1 # Calico Version v3.3.2
2 # https://docs.projectcalico.org/v3.3/releases#v3.3.2
3 # This manifest includes the following component versions:
6 # calico/kube-controllers:v3.3.2
8 # This ConfigMap is used to configure a self-hosted Calico installation.
13 namespace: kube-system
15 # Configure this with the location of your etcd cluster.
# NOTE(review): the endpoint below is plain http:// and the three etcd_* TLS
# settings that follow are empty, so as written the connection to the Calico
# datastore is neither encrypted nor client-authenticated. Whether the etcd
# server itself demands client certificates is not visible here - confirm.
# Outside a lab, use an https:// endpoint, fill in etcd_ca/etcd_cert/etcd_key,
# and limit network access to the etcd port to the Calico components.
16 etcd_endpoints: "http://10.96.232.136:6666"
18 # If you're using TLS enabled etcd uncomment the following.
19 # You must also populate the Secret below with these files.
# The commented-out values are paths under /calico-secrets, the directory where
# the calico-etcd-secrets Secret is mounted into the containers further down.
# An empty string leaves the corresponding TLS setting unset.
20 etcd_ca: "" # "/calico-secrets/etcd-ca"
21 etcd_cert: "" # "/calico-secrets/etcd-cert"
22 etcd_key: "" # "/calico-secrets/etcd-key"
23 # Configure the Calico backend to use.
# "bird" selects BGP route distribution through the BIRD daemon.
24 calico_backend: "bird"
26 # Configure the MTU to use
29 # The CNI network configuration to install on each node. The special
30 # values in this config will be automatically populated.
# Comments cannot go inside the block scalar that follows (they would become
# part of the JSON), so notes on its keys are collected here:
# - The __NAME__ tokens are placeholders; the ETCD_* ones correspond to the
#   etcd settings above, so empty TLS values there carry through to the CNI
#   plugin's own etcd connection.
# - "kubeconfig" points the CNI plugin at a kubeconfig file. Presumably that
#   file is written onto the node by the install container; treat it as a
#   credential and verify its ownership and mode on the host.
# - "portMappings": true advertises the CNI portMappings capability, which is
#   what hostPort support relies on.
31 cni_network_config: |-
33 "name": "k8s-pod-network",
34 "cniVersion": "0.3.0",
39 "etcd_endpoints": "__ETCD_ENDPOINTS__",
40 "etcd_key_file": "__ETCD_KEY_FILE__",
41 "etcd_cert_file": "__ETCD_CERT_FILE__",
42 "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
51 "kubeconfig": "__KUBECONFIG_FILEPATH__"
57 "capabilities": {"portMappings": true}
65 # The following contains k8s Secrets for use with a TLS enabled etcd cluster.
66 # For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/
71 name: calico-etcd-secrets
72 namespace: kube-system
74 # Populate the following files with etcd TLS configuration if desired, but leave blank if
75 # not using TLS for etcd.
76 # This self-hosted install expects three files with the following names. The values
77 # should be base64 encoded strings of the entire contents of each file.
# NOTE(review): base64 is an encoding, not encryption. A populated copy of this
# manifest holds the etcd client private key in recoverable form, so keep the
# filled-in file out of version control, or create the Secret out of band
# instead of editing it in here.
# Inside the cluster the values can be read by any subject allowed to get
# Secrets in kube-system, and they are stored as plain base64 in the cluster's
# own datastore unless encryption at rest is configured on the API server.
84 # This manifest installs the calico/node container, as well
85 # as the Calico CNI plugins and network config on
86 # each master and worker node in a Kubernetes cluster.
# NOTE(review): the kind line is not visible in this listing. For DaemonSet
# and Deployment workloads, extensions/v1beta1 is no longer served as of
# Kubernetes 1.16; apps/v1 is the replacement and requires an explicit
# spec.selector.
88 apiVersion: extensions/v1beta1
91 namespace: kube-system
107 # This, along with the CriticalAddonsOnly toleration below,
108 # marks the pod as a critical add-on, ensuring it gets
109 # priority scheduling and that its resources are reserved
110 # if it ever gets evicted.
