# Calico Version v3.3.2
# https://docs.projectcalico.org/v3.3/releases#v3.3.2
# This manifest includes the following component versions:
#   calico/node:v3.3.2
#   calico/cni:v3.3.2
#   calico/kube-controllers:v3.3.2
#
# Documents in this file, in order: ConfigMap (calico-config), Secret
# (calico-etcd-secrets), DaemonSet (calico-node), ServiceAccount (calico-node),
# Deployment (calico-kube-controllers), ServiceAccount (calico-kube-controllers).
# No RBAC objects (ClusterRole / ClusterRoleBinding) are defined in this file;
# they are expected to come from a separate manifest.

# This ConfigMap is used to configure a self-hosted Calico installation.
# Every value below is consumed through configMapKeyRef in the DaemonSet and
# Deployment further down, so the key names here must stay in sync with
# those references.
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  # Configure this with the location of your etcd cluster.
  # NOTE(review): this is a plain http:// endpoint, so traffic to the Calico
  # datastore is neither encrypted nor client-authenticated (unless etcd itself
  # is configured with authentication). Anything on the cluster network that
  # can reach this address can then read or alter the policy and IPAM state
  # Calico keeps there. For anything beyond a lab, use https://, populate
  # etcd_ca/etcd_cert/etcd_key (and the Secret below), and restrict who can
  # reach the etcd endpoint.
  etcd_endpoints: "http://10.96.232.136:6666"

  # If you're using TLS enabled etcd uncomment the following.
  # You must also populate the Secret below with these files.
  # The commented paths are where the calico-etcd-secrets Secret is mounted
  # (volume "etcd-certs", mountPath /calico-secrets) in the pods below.
  etcd_ca: ""   # "/calico-secrets/etcd-ca"
  etcd_cert: "" # "/calico-secrets/etcd-cert"
  etcd_key: ""  # "/calico-secrets/etcd-key"
  # Configure the Calico backend to use.
  # Read by calico-node as CALICO_NETWORKING_BACKEND.
  calico_backend: "bird"

  # Configure the MTU to use
  # Kept quoted: ConfigMap data values are always strings. Feeds both
  # FELIX_IPINIPMTU in calico-node and CNI_MTU in install-cni, which is the
  # value substituted for __CNI_MTU__ below.
  veth_mtu: "1440"

  # The CNI network configuration to install on each node.  The special
  # values in this config will be automatically populated.
  # The install-cni container receives this text through CNI_NETWORK_CONFIG and
  # writes it to the host as 10-calico.conflist (CNI_CONF_NAME) once the __X__
  # placeholders are filled in. This is a block scalar: anything added inside
  # it — including "#" comment lines — becomes part of the JSON, so keep
  # annotations out of the braces.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "etcd_endpoints": "__ETCD_ENDPOINTS__",
          "etcd_key_file": "__ETCD_KEY_FILE__",
          "etcd_cert_file": "__ETCD_CERT_FILE__",
          "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
          "mtu": __CNI_MTU__,
          "ipam": {
              "type": "calico-ipam"
          },
          "policy": {
              "type": "k8s"
          },
          "kubernetes": {
              "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        }
      ]
    }

---


# The following contains k8s Secrets for use with a TLS enabled etcd cluster.
# For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/
# This Secret is mounted (defaultMode 0400) at /calico-secrets in both the
# calico-node DaemonSet and the calico-kube-controllers Deployment; the file
# names below must match the paths given next to etcd_ca/etcd_cert/etcd_key in
# calico-config. base64 is an encoding, not encryption: anyone able to read
# Secrets in kube-system can recover the client key, so keep RBAC on that
# namespace tight and do not commit populated values to version control.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: calico-etcd-secrets
  namespace: kube-system
data:
  # Populate the following files with etcd TLS configuration if desired, but leave blank if
  # not using TLS for etcd.
  # This self-hosted install expects three files with the following names.  The values
  # should be base64 encoded strings of the entire contents of each file.
  # With all three entries commented out, "data:" carries no value (YAML null);
  # the API server accepts that as an empty Secret.
  # etcd-key: null
  # etcd-cert: null
  # etcd-ca: null

