Upgrade ovn-kubernetes CNI to latest release
[iec.git] / src / foundation / scripts / cni / ovn-kubernetes / yaml / ovnkube-node.yaml
# yamllint disable rule:hyphens rule:commas rule:indentation
---
# ovnkube-node
# daemonset version 3
# starts node daemons for ovs and ovn, each in a separate container
# it is run on all nodes
#
# Security posture, in short: hostNetwork + hostPID, one privileged container,
# NET_ADMIN/SYS_ADMIN/SYS_PTRACE on another, and writable host mounts of the
# CNI binary and config directories.  Code execution inside this pod is
# equivalent to root on the node, so the image source and the RBAC bound to
# the `ovn` ServiceAccount are the real trust boundary, not the per-container
# settings below.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: ovnkube-node
  # namespace set up by install
  namespace: ovn-kubernetes
  annotations:
    kubernetes.io/description: |
      This DaemonSet launches the ovn-kubernetes networking components for worker nodes.
spec:
  selector:
    matchLabels:
      app: ovnkube-node
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: ovnkube-node
        name: ovnkube-node
        component: network
        type: infra
        kubernetes.io/os: "linux"
      annotations:
        # NOTE(review): this annotation is ignored on Kubernetes 1.16 and later
        # (the ExperimentalCriticalPodAnnotation gate was removed there);
        # `priorityClassName: system-node-critical` is the replacement.  Not
        # switched here because clusters older than 1.17 accept the system-*
        # classes only in kube-system and this pod lives in ovn-kubernetes --
        # confirm the target cluster version before changing it.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # Requires fairly broad permissions - ability to read all services and network functions as well
      # as all pods.
      # automountServiceAccountToken is not set here, so (unless the
      # ServiceAccount object itself disables it) the token is mounted into
      # all three containers, not only the one that talks to the API server.
      serviceAccountName: ovn
      # hostNetwork: whatever the daemons listen on is bound on the node's own
      # addresses.  hostPID: the containers see every process on the node,
      # which together with SYS_PTRACE (ovnkube-node) and privileged
      # (ovs-daemons) below removes most of the isolation a pod normally has.
      hostNetwork: true
      hostPID: true
      containers:

      # ovsdb-server and ovs-switchd daemons
      # All three containers run this same image.  The tag is a date, not a
      # digest, and with IfNotPresent a node that already cached the tag keeps
      # the cached bits even if the tag is later republished.  Pin by digest
      # (image@sha256:...) for a reproducible, verifiable rollout.
      - name: ovs-daemons
        image: "iecedge/ovn-daemonset-ubuntu:2020-04-16"
        imagePullPolicy: "IfNotPresent"

        command: ["/root/ovnkube.sh", "ovs-server"]

        livenessProbe:
          exec:
            command:
            - /usr/share/openvswitch/scripts/ovs-ctl
            - status
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60
        readinessProbe:
          exec:
            command: ["/usr/bin/ovn-kube-util", "readiness-probe", "-t", "ovs-daemons"]
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60

        securityContext:
          runAsUser: 0
          # Permission could be reduced by selecting an appropriate SELinux policy
          # privileged grants every capability plus host device access, which
          # also makes the readOnly flags on the mounts below advisory: a
          # privileged root process can remount, or open the block device.
          privileged: true

        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /lib/modules
          name: host-modules
          readOnly: true
        # /run/openvswitch and /var/run/openvswitch come from two different
        # hostPath volumes; on hosts where /var/run is a symlink to /run they
        # are the same directory.
        - mountPath: /run/openvswitch
          name: host-run-ovs
        - mountPath: /var/run/openvswitch
          name: host-var-run-ovs
        - mountPath: /sys
          name: host-sys
          readOnly: true
        # Backed by the host's /etc/origin/openvswitch (see volumes), an
        # OpenShift-style path -- verify this is intended for the target
        # distro, otherwise the OVS database lives where host-side ovs tooling
        # does not look for it.
        - mountPath: /etc/openvswitch
          name: host-config-openvswitch
        # Only this container carries limits.  An OOM kill here takes the
        # node's whole dataplane down, so the memory limit is an availability
        # risk as much as a safeguard; size it for the flow table on the
        # largest nodes.
        resources:
          requests:
            cpu: 100m
            memory: 300Mi
          limits:
            cpu: 200m
            memory: 400Mi
        env:
        - name: OVN_DAEMONSET_VERSION
          value: "3"
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        lifecycle:
          preStop:
            exec:
              command: ["/root/ovnkube.sh", "cleanup-ovs-server"]