# NOTE(review): this alpha annotation was later deprecated in favour of
# spec.priorityClassName; check which mechanism the target cluster honours.
111 scheduler.alpha.kubernetes.io/critical-pod: ''
114 beta.kubernetes.io/os: linux
117 # Make sure calico-node gets scheduled on all nodes.
120 # Mark the pod as a critical add-on for rescheduling.
121 - key: CriticalAddonsOnly
# The RBAC bound to this service account is not part of this listing; review
# it separately, since every node runs a pod with these permissions.
125 serviceAccountName: calico-node
126 # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
127 # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
# A grace period of 0 means the containers get no time for a clean shutdown.
128 terminationGracePeriodSeconds: 0
130 # Runs calico/node container on each Kubernetes node. This
131 # container programs network policy and routes on each
# NOTE(review): the image is referenced by tag only. Tags are mutable; pinning
# by digest (calico/node@sha256:<digest>) makes every node run the reviewed
# image.
134 image: calico/node:v3.3.2
136 # The location of the Calico etcd cluster.
137 - name: ETCD_ENDPOINTS
142 # Location of the CA certificate for etcd.
143 - name: ETCD_CA_CERT_FILE
148 # Location of the client key for etcd.
149 - name: ETCD_KEY_FILE
154 # Location of the client certificate for etcd.
155 - name: ETCD_CERT_FILE
160 # Set noderef for node controller.
161 - name: CALICO_K8S_NODE_REF
# Downward API: the value comes from the node the pod is scheduled on.
164 fieldPath: spec.nodeName
165 # Choose the backend to use.
166 - name: CALICO_NETWORKING_BACKEND
171 # Cluster type to identify the deployment type
174 # Auto-detect the BGP IP address.
# NOTE(review): can-reach picks the node address from the route towards the
# given destination, so startup here depends on resolving and routing to an
# external hostname. On restricted or air-gapped networks use a can-reach
# target inside your own network, or the interface= method.
177 - name: IP_AUTODETECTION_METHOD
178 value: "can-reach=www.google.com"
# IP-in-IP is encapsulation only; it does not encrypt pod traffic between
# nodes. (The value line is not visible in this listing.)
180 - name: CALICO_IPV4POOL_IPIP
182 # Set MTU for tunnel device used if ipip is enabled
183 - name: FELIX_IPINIPMTU
188 # The default IPv4 pool to create on startup if none exists. Pod IPs will be
189 # chosen from this range. Changing this value after installation will have
190 # no effect. This should fall within `--cluster-cidr`.
# Also check that this range does not overlap the node or site networks.
191 - name: CALICO_IPV4POOL_CIDR
192 value: "192.168.0.0/16"
193 # Disable file logging so `kubectl logs` works.
194 - name: CALICO_DISABLE_FILE_LOGGING
196 # Set Felix endpoint to host default action to ACCEPT.
# NOTE(review): per the comment above (the value line itself is not visible),
# traffic from pods to the node is accepted by default. Services listening on
# the node are then reachable from any pod unless host endpoint policy
# restricts them; confirm this is intended.
197 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
199 # Disable IPv6 on Kubernetes.
200 - name: FELIX_IPV6SUPPORT
202 # Set Felix logging to "info"
203 - name: FELIX_LOGSEVERITYSCREEN
205 - name: FELIX_HEALTHENABLED
218 initialDelaySeconds: 10
# NOTE(review): the mounts below expose host paths (kernel modules, the
# xtables lock, Calico state directories) to the container. Its
# securityContext and any readOnly flags are not visible in this listing;
# confirm them when assessing what a compromised container could reach.
228 - mountPath: /lib/modules
231 - mountPath: /run/xtables.lock
234 - mountPath: /var/run/calico
237 - mountPath: /var/lib/calico
240 - mountPath: /calico-secrets
242 # This container installs the Calico CNI binaries
243 # and CNI network config file on each node.
# NOTE(review): this container writes into the host CNI directories mounted
# below (/host/opt/cni/bin, /host/etc/cni/net.d). Binaries placed there are
# executed on the node, so the integrity of this image matters as much as
# that of calico/node; pin it by digest as well.
245 image: calico/cni:v3.3.2
246 command: ["/install-cni.sh"]
248 # Name of the CNI config file to create.