---

# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
# Both containers share the host network namespace and no runAsUser is set
# (presumably root for these images); calico-node is additionally privileged,
# so a compromise of this pod is a compromise of the node. Treat image
# provenance accordingly (see the notes on the image tags below).
kind: DaemonSet
# NOTE(review): extensions/v1beta1 DaemonSet is deprecated and was removed in
# Kubernetes 1.16; apps/v1 is the replacement (this object already has the
# spec.selector that apps/v1 requires).
apiVersion: extensions/v1beta1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  # Roll out one node at a time.
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        # This, along with the CriticalAddonsOnly toleration below,
        # marks the pod as a critical add-on, ensuring it gets
        # priority scheduling and that its resources are reserved
        # if it ever gets evicted.
        # NOTE(review): this alpha annotation is superseded by
        # priorityClassName: system-node-critical on clusters with Pod Priority.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      # The pod uses the node's network namespace, so "localhost" in the
      # liveness probe below is the node's own loopback.
      hostNetwork: true
      tolerations:
        # Make sure calico-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        # Also stay on nodes carrying NoExecute taints.
        - effect: NoExecute
          operator: Exists
      serviceAccountName: calico-node
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      containers:
        # Runs calico/node container on each Kubernetes node.  This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          # NOTE(review): mutable Docker Hub tag, not digest-pinned. For a
          # privileged, host-network workload running on every node, pin by
          # digest (or mirror into an internal registry) so a re-pushed tag
          # cannot silently change what runs here.
          image: calico/node:v3.3.2
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Location of the CA certificate for etcd.
            # Empty in calico-config unless TLS is enabled; the three file
            # paths are expected to point into the etcd-certs volume mounted
            # at /calico-secrets below.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
            # Set noderef for node controller.
            # Downward API: the name of the Node this pod is scheduled on.
            - name: CALICO_K8S_NODE_REF
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Choose the backend to use.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,bgp"
            # Auto-detect the BGP IP address.
            - name: IP
              value: "autodetect"
            # NOTE(review): autodetection picks the interface whose route
            # reaches www.google.com, which makes node bootstrap depend on
            # external DNS/egress and can choose the wrong NIC on multi-homed
            # or air-gapped nodes. A cluster-internal target
            # (can-reach=<internal address>) or an explicit interface= method
            # is more predictable.
            - name: IP_AUTODETECTION_METHOD
              value: "can-reach=www.google.com"
            # Enable IPIP
            # "Always" tunnels pod-to-pod traffic over IPIP even within a
            # subnet; the tunnel MTU comes from FELIX_IPINIPMTU below.
            - name: CALICO_IPV4POOL_IPIP
              value: "Always"
            # Set MTU for tunnel device used if ipip is enabled
            - name: FELIX_IPINIPMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
            # chosen from this range. Changing this value after installation will have
            # no effect. This should fall within `--cluster-cidr`.
            # NOTE(review): 192.168.0.0/16 overlaps common LAN ranges; check it
            # against node and upstream networks before the first apply, since
            # it cannot be changed afterwards without re-creating the pool.
            - name: CALICO_IPV4POOL_CIDR
              value: "192.168.0.0/16"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint to host default action to ACCEPT.
            # NOTE(review): this is the default verdict for traffic from
            # workload endpoints to the host itself (Felix's own default is
            # DROP). With ACCEPT, pods can reach services listening on the node
            # unless a Calico host endpoint policy says otherwise; factor this
            # into the threat model for node-local services.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Disable IPv6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Set Felix logging to "info"
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Presumably what serves the /liveness endpoint probed on port 9099
            # below — confirm against the calico/node docs for this version.
            - name: FELIX_HEALTHENABLED
              value: "true"
          # Full host access. calico/node needs it to program routes and
          # iptables on the host (see the xtables.lock mount below); there is
          # no capability subset substituted here.
          securityContext:
            privileged: true
          # Requests only; no limits are set.
          resources:
            requests:
              cpu: 250m
          # hostNetwork: true, so this hits the node's loopback.
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
              host: localhost
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          # Ready only when both BIRD (-bird-ready) and Felix (-felix-ready)
          # report ready.
          readinessProbe:
            exec:
              command:
              - /bin/calico-node
              - -bird-ready
              - -felix-ready
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            # iptables lock shared with the host so concurrent iptables
            # callers serialise correctly.
            - mountPath: /run/xtables.lock
              name: xtables-lock
              readOnly: false
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
            # etcd TLS material (see the etcd_* keys in calico-config).
            - mountPath: /calico-secrets
              name: etcd-certs
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        # Not privileged, but it writes to the host's /opt/cni/bin and
        # /etc/cni/net.d through the hostPath mounts below; what lands there
        # defines the networking of every pod on the node, so the same
        # image-provenance concern as for calico-node applies.
        - name: install-cni
          image: calico/cni:v3.3.2
          command: ["/install-cni.sh"]
          env:
            # Name of the CNI config file to create.
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
            # CNI MTU Config variable
            # Substituted for __CNI_MTU__ in cni_network_config.
            - name: CNI_MTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
            - mountPath: /calico-secrets
              name: etcd-certs
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        # Used to install CNI.
        # Writable host directories: install-cni drops the plugin binaries and
        # the conflist here.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Mount in the etcd TLS secrets with mode 400.
        # See https://kubernetes.io/docs/concepts/configuration/secret/
        # 0400 is a YAML 1.1 octal literal (256 decimal); Kubernetes' YAML
        # loader reads it that way, so the files are mounted owner-read-only.
        # A YAML 1.2 parser would read it as decimal 400 — keep the literal
        # exactly as written if this is copied into other tooling.
        - name: etcd-certs
          secret:
            secretName: calico-etcd-secrets
            defaultMode: 0400
---