      - name: ovn-controller
        image: "iecedge/ovn-daemonset-ubuntu:2020-04-16"
        imagePullPolicy: "IfNotPresent"

        command: ["/root/ovnkube.sh", "ovn-controller"]

        # Not privileged: only SYS_NICE on top of the runtime's default
        # capability set (presumably for ovn-controller's scheduling priority
        # -- confirm against ovnkube.sh).
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["SYS_NICE"]

        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/dbus/
          name: host-var-run-dbus
          readOnly: true
        # The same host directory is mounted at both the openvswitch and the
        # ovn path (log and run alike) -- presumably to cover both the
        # pre-split and post-split OVN directory layouts; confirm.
        - mountPath: /var/log/openvswitch/
          name: host-var-log-ovs
        - mountPath: /var/log/ovn/
          name: host-var-log-ovs
        - mountPath: /var/run/openvswitch/
          name: host-var-run-ovs
        - mountPath: /var/run/ovn/
          name: host-var-run-ovs
        - mountPath: /ovn-cert
          name: host-ovn-cert
          readOnly: true

        resources:
          requests:
            cpu: 100m
            memory: 300Mi
        env:
        - name: OVN_DAEMONSET_VERSION
          value: "3"
        - name: OVN_LOG_CONTROLLER
          value: "-vconsole:info"
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        - name: OVN_KUBERNETES_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # SSL off: ovn-controller's session to the OVN southbound database is
        # plaintext TCP with no peer authentication, so anything that can
        # reach the SB DB port on the node network can read and inject
        # logical flows.  The /ovn-cert mount above is unused in this mode.
        # Turning this on presumably needs certs provisioned under /etc/ovn on
        # every node and the matching setting on the database side -- confirm
        # against ovnkube.sh.
        - name: OVN_SSL_ENABLE
          value: "no"

        readinessProbe:
          exec:
            command: ["/usr/bin/ovn-kube-util", "readiness-probe", "-t", "ovn-controller"]
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60

      - name: ovnkube-node
        image: "iecedge/ovn-daemonset-ubuntu:2020-04-16"
        imagePullPolicy: "IfNotPresent"

        command: ["/root/ovnkube.sh", "ovn-node"]

        # NET_ADMIN is what CNI work needs.  SYS_ADMIN and SYS_PTRACE under
        # hostPID are close to unrestricted root on the node (mounts, namespace
        # entry, tracing of host processes); presumably required by the
        # ovn-node mode of ovnkube.sh -- if so they cannot be trimmed here
        # without changing that script.
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE"]


        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # for the iptables wrapper
        # Read-only bind of the entire host filesystem: readOnly blocks
        # writes, but every file on the node (kubelet credentials,
        # /etc/shadow, other pods' volumes) is readable from this container.
        # If the wrapper only needs the host iptables binaries and libraries,
        # a narrower mount would shrink the exposure -- check what it resolves
        # before narrowing.
        - mountPath: /host
          name: host-slash
          readOnly: true
        - mountPath: /var/run/dbus/
          name: host-var-run-dbus
          readOnly: true
        - mountPath: /var/log/ovn-kubernetes/
          name: host-var-log-ovnkube
        - mountPath: /var/run/openvswitch/
          name: host-var-run-ovs
        - mountPath: /var/run/ovn/
          name: host-var-run-ovs
        # We mount our socket here
        - mountPath: /var/run/ovn-kubernetes
          name: host-var-run-ovn-kubernetes
        # CNI related mounts which we take over
        # Both are writable.  The kubelet executes whatever binary lands in
        # /opt/cni/bin, as root, on every pod sandbox creation, and trusts
        # the config in /etc/cni/net.d -- write access here is node root, so
        # a compromised image or container is a node compromise.
        - mountPath: /opt/cni/bin
          name: host-opt-cni-bin
        - mountPath: /etc/cni/net.d
          name: host-etc-cni-netd
        - mountPath: /ovn-cert
          name: host-ovn-cert
          readOnly: true