249 - name: CNI_CONF_NAME
250 value: "10-calico.conflist"
251 # The location of the Calico etcd cluster.
252 - name: ETCD_ENDPOINTS
257 # The CNI network config to install on each node.
258 - name: CNI_NETWORK_CONFIG
262 key: cni_network_config
263 # CNI MTU Config variable
270 - mountPath: /host/opt/cni/bin
272 - mountPath: /host/etc/cni/net.d
274 - mountPath: /calico-secrets
277 # Used by calico/node.
281 - name: var-run-calico
283 path: /var/run/calico
284 - name: var-lib-calico
286 path: /var/lib/calico
289 path: /run/xtables.lock
291 # Used to install CNI.
298 # Mount in the etcd TLS secrets with mode 400.
299 # See https://kubernetes.io/docs/concepts/configuration/secret/
# Mode 400 makes the mounted files readable by their owner only; the line
# that sets the mode is not visible in this listing.
302 secretName: calico-etcd-secrets
310 namespace: kube-system
314 # This manifest deploys the Calico Kubernetes controllers.
315 # See https://github.com/projectcalico/kube-controllers
# NOTE(review): the kind line is not visible in this listing. For Deployment
# and DaemonSet workloads, extensions/v1beta1 is no longer served as of
# Kubernetes 1.16; apps/v1 is the replacement and requires an explicit
# spec.selector.
316 apiVersion: extensions/v1beta1
319 name: calico-kube-controllers
320 namespace: kube-system
322 k8s-app: calico-kube-controllers
# NOTE(review): this alpha annotation was later deprecated in favour of
# spec.priorityClassName; check which mechanism the target cluster honours.
324 scheduler.alpha.kubernetes.io/critical-pod: ''
326 # The controllers can only have a single active instance.
332 name: calico-kube-controllers
333 namespace: kube-system
335 k8s-app: calico-kube-controllers
338 beta.kubernetes.io/os: linux
339 # The controllers must run in the host network namespace so that
340 # it isn't governed by policy that would prevent it from working.
# NOTE(review): a pod in the host network namespace shares the node's network
# stack, so pod network policy does not constrain it. The hostNetwork line
# itself is not visible in this listing.
343 # Mark the pod as a critical add-on for rescheduling.
344 - key: CriticalAddonsOnly
# Presumably a toleration that lets the pod run on master nodes; its effect
# line is not visible here.
346 - key: node-role.kubernetes.io/master
# The RBAC bound to this service account is not part of this listing; review
# it together with the ENABLED_CONTROLLERS list below.
348 serviceAccountName: calico-kube-controllers
350 - name: calico-kube-controllers
# NOTE(review): referenced by tag only. Tags are mutable; pinning by digest
# (calico/kube-controllers@sha256:<digest>) fixes the image that is deployed.
351 image: calico/kube-controllers:v3.3.2
353 # The location of the Calico etcd cluster.
354 - name: ETCD_ENDPOINTS
359 # Location of the CA certificate for etcd.
360 - name: ETCD_CA_CERT_FILE
365 # Location of the client key for etcd.
366 - name: ETCD_KEY_FILE
371 # Location of the client certificate for etcd.
372 - name: ETCD_CERT_FILE
377 # Choose which controllers to run.
# Each controller named here syncs one kind of Kubernetes object into the
# Calico etcd datastore, so this pod needs write access to that datastore;
# trim the list to what the cluster uses.
378 - name: ENABLED_CONTROLLERS
379 value: policy,namespace,serviceaccount,workloadendpoint,node
381 # Mount in the etcd TLS secrets.
382 - mountPath: /calico-secrets
# Presumably the exec command of a readiness probe; the surrounding probe
# lines are not visible in this listing.
387 - /usr/bin/check-status
390 # Mount in the etcd TLS secrets with mode 400.
391 # See https://kubernetes.io/docs/concepts/configuration/secret/
# Mode 400 makes the mounted files readable by their owner only; the line
# that sets the mode is not visible in this listing.
394 secretName: calico-etcd-secrets
402 name: calico-kube-controllers
403 namespace: kube-system