# Identity used by the calico-node DaemonSet (serviceAccountName above).
# The ClusterRole/ClusterRoleBinding that grant it API access are not defined
# in this file; confirm they are applied from a separate RBAC manifest before
# relying on this deployment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-node
  namespace: kube-system

---

# This manifest deploys the Calico Kubernetes controllers.
# See https://github.com/projectcalico/kube-controllers
# NOTE(review): extensions/v1beta1 Deployment is deprecated and was removed in
# Kubernetes 1.16. Moving to apps/v1 also requires a spec.selector (matchLabels
# k8s-app: calico-kube-controllers), which this object does not set.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
  annotations:
    # NOTE(review): this annotation sits on the Deployment rather than on the
    # pod template (compare the DaemonSet above), so it presumably has no
    # effect on scheduling here. Superseded by priorityClassName on clusters
    # with Pod Priority.
    scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
  # The controllers can only have a single active instance.
  # Recreate (rather than RollingUpdate) keeps that true during upgrades.
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
      labels:
        k8s-app: calico-kube-controllers
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      # The controllers must run in the host network namespace so that
      # it isn't governed by policy that would prevent it from working.
      hostNetwork: true
      tolerations:
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        # Allow scheduling onto masters. No operator is given, so this
        # tolerates the taint with an empty value (the usual master taint).
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      serviceAccountName: calico-kube-controllers
      containers:
        - name: calico-kube-controllers
          # NOTE(review): mutable tag, not digest-pinned (see calico-node).
          image: calico/kube-controllers:v3.3.2
          # No securityContext and no resources are set: the container runs
          # with the pod-default (non-privileged) settings and without
          # CPU/memory bounds.
          env:
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Location of the CA certificate for etcd.
            # Same three etcd_* keys as calico-node; empty unless TLS is
            # enabled in calico-config.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
            # Choose which controllers to run.
            # Plain (unquoted) scalar is fine here: commas are only special
            # inside flow collections. These controllers write into the etcd
            # datastore, so this pod needs the same etcd access as calico-node.
            - name: ENABLED_CONTROLLERS
              value: policy,namespace,serviceaccount,workloadendpoint,node
          volumeMounts:
            # Mount in the etcd TLS secrets.
            - mountPath: /calico-secrets
              name: etcd-certs
          # Readiness only; no livenessProbe is defined for this container.
          readinessProbe:
            exec:
              command:
              - /usr/bin/check-status
              - -r
      volumes:
        # Mount in the etcd TLS secrets with mode 400.
        # See https://kubernetes.io/docs/concepts/configuration/secret/
        # 0400 is a YAML 1.1 octal literal (256 decimal), as in the DaemonSet;
        # a YAML 1.2 parser would read it as decimal 400.
        - name: etcd-certs
          secret:
            secretName: calico-etcd-secrets
            defaultMode: 0400

---

# Identity used by the calico-kube-controllers Deployment (serviceAccountName
# above). Its ClusterRole/ClusterRoleBinding are not defined in this file and
# must come from a separate RBAC manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system
