Upgrade ovn-kubernetes CNI to latest release
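---
# ovnkube-node
# daemonset version 3
# starts node daemons for ovs and ovn, each in a separate container
# it is run on all nodes
#
# Privilege summary (for reviewers): the pod shares the host network and
# PID namespaces and every container runs as uid 0. On top of that,
# ovs-daemons is fully privileged, ovn-controller adds CAP_SYS_NICE, and
# ovnkube-node adds CAP_NET_ADMIN/SYS_ADMIN/SYS_PTRACE plus writable hostPath
# mounts of the node's CNI binary and config directories. Anything that can
# change this DaemonSet, the `ovn` service account, or the image it pulls is
# therefore node-root-equivalent on every node in the cluster.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: ovnkube-node
  # namespace set up by install
  namespace: ovn-kubernetes
  annotations:
    kubernetes.io/description: |
      This DaemonSet launches the ovn-kubernetes networking components for worker nodes.
spec:
  selector:
    matchLabels:
      app: ovnkube-node
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: ovnkube-node
        name: ovnkube-node
        component: network
        type: infra
        kubernetes.io/os: "linux"
      annotations:
        # Legacy critical-pod marker, kept only for clusters that predate pod
        # priority. Current releases ignore it; `priorityClassName` in the pod
        # spec below is the supported replacement.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # Requires fairly broad permissions - ability to read all services and network functions as well
      # as all pods.
      serviceAccountName: ovn
      # Built-in priority class: keeps the CNI daemons from being evicted under
      # node pressure and schedules them ahead of ordinary workloads.
      priorityClassName: system-node-critical
      # Host network and PID namespaces are shared by all three containers.
      # Note that hostPID combined with the CAP_SYS_PTRACE granted to the
      # ovnkube-node container lets root in that container reach the host
      # root filesystem via /proc/<host-pid>/root, so the read-only hostPath
      # mounts below limit accidents, not a compromised container.
      hostNetwork: true
      hostPID: true
      containers:

      # ovsdb-server and ovs-switchd daemons
      - name: ovs-daemons
        # The default tag is the mutable `latest`. Combined with the
        # IfNotPresent default below, a node that already cached an older
        # `latest` keeps running it, so a rolling update can leave a mixed
        # fleet. For production set ovn_image to a digest (image@sha256:...)
        # or an immutable tag.
        image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
        imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"

        command: ["/root/ovnkube.sh", "ovs-server"]

        livenessProbe:
          exec:
            command:
            - /usr/share/openvswitch/scripts/ovs-ctl
            - status
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60
        readinessProbe:
          exec:
            command: ["/usr/bin/ovn-kube-util", "readiness-probe", "-t", "ovs-daemons"]
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60

        securityContext:
          runAsUser: 0
          # Permission could be reduced by selecting an appropriate SELinux policy
          # Privileged is the broadest grant in this pod: all capabilities,
          # no device cgroup restrictions, host /sys and kernel modules visible.
          privileged: true

        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /lib/modules
          name: host-modules
          readOnly: true
        # /run/openvswitch and /var/run/openvswitch are where OVS keeps its
        # control sockets; write access here is equivalent to reprogramming
        # the node datapath, which is exactly this container's job.
        - mountPath: /run/openvswitch
          name: host-run-ovs
        - mountPath: /var/run/openvswitch
          name: host-var-run-ovs
        - mountPath: /sys
          name: host-sys
          readOnly: true
        - mountPath: /etc/openvswitch
          name: host-config-openvswitch
        # The only container in this pod with limits; the other two are
        # request-only and can grow unbounded on the node.
        resources:
          requests:
            cpu: 100m
            memory: 300Mi
          limits:
            cpu: 200m
            memory: 400Mi
        env:
        - name: OVN_DAEMONSET_VERSION
          value: "3"
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        lifecycle:
          preStop:
            exec:
              command: ["/root/ovnkube.sh", "cleanup-ovs-server"]

      - name: ovn-controller
        # Same image and pull-policy caveats as ovs-daemons above.
        image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
        imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"

        command: ["/root/ovnkube.sh", "ovn-controller"]

        # Not privileged: root plus CAP_SYS_NICE only. Its real power comes
        # from the writable OVS control-socket mounts below, not from
        # capabilities.
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["SYS_NICE"]

        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/dbus/
          name: host-var-run-dbus
          readOnly: true
        # The same host directory is mounted under both the openvswitch and
        # ovn paths (logs and run dirs) so either naming convention works.
        - mountPath: /var/log/openvswitch/
          name: host-var-log-ovs
        - mountPath: /var/log/ovn/
          name: host-var-log-ovs
        - mountPath: /var/run/openvswitch/
          name: host-var-run-ovs
        - mountPath: /var/run/ovn/
          name: host-var-run-ovs
        # TLS material for the OVN southbound connection when OVN_SSL_ENABLE
        # is set; read-only, and /etc/ovn on the host is created if missing
        # (see the host-ovn-cert volume).
        - mountPath: /ovn-cert
          name: host-ovn-cert
          readOnly: true

        resources:
          requests:
            cpu: 100m
            memory: 300Mi
        env:
        - name: OVN_DAEMONSET_VERSION
          value: "3"
        - name: OVN_LOG_CONTROLLER
          value: "{{ ovn_loglevel_controller }}"
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        - name: OVN_KUBERNETES_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: OVN_SSL_ENABLE
          value: "{{ ovn_ssl_en }}"

        readinessProbe:
          exec:
            command: ["/usr/bin/ovn-kube-util", "readiness-probe", "-t", "ovn-controller"]
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60

      - name: ovnkube-node
        # Same image and pull-policy caveats as ovs-daemons above.
        image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
        imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"

        command: ["/root/ovnkube.sh", "ovn-node"]

        # NET_ADMIN for interfaces/routes/iptables, SYS_ADMIN for mount and
        # namespace operations, SYS_PTRACE for entering pod network
        # namespaces. With hostPID above, SYS_ADMIN+SYS_PTRACE as uid 0 is
        # close to privileged in practice even when `privileged` is unset.
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE"]
          # `kind` appears to be the KIND (Kubernetes-in-Docker) toggle —
          # TODO confirm; when set it additionally makes this container
          # fully privileged and bind-mounts the host netns directory below.
          {% if kind is defined and kind -%}
          privileged: true
          {% endif %}

        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # for the iptables wrapper
        # Read-only applies to this mount point only; the container still
        # holds CAP_SYS_ADMIN and can create mounts of its own.
        - mountPath: /host
          name: host-slash
          readOnly: true
        - mountPath: /var/run/dbus/
          name: host-var-run-dbus
          readOnly: true
        - mountPath: /var/log/ovn-kubernetes/
          name: host-var-log-ovnkube
        - mountPath: /var/run/openvswitch/
          name: host-var-run-ovs
        - mountPath: /var/run/ovn/
          name: host-var-run-ovs
        # We mount our socket here
        - mountPath: /var/run/ovn-kubernetes
          name: host-var-run-ovn-kubernetes
        # CNI related mounts which we take over
        # Writable on purpose: the CNI plugin binary and its config are
        # installed from here. Whoever controls this image controls network
        # setup for every pod subsequently started on the node.
        - mountPath: /opt/cni/bin
          name: host-opt-cni-bin
        - mountPath: /etc/cni/net.d
          name: host-etc-cni-netd
        - mountPath: /ovn-cert
          name: host-ovn-cert
          readOnly: true
        {% if kind is defined and kind -%}
        # Bidirectional propagation is required so netns mounts created by
        # the CNI plugin are visible to the host; it is also the most
        # permissive propagation mode and is only enabled in the kind case.
        - mountPath: /var/run/netns
          name: host-netns
          mountPropagation: Bidirectional
        {% endif %}

        resources:
          requests:
            cpu: 100m
            memory: 300Mi
        env:
        - name: OVN_DAEMONSET_VERSION
          value: "3"
        - name: OVNKUBE_LOGLEVEL
          value: "{{ ovnkube_node_loglevel }}"
        - name: OVN_NET_CIDR
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: net_cidr
        - name: OVN_SVC_CIDR
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: svc_cidr
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        - name: OVN_MTU
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: mtu
        - name: K8S_NODE
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        # The following are rendered by the template engine with no default;
        # an undefined variable yields an empty string (or a render error under
        # StrictUndefined) rather than a YAML null, because the values are quoted.
        - name: OVN_GATEWAY_MODE
          value: "{{ ovn_gateway_mode }}"
        - name: OVN_GATEWAY_OPTS
          value: "{{ ovn_gateway_opts }}"
        - name: OVN_HYBRID_OVERLAY_ENABLE
          value: "{{ ovn_hybrid_overlay_enable }}"
        - name: OVN_HYBRID_OVERLAY_NET_CIDR
          value: "{{ ovn_hybrid_overlay_net_cidr }}"
        - name: OVN_SSL_ENABLE
          value: "{{ ovn_ssl_en }}"

        lifecycle:
          preStop:
            exec:
              command: ["/root/ovnkube.sh", "cleanup-ovn-node"]
        readinessProbe:
          exec:
            command: ["/usr/bin/ovn-kube-util", "readiness-probe", "-t", "ovnkube-node"]
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60

      nodeSelector:
        kubernetes.io/os: "linux"
      # Host paths. Only host-ovn-cert declares a `type`, so the kubelet
      # performs no existence or kind check before mounting the others.
      volumes:
      - name: host-modules
        hostPath:
          path: /lib/modules

      - name: host-var-run-dbus
        hostPath:
          path: /var/run/dbus
      - name: host-var-log-ovs
        hostPath:
          path: /var/log/openvswitch
      - name: host-var-log-ovnkube
        hostPath:
          path: /var/log/ovn-kubernetes
      - name: host-run-ovs
        hostPath:
          path: /run/openvswitch
      - name: host-var-run-ovs
        hostPath:
          path: /var/run/openvswitch
      - name: host-var-run-ovn-kubernetes
        hostPath:
          path: /var/run/ovn-kubernetes
      - name: host-sys
        hostPath:
          path: /sys
      - name: host-opt-cni-bin
        hostPath:
          path: /opt/cni/bin
      - name: host-etc-cni-netd
        hostPath:
          path: /etc/cni/net.d
      # Holds the OVN TLS key/cert; created on the host if absent so the
      # read-only mounts above succeed even when SSL is disabled.
      - name: host-ovn-cert
        hostPath:
          path: /etc/ovn
          type: DirectoryOrCreate
      # Entire host filesystem; mounted read-only into ovnkube-node only.
      - name: host-slash
        hostPath:
          path: /
      # /etc/origin/... is the OpenShift-origin layout — presumably kept for
      # compatibility with existing installs; verify on non-origin hosts.
      - name: host-config-openvswitch
        hostPath:
          path: /etc/origin/openvswitch
      {% if kind is defined and kind -%}
      - name: host-netns
        hostPath:
          path: /var/run/netns
      {% endif %}

      # Run on every node, including tainted/control-plane nodes.
      tolerations:
      - operator: "Exists"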