---
# Source: calico/templates/calico-config.yaml
# This ConfigMap is used to configure a self-hosted Calico installation.
# Its keys are read by the calico-node DaemonSet further down in this file
# through configMapKeyRef (calico_backend, veth_mtu, cni_network_config).
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  # Typha is disabled.
  typha_service_name: "none"
  # Configure the backend to use.
  calico_backend: "bird"
  # Configure the MTU to use (quoted: ConfigMap values must be strings).
  veth_mtu: "1440"
  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  # The __...__ placeholders are presumably rewritten by the install-cni
  # init container (which receives CNI_MTU and KUBERNETES_NODE_NAME) — verify
  # against /install-cni.sh before relying on that.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "mtu": __CNI_MTU__,
          "ipam": {
              "type": "calico-ipam"
          },
          "policy": {
              "type": "k8s"
          },
          "kubernetes": {
              "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        }
      ]
    }
---
# Source: calico/templates/kdd-crds.yaml
# Calico custom resources for the Kubernetes datastore (DATASTORE_TYPE is
# "kubernetes" in the workloads below). Each document registers one
# crd.projectcalico.org type; the ClusterRoles further down grant access
# to these resources by their plural names.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  # Cluster-scoped: FelixConfiguration.
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: FelixConfiguration
    plural: felixconfigurations
    singular: felixconfiguration
---
# Cluster-scoped Calico CRD: IPAMBlock.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ipamblocks.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPAMBlock
    plural: ipamblocks
    singular: ipamblock
---
# Cluster-scoped Calico CRD: BlockAffinity.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: blockaffinities.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BlockAffinity
    plural: blockaffinities
    singular: blockaffinity
---
# Cluster-scoped Calico CRD: IPAMHandle.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ipamhandles.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPAMHandle
    plural: ipamhandles
    singular: ipamhandle
---
# Cluster-scoped Calico CRD: IPAMConfig.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ipamconfigs.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPAMConfig
    plural: ipamconfigs
    singular: ipamconfig
---
# Cluster-scoped Calico CRD: BGPPeer.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: bgppeers.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BGPPeer
    plural: bgppeers
    singular: bgppeer
---
# Cluster-scoped Calico CRD: BGPConfiguration.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BGPConfiguration
    plural: bgpconfigurations
    singular: bgpconfiguration
---
# Cluster-scoped Calico CRD: IPPool.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPPool
    plural: ippools
    singular: ippool
---
# Cluster-scoped Calico CRD: HostEndpoint.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: hostendpoints.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: HostEndpoint
    plural: hostendpoints
    singular: hostendpoint
---
# Cluster-scoped Calico CRD: ClusterInformation.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clusterinformations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: ClusterInformation
    plural: clusterinformations
    singular: clusterinformation
---
# Cluster-scoped Calico CRD: GlobalNetworkPolicy.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkPolicy
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy
---
# Cluster-scoped Calico CRD: GlobalNetworkSet.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalnetworksets.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkSet
    plural: globalnetworksets
    singular: globalnetworkset
---
# Namespaced Calico CRD: NetworkPolicy (distinct from networking.k8s.io
# NetworkPolicy, which calico-node also watches via RBAC below).
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: networkpolicies.crd.projectcalico.org
spec:
  scope: Namespaced
  group: crd.projectcalico.org
  version: v1
  names:
    kind: NetworkPolicy
    plural: networkpolicies
    singular: networkpolicy
---
# Namespaced Calico CRD: NetworkSet.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: networksets.crd.projectcalico.org
spec:
  scope: Namespaced
  group: crd.projectcalico.org
  version: v1
  names:
    kind: NetworkSet
    plural: networksets
    singular: networkset
---
# Source: calico/templates/rbac.yaml
# Include a clusterrole for the kube-controllers component,
# and bind it to the calico-kube-controllers serviceaccount.
# Every rule here is cluster-wide; the role is deliberately narrow (read-only
# on core resources, write only on Calico IPAM and clusterinformations CRDs).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico-kube-controllers
rules:
  # Nodes are watched to monitor for deletions.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - watch
      - list
      - get
  # Pods are queried to check for existence.
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
  # IPAM resources are manipulated when nodes are deleted.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
    verbs:
      - list
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # Needs access to update clusterinformations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - clusterinformations
    verbs:
      - get
      - create
      - update
---
# Binds the calico-kube-controllers ClusterRole above to the ServiceAccount
# of the same name in kube-system (declared near the end of this file).
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system
---
# Include a clusterrole for the calico-node DaemonSet,
# and bind it to the calico-node serviceaccount.
# NOTE(review): this role is held by every calico-node pod, which runs
# privileged with hostNetwork (see the DaemonSet below), so the token on
# each node carries all of these cluster-wide rights. The rules marked as
# upgrade-only further down can be removed on fresh installs to narrow it.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico-node
rules:
  # The CNI plugin needs to get pods, nodes, and namespaces.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - endpoints
      - services
    verbs:
      # Used to discover service IPs for advertisement.
      - watch
      - list
      # Used to discover Typhas.
      - get
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      # Needed for clearing NodeNetworkUnavailable flag.
      - patch
      # Calico stores some configuration information in node annotations.
      - update
  # Watch for changes to Kubernetes NetworkPolicies.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  # Used by Calico for policy information.
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
      - serviceaccounts
    verbs:
      - list
      - watch
  # The CNI plugin patches pods/status.
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  # Calico monitors various CRDs for config.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - ipamblocks
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - networksets
      - clusterinformations
      - hostendpoints
    verbs:
      - get
      - list
      - watch
  # Calico must create and update some CRDs on startup.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
      - felixconfigurations
      - clusterinformations
    verbs:
      - create
      - update
  # Calico stores some configuration information on the node.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # These permissions are only required for upgrade from v2.6, and can
  # be removed after upgrade or on fresh installations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgpconfigurations
      - bgppeers
    verbs:
      - create
      - update
  # These permissions are required for Calico CNI to perform IPAM allocations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ipamconfigs
    verbs:
      - get
  # Block affinities must also be watchable by confd for route aggregation.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
    verbs:
      - watch
  # The Calico IPAM migration needs to get daemonsets. These permissions can be
  # removed if not upgrading from an installation using host-local IPAM.
  - apiGroups: ["apps"]
    resources:
      - daemonsets
    verbs:
      - get
---
# Binds the calico-node ClusterRole above to the calico-node ServiceAccount
# in kube-system, which the DaemonSet below runs as.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: calico-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-node
subjects:
  - kind: ServiceAccount
    name: calico-node
    namespace: kube-system
---
# Source: calico/templates/calico-node.yaml
# This manifest installs the calico-node container, as well
# as the CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
# NOTE(review): extensions/v1beta1 is a legacy API group for DaemonSet;
# apps/v1 requires spec.selector, which this manifest already declares —
# confirm the target cluster version before applying.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        # This, along with the CriticalAddonsOnly toleration below,
        # marks the pod as a critical add-on, ensuring it gets
        # priority scheduling and that its resources are reserved
        # if it ever gets evicted.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      # The pod shares the node's network namespace; together with the
      # privileged calico-node container and the hostPath volumes below this
      # is the most trusted workload in the file.
      hostNetwork: true
      tolerations:
        # Make sure calico-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: calico-node
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      initContainers:
        # This container performs upgrade from host-local IPAM to calico-ipam.
        # It can be deleted if this is a fresh installation, or if you have already
        # upgraded to use calico-ipam.
        # NOTE(review): images are pinned by tag only; pinning by digest would
        # make the pulled image immutable.
        - name: upgrade-ipam
          image: calico/cni:v3.7.4
          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
          env:
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
          volumeMounts:
            - mountPath: /var/lib/cni/networks
              name: host-local-net-dir
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
        # This container installs the CNI binaries
        # and CNI network config file on each node.
        # It writes into the host's /opt/cni/bin and /etc/cni/net.d through the
        # cni-bin-dir and cni-net-dir hostPath volumes.
        - name: install-cni
          image: calico/cni:v3.7.4
          command: ["/install-cni.sh"]
          env:
            # Name of the CNI config file to create.
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
            # Set the hostname based on the k8s node name.
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # CNI MTU