---
# ovnkube-node
# daemonset version 3
# starts node daemons for ovs and ovn, each in a separate container
# it is run on all nodes
#
# Privilege summary for reviewers (details at each field):
#   - pod shares the host network and host PID namespaces
#   - all three containers run as uid 0; ovs-daemons is privileged
#   - ovnkube-node adds NET_ADMIN, SYS_ADMIN and SYS_PTRACE and writes the
#     host CNI binary/config directories
#   - templated values ({{ ... }}) stay double-quoted so an empty or
#     boolean-looking expansion is still read as a string
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: ovnkube-node
  # namespace set up by install
  namespace: ovn-kubernetes
  annotations:
    kubernetes.io/description: |
      This DaemonSet launches the ovn-kubernetes networking components for worker nodes.
spec:
  selector:
    matchLabels:
      app: ovnkube-node
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: ovnkube-node
        name: ovnkube-node
        component: network
        type: infra
        kubernetes.io/os: 'linux'
      annotations:
        # NOTE(review): this annotation is deprecated and no longer honoured
        # by Kubernetes 1.16+, so the "critical pod" intent is silently lost
        # there. The replacement is priorityClassName: system-node-critical,
        # which older releases only admit for pods in kube-system - confirm
        # the supported cluster range before switching.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # Requires fairly broad permissions - ability to read all services and network functions as well
      # as all pods.
      serviceAccountName: ovn
      # Host network namespace: the containers see and configure the node's interfaces directly.
      hostNetwork: true
      # Host PID namespace: host processes are visible to every container in this pod.
      hostPID: true
      containers:
        # ovsdb-server and ovs-switchd daemons
        - name: ovs-daemons
          image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
          imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"
          command:
            - /root/ovnkube.sh
            - ovs-server
          # The only container with a liveness probe; the other two rely on readiness alone.
          livenessProbe:
            exec:
              command:
                - /usr/share/openvswitch/scripts/ovs-ctl
                - status
            initialDelaySeconds: 30
            timeoutSeconds: 30
            periodSeconds: 60
          readinessProbe:
            exec:
              command:
                - /usr/bin/ovn-kube-util
                - readiness-probe
                - -t
                - ovs-daemons
            initialDelaySeconds: 30
            timeoutSeconds: 30
            periodSeconds: 60
          securityContext:
            runAsUser: 0
            # Permission could be reduced by selecting an appropriate SELinux policy
            # Fully privileged: no capability bounding, no device restrictions.
            privileged: true
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /lib/modules
              name: host-modules
              readOnly: true
            - mountPath: /run/openvswitch
              name: host-run-ovs
            - mountPath: /var/run/openvswitch
              name: host-var-run-ovs
            - mountPath: /sys
              name: host-sys
              readOnly: true
            # Writable: the OVS database and config live here on the host.
            - mountPath: /etc/openvswitch
              name: host-config-openvswitch
          # Only this container carries limits; the other two are requests-only.
          resources:
            requests:
              cpu: 100m
              memory: 300Mi
            limits:
              cpu: 200m
              memory: 400Mi
          env:
            - name: OVN_DAEMONSET_VERSION
              value: '3'
            - name: K8S_APISERVER
              valueFrom:
                configMapKeyRef:
                  name: ovn-config
                  key: k8s_apiserver
          lifecycle:
            preStop:
              exec:
                command:
                  - /root/ovnkube.sh
                  - cleanup-ovs-server
        - name: ovn-controller
          image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
          imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"
          command:
            - /root/ovnkube.sh
            - ovn-controller
          securityContext:
            runAsUser: 0
            capabilities:
              # Least-privileged of the three containers: scheduling priority only.
              add:
                - SYS_NICE
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /var/run/dbus/
              name: host-var-run-dbus
              readOnly: true
            # Same host log directory exposed under both the OVS and the OVN path.
            - mountPath: /var/log/openvswitch/
              name: host-var-log-ovs
            - mountPath: /var/log/ovn/
              name: host-var-log-ovs
            # Same host run directory exposed under both the OVS and the OVN path.
            - mountPath: /var/run/openvswitch/
              name: host-var-run-ovs
            - mountPath: /var/run/ovn/
              name: host-var-run-ovs
            # TLS material for the OVN databases; never writable from the pod.
            - mountPath: /ovn-cert
              name: host-ovn-cert
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 300Mi
          env:
            - name: OVN_DAEMONSET_VERSION
              value: '3'
            - name: OVN_LOG_CONTROLLER
              value: "{{ ovn_loglevel_controller }}"
            - name: K8S_APISERVER
              valueFrom:
                configMapKeyRef:
                  name: ovn-config
                  key: k8s_apiserver
            - name: OVN_KUBERNETES_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: OVN_SSL_ENABLE
              value: "{{ ovn_ssl_en }}"
          readinessProbe:
            exec:
              command:
                - /usr/bin/ovn-kube-util
                - readiness-probe
                - -t
                - ovn-controller
            initialDelaySeconds: 30
            timeoutSeconds: 30
            periodSeconds: 60
        - name: ovnkube-node
          image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
          imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"
          command:
            - /root/ovnkube.sh
            - ovn-node
          securityContext:
            runAsUser: 0
            capabilities:
              # SYS_ADMIN is close to full root (mount, setns); together with
              # hostPID and SYS_PTRACE, host processes are within reach.
              add:
