1 # yamllint disable
# This is a modified Calico DaemonSet manifest.
# It is based on: https://docs.projectcalico.org/v3.6/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml
4 ---
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
# Shared settings for the calico-node DaemonSet; every key below is consumed
# through a configMapKeyRef in that DaemonSet's init or main containers.
data:
  # "none": no Typha service is used; calico-node reaches the datastore
  # (the Kubernetes API, see DATASTORE_TYPE in the DaemonSet) directly.
  typha_service_name: "none"
  # Route distribution backend (BIRD / BGP).
  calico_backend: "bird"
  # MTU for pod veths and the IPIP tunnel; also injected into the CNI
  # template below as __CNI_MTU__ (install-cni receives it as CNI_MTU).
  veth_mtu: "1440"
  # Template for the CNI conflist that the install-cni init container writes
  # to the host. The __NAME__ placeholders are substituted at install time;
  # __CNI_MTU__ is deliberately unquoted because it becomes a JSON number.
  # The chained "portmap" plugin implements hostPort mappings with SNAT.
  # Do not add comments inside the block scalar: it must stay valid JSON.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "mtu": __CNI_MTU__,
          "ipam": {
            "type": "calico-ipam"
          },
          "policy": {
              "type": "k8s"
          },
          "kubernetes": {
              "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        }
      ]
    }
42 ---
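# Calico custom resource definitions.
#
# apiextensions.k8s.io/v1 (served since Kubernetes 1.16, the only CRD API
# from 1.22 on) has no `spec.version` field: each served version is listed
# under `spec.versions` and must carry a structural schema, otherwise the
# API server rejects the object ("spec.versions: Required value"). The
# schema used here only pins the root to an object and keeps unknown fields,
# which is the minimum a v1 CRD accepts and matches the schema-less
# behaviour of the original v1beta1 definitions.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: FelixConfiguration
    plural: felixconfigurations
    singular: felixconfiguration
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ipamblocks.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: IPAMBlock
    plural: ipamblocks
    singular: ipamblock
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: blockaffinities.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: BlockAffinity
    plural: blockaffinities
    singular: blockaffinity
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ipamhandles.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: IPAMHandle
    plural: ipamhandles
    singular: ipamhandle
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ipamconfigs.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: IPAMConfig
    plural: ipamconfigs
    singular: ipamconfig
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgppeers.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: BGPPeer
    plural: bgppeers
    singular: bgppeer
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: BGPConfiguration
    plural: bgpconfigurations
    singular: bgpconfiguration
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: IPPool
    plural: ippools
    singular: ippool
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: hostendpoints.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: HostEndpoint
    plural: hostendpoints
    singular: hostendpoint
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterinformations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: ClusterInformation
    plural: clusterinformations
    singular: clusterinformation
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: GlobalNetworkPolicy
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: globalnetworksets.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: GlobalNetworkSet
    plural: globalnetworksets
    singular: globalnetworkset
---
# The only namespaced Calico resource in this set.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: networkpolicies.crd.projectcalico.org
spec:
  scope: Namespaced
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: NetworkPolicy
    plural: networkpolicies
    singular: networkpolicy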
211 ---
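kind: ClusterRole
# rbac.authorization.k8s.io/v1 carries the same schema as v1beta1, which is
# deprecated and no longer served from Kubernetes 1.22 on.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
# Permissions for the calico-kube-controllers Deployment (only the node
# controller is enabled there, see ENABLED_CONTROLLERS). Everything is
# read-only except the IPAM bookkeeping objects and ClusterInformation.
rules:
  # Nodes are watched so the controller can react to node removal.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - watch
      - list
      - get
  # Pods are only read.
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
  # IP pools are read to know the allocation layout.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
    verbs:
      - list
  # IPAM bookkeeping: the only delete verb in this role, presumably used to
  # release allocations that belonged to nodes that no longer exist.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # ClusterInformation is created/updated by the controller (no delete).
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - clusterinformations
    verbs:
      - get
      - create
      - update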
252 ---
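kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1 carries the same schema as v1beta1, which is
# deprecated and no longer served from Kubernetes 1.22 on.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
# Grants the calico-kube-controllers ClusterRole to the ServiceAccount of the
# same name in kube-system (defined at the end of this file).
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system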
265 ---
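kind: ClusterRole
# rbac.authorization.k8s.io/v1 carries the same schema as v1beta1, which is
# deprecated and no longer served from Kubernetes 1.22 on.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
# Permissions for the calico-node DaemonSet (Felix, BIRD and the CNI plugin
# share this ServiceAccount). Outside the crd.projectcalico.org group the
# role is read-only except for nodes/status and pods/status. The per-rule
# comments follow the upstream manifest this file derives from.
rules:
  # The CNI plugin looks up the pod, its node and its namespace.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  # Service/endpoint discovery (service IP advertisement, Typha lookup).
  - apiGroups: [""]
    resources:
      - endpoints
      - services
    verbs:
      - watch
      - list
      - get
  # Calico stores some per-node configuration in node annotations.
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      - patch
      - update
  # Kubernetes NetworkPolicy objects are translated into Calico policy.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  # Policy evaluation needs pod labels, namespaces and service accounts.
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
      - serviceaccounts
    verbs:
      - list
      - watch
  # The CNI plugin patches pods/status.
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  # Calico configuration and policy resources are watched. Note that
  # globalfelixconfigs and globalbgpconfigs have no CRD in this file; they
  # are legacy names carried over from upstream and grant nothing here.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - ipamblocks
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - clusterinformations
      - hostendpoints
    verbs:
      - get
      - list
      - watch
  # Created/updated on startup (default IP pool, Felix config, cluster info).
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
      - felixconfigurations
      - clusterinformations
    verbs:
      - create
      - update
  # Node objects are watched for peer discovery and configuration.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # Upstream marks these write verbs as needed only when upgrading from old
  # Calico releases; drop them on a fresh install to stay least-privilege.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgpconfigurations
      - bgppeers
    verbs:
      - create
      - update
  # IPAM bookkeeping for the CNI plugin; the only delete verb in this role.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # IPAM configuration is read-only.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ipamconfigs
    verbs:
      - get
  # BIRD/confd watches block affinities for route aggregation.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
    verbs:
      - watch
  # Used by the IPAM upgrade (upgrade-ipam init container); removable when
  # there is no host-local IPAM state left to migrate.
  - apiGroups: ["apps"]
    resources:
      - daemonsets
    verbs:
      - get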
377 ---
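# rbac.authorization.k8s.io/v1 carries the same schema as v1beta1, which is
# deprecated and no longer served from Kubernetes 1.22 on.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-node
# Grants the calico-node ClusterRole to the ServiceAccount of the same name
# in kube-system, which the calico-node DaemonSet runs as.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-node
subjects:
  - kind: ServiceAccount
    name: calico-node
    namespace: kube-system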
390 ---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
# Runs calico-node on every Linux node: installs the CNI binaries and
# conflist, then runs Felix (policy / dataplane) and BIRD (BGP).
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  # Roll one node at a time so a bad image cannot take the whole network down.
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        # Legacy critical-pod marker; newer clusters express this with
        # priorityClassName: system-node-critical. TODO confirm the target
        # Kubernetes version still honours the annotation.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      # Runs in the host network namespace: it programs the node's routing
      # table and iptables, so it is effectively a node-level component.
      hostNetwork: true
      # Schedule on every node, including tainted and not-ready ones.
      tolerations:
        - effect: NoSchedule
          operator: Exists
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: calico-node
      # Stop immediately; there is no in-flight work to drain.
      terminationGracePeriodSeconds: 0
      initContainers:
        # Intended to migrate host-local IPAM state (/var/lib/cni/networks)
        # into Calico IPAM; a no-op on a fresh install.
        - name: upgrade-ipam
          image: calico/cni:v3.6.1
          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
          env:
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
          volumeMounts:
            - mountPath: /var/lib/cni/networks
              name: host-local-net-dir
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
        # Copies the CNI binaries to /opt/cni/bin on the host and renders the
        # conflist from cni_network_config, filling in the __NAME__
        # placeholders from the environment below.
        - name: install-cni
          image: calico/cni:v3.6.1
          command: ["/install-cni.sh"]
          env:
            # File name of the rendered conflist inside the CNI config
            # directory mounted at /host/etc/cni/net.d.
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Substituted for __CNI_MTU__ in the conflist.
            - name: CNI_MTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # Exit once the files are installed instead of sleeping forever.
            - name: SLEEP
              value: "false"
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      containers:
        - name: calico-node
          image: calico/node:v3.6.1
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # Set based on the k8s node name.
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Choose the backend to use.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,bgp"
            # Auto-detect the BGP IP address.
            - name: IP
              value: "autodetect"
            # NOTE(review): node address detection depends on being able to
            # reach an external host; on nodes without internet egress
            # calico-node cannot pick an address and stays unready. An
            # interface=<regex> or can-reach=<in-cluster address> method
            # avoids the external dependency — confirm the node topology.
            - name: IP_AUTODETECTION_METHOD
              value: "can-reach=www.google.com"
            # Enable IPIP
            - name: CALICO_IPV4POOL_IPIP
              value: "Always"
            # Set MTU for tunnel device used if ipip is enabled
            - name: FELIX_IPINIPMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
            # chosen from this range. Changing this value after installation will have
            # no effect. This should fall within `--cluster-cidr`.
            - name: CALICO_IPV4POOL_CIDR
              value: "10.244.0.0/16"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint to host default action to ACCEPT.
            # Pod-to-host traffic that matches no policy is accepted rather
            # than dropped (Felix's default is Drop); review this if host
            # services must be shielded from workloads.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Disable IPv6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Set Felix logging to "info"
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Exposes the health endpoint on localhost:9099 that the
            # livenessProbe below relies on.
            - name: FELIX_HEALTHENABLED
              value: "true"
          # Required for iptables, routing and kernel module access. Combined
          # with hostNetwork and the hostPath mounts below this container is
          # equivalent to root on the node: keep the image pinned and the
          # ServiceAccount's ClusterRole as narrow as it is.
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          # Felix health endpoint (see FELIX_HEALTHENABLED).
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
              host: localhost
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          # Ready only once both BIRD and Felix report ready.
          readinessProbe:
            exec:
              command:
              - /bin/calico-node
              - -bird-ready
              - -felix-ready
            periodSeconds: 10
          volumeMounts:
            # Kernel modules are only read (for loading ipip etc.).
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            # Lock file shared with other iptables users on the host.
            - mountPath: /run/xtables.lock
              name: xtables-lock
              readOnly: false
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
      volumes:
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        # Host directory the CNI binaries are copied into.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        # Calico's conflist is written to a Multus-specific directory instead
        # of /etc/cni/net.d, presumably so that Multus stays the primary CNI
        # configuration on the host and delegates to Calico — confirm against
        # the Multus configuration in this directory tree.
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/multus/calico/net.d
        # host-local IPAM state read by the upgrade-ipam init container.
        - name: host-local-net-dir
          hostPath:
            path: /var/lib/cni/networks
585 ---
# Identity the calico-node DaemonSet runs as; bound to the calico-node
# ClusterRole above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-node
  namespace: kube-system
591 ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
  annotations:
    # Legacy critical-pod marker; newer clusters express this with
    # priorityClassName. TODO confirm the target version still honours it.
    scheduler.alpha.kubernetes.io/critical-pod: ''
# Single-instance controller that reacts to Kubernetes API events; only the
# node controller is enabled here (see ENABLED_CONTROLLERS).
spec:
  selector:
    matchLabels:
      k8s-app: calico-kube-controllers
  # One active instance at a time: a single replica replaced with Recreate
  # rather than a rolling update.
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
      labels:
        k8s-app: calico-kube-controllers
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      # May land on control-plane nodes; unlike calico-node it does not need
      # to run everywhere.
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      serviceAccountName: calico-kube-controllers
      containers:
        - name: calico-kube-controllers
          image: calico/kube-controllers:v3.6.1
          env:
            # Only the node controller runs (matches the ClusterRole grants).
            - name: ENABLED_CONTROLLERS
              value: node
            # Same datastore as calico-node: the Kubernetes API.
            - name: DATASTORE_TYPE
              value: kubernetes
          # check-status -r: readiness check of the controller process.
          readinessProbe:
            exec:
              command:
              - /usr/bin/check-status
              - -r
636 ---
# Identity the calico-kube-controllers Deployment runs as; bound to the
# calico-kube-controllers ClusterRole above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system