        resources:
          requests:
            cpu: 100m
            memory: 300Mi
        env:
        - name: OVN_DAEMONSET_VERSION
          value: "3"
        - name: OVNKUBE_LOGLEVEL
          value: "4"
        # Cluster shape comes from the ovn-config ConfigMap; the node name
        # from the downward API.
        - name: OVN_NET_CIDR
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: net_cidr
        - name: OVN_SVC_CIDR
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: svc_cidr
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        - name: OVN_MTU
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: mtu
        - name: K8S_NODE
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: OVN_GATEWAY_MODE
          value: "local"
        - name: OVN_GATEWAY_OPTS
          value: ""
        - name: OVN_HYBRID_OVERLAY_ENABLE
          value: ""
        - name: OVN_HYBRID_OVERLAY_NET_CIDR
          value: ""
        # Same caveat as in the ovn-controller container: the node-side OVN
        # connections are plaintext while this is "no".
        - name: OVN_SSL_ENABLE
          value: "no"

        lifecycle:
          preStop:
            exec:
              command: ["/root/ovnkube.sh", "cleanup-ovn-node"]
        readinessProbe:
          exec:
            command: ["/usr/bin/ovn-kube-util", "readiness-probe", "-t", "ovnkube-node"]
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60

      nodeSelector:
        kubernetes.io/os: "linux"
      # Host paths.  Apart from host-ovn-cert none declares a `type`, so the
      # kubelet performs no existence or type check and what happens when a
      # path is missing on the node depends on the container runtime.
      # Declaring `type: Directory` (or DirectoryOrCreate where creation is
      # wanted) would make the failure mode explicit.
      volumes:
      - name: host-modules
        hostPath:
          path: /lib/modules

      - name: host-var-run-dbus
        hostPath:
          path: /var/run/dbus
      - name: host-var-log-ovs
        hostPath:
          path: /var/log/openvswitch
      - name: host-var-log-ovnkube
        hostPath:
          path: /var/log/ovn-kubernetes
      - name: host-run-ovs
        hostPath:
          path: /run/openvswitch
      - name: host-var-run-ovs
        hostPath:
          path: /var/run/openvswitch
      - name: host-var-run-ovn-kubernetes
        hostPath:
          path: /var/run/ovn-kubernetes
      - name: host-sys
        hostPath:
          path: /sys
      - name: host-opt-cni-bin
        hostPath:
          path: /opt/cni/bin
      - name: host-etc-cni-netd
        hostPath:
          path: /etc/cni/net.d
      - name: host-ovn-cert
        hostPath:
          path: /etc/ovn
          # Created on the host if absent, so the /ovn-cert mounts above never
          # fail -- but an empty directory is all the containers see until
          # certs are actually provisioned there.
          type: DirectoryOrCreate
      # The whole host root, mounted read-only at /host in ovnkube-node.
      - name: host-slash
        hostPath:
          path: /
      # Note the path: /etc/origin/openvswitch, not /etc/openvswitch.
      - name: host-config-openvswitch
        hostPath:
          path: /etc/origin/openvswitch


      # No key and no effect: tolerates every taint, including NoExecute
      # ones, so the pod lands on every node (control plane included) and is
      # not removed by taint-based eviction when a node goes NotReady --
      # expected for a CNI daemon.
      tolerations:
      - operator: "Exists"