                - NET_ADMIN
                - SYS_ADMIN
                - SYS_PTRACE
            # `kind` is a template variable (presumably a KinD deployment - confirm
            # against the inventory). The -%} strips the newline so the rendered
            # key keeps this indentation.
            {% if kind is defined and kind -%}
            privileged: true
            {% endif %}
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            # for the iptables wrapper
            # Whole host filesystem, read-only.
            - mountPath: /host
              name: host-slash
              readOnly: true
            - mountPath: /var/run/dbus/
              name: host-var-run-dbus
              readOnly: true
            - mountPath: /var/log/ovn-kubernetes/
              name: host-var-log-ovnkube
            - mountPath: /var/run/openvswitch/
              name: host-var-run-ovs
            - mountPath: /var/run/ovn/
              name: host-var-run-ovs
            # We mount our socket here
            - mountPath: /var/run/ovn-kubernetes
              name: host-var-run-ovn-kubernetes
            # CNI related mounts which we take over
            # Writable on purpose: this container installs the CNI plugin and its
            # config on the host, so whatever lands here shapes every pod's networking.
            - mountPath: /opt/cni/bin
              name: host-opt-cni-bin
            - mountPath: /etc/cni/net.d
              name: host-etc-cni-netd
            - mountPath: /ovn-cert
              name: host-ovn-cert
              readOnly: true
            # Bidirectional propagation is only accepted for a privileged
            # container, which the same condition grants above.
            {% if kind is defined and kind -%}
            - mountPath: /var/run/netns
              name: host-netns
              mountPropagation: Bidirectional
            {% endif %}
          resources:
            requests:
              cpu: 100m
              memory: 300Mi
          env:
            - name: OVN_DAEMONSET_VERSION
              value: '3'
            - name: OVNKUBE_LOGLEVEL
              value: "{{ ovnkube_node_loglevel }}"
            - name: OVN_NET_CIDR
              valueFrom:
                configMapKeyRef:
                  name: ovn-config
                  key: net_cidr
            - name: OVN_SVC_CIDR
              valueFrom:
                configMapKeyRef:
                  name: ovn-config
                  key: svc_cidr
            - name: K8S_APISERVER
              valueFrom:
                configMapKeyRef:
                  name: ovn-config
                  key: k8s_apiserver
            - name: OVN_MTU
              valueFrom:
                configMapKeyRef:
                  name: ovn-config
                  key: mtu
            - name: K8S_NODE
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: OVN_GATEWAY_MODE
              value: "{{ ovn_gateway_mode }}"
            - name: OVN_GATEWAY_OPTS
              value: "{{ ovn_gateway_opts }}"
            - name: OVN_HYBRID_OVERLAY_ENABLE
              value: "{{ ovn_hybrid_overlay_enable }}"
            - name: OVN_HYBRID_OVERLAY_NET_CIDR
              value: "{{ ovn_hybrid_overlay_net_cidr }}"
            - name: OVN_SSL_ENABLE
              value: "{{ ovn_ssl_en }}"
          lifecycle:
            preStop:
              exec:
                command:
                  - /root/ovnkube.sh
                  - cleanup-ovn-node
          readinessProbe:
            exec:
              command:
                - /usr/bin/ovn-kube-util
                - readiness-probe
                - -t
                - ovnkube-node
            initialDelaySeconds: 30
            timeoutSeconds: 30
            periodSeconds: 60
      nodeSelector:
        kubernetes.io/os: 'linux'
      # All volumes are hostPath; which ones are writable is decided per mount above.
      volumes:
        - name: host-modules
          hostPath:
            path: /lib/modules
        - name: host-var-run-dbus
          hostPath:
            path: /var/run/dbus
        - name: host-var-log-ovs
          hostPath:
            path: /var/log/openvswitch
        - name: host-var-log-ovnkube
          hostPath:
            path: /var/log/ovn-kubernetes
        - name: host-run-ovs
          hostPath:
            path: /run/openvswitch
        - name: host-var-run-ovs
          hostPath:
            path: /var/run/openvswitch
        - name: host-var-run-ovn-kubernetes
          hostPath:
            path: /var/run/ovn-kubernetes
        - name: host-sys
          hostPath:
            path: /sys
        - name: host-opt-cni-bin
          hostPath:
            path: /opt/cni/bin
        - name: host-etc-cni-netd
          hostPath:
            path: /etc/cni/net.d
        # Created on the host if absent; every mount of it above is read-only.
        - name: host-ovn-cert
          hostPath:
            path: /etc/ovn
            type: DirectoryOrCreate
        - name: host-slash
          hostPath:
            path: /
        - name: host-config-openvswitch
          hostPath:
            path: /etc/origin/openvswitch
        {% if kind is defined and kind -%}
        - name: host-netns
          hostPath:
            path: /var/run/netns
        {% endif %}
      # Tolerates every taint (any key, any effect), so the pod lands on all nodes.
      tolerations:
        - operator: 'Exists'