cni-net-dir select which plugin runs.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Mount in the directory for host-local IPAM allocations. This is
        # used when upgrading from host-local to calico-ipam, and can be removed
        # if not using the upgrade-ipam init container.
        - name: host-local-net-dir
          hostPath:
            path: /var/lib/cni/networks
        # Used to create per-pod Unix Domain Sockets
        - name: policysync
          hostPath:
            type: DirectoryOrCreate
            path: /var/run/nodeagent
        # Used to install Flex Volume Driver
        # The kubelet loads flexvolume drivers from this host directory, so the
        # DirectoryOrCreate type means the DaemonSet creates it if absent.
        - name: flexvol-driver-host
          hostPath:
            type: DirectoryOrCreate
            path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
---
# ServiceAccount used by every calico-node pod (DaemonSet above). Its token
# is what the calico-node ClusterRoleBinding grants cluster-wide rights to.
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: kube-system
  name: calico-node
721
---
# Source: calico/templates/calico-kube-controllers.yaml

# See https://github.com/projectcalico/kube-controllers
# Unlike calico-node this pod needs no host access: it is not privileged,
# does not use hostNetwork and mounts nothing from the host. No
# securityContext is set at all, though, so it is a candidate for
# runAsNonRoot / readOnlyRootFilesystem / dropped capabilities - confirm
# against the image before adding them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
spec:
  # The controllers can only have a single active instance.
  replicas: 1
  selector:
    matchLabels:
      k8s-app: calico-kube-controllers
  # Recreate (not RollingUpdate) keeps the single-instance guarantee above
  # during upgrades.
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
      labels:
        k8s-app: calico-kube-controllers
      annotations:
        # Deprecated annotation; priorityClassName below is the supported
        # mechanism.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      nodeSelector:
        # Deprecated label name; newer clusters use kubernetes.io/os.
        beta.kubernetes.io/os: linux
      tolerations:
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        # Allows scheduling onto control-plane nodes.
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      # Bound to the calico-kube-controllers ClusterRole defined earlier.
      serviceAccountName: calico-kube-controllers
      priorityClassName: system-cluster-critical
      containers:
        - name: calico-kube-controllers
          # Pinned by tag only; pin by digest if the tag could be rewritten.
          image: calico/kube-controllers:v3.8.4
          env:
            # Choose which controllers to run.
            # Only the node controller is enabled, which matches the
            # node/pod/IPAM permissions in the ClusterRole.
            - name: ENABLED_CONTROLLERS
              value: node
            - name: DATASTORE_TYPE
              value: kubernetes
          readinessProbe:
            exec:
              command:
              - /usr/bin/check-status
              - -r
774
---
# ServiceAccount used by the calico-kube-controllers Deployment above; the
# calico-kube-controllers ClusterRoleBinding grants it that ClusterRole.
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: kube-system
  name: calico-kube-controllers
782 ---
783 # Source: calico/templates/calico-etcd-secrets.yaml
784
785 ---
786 # Source: calico/templates/calico-typha.yaml
787
788 ---
789 # Source: calico/templates/configure-canal.yaml
790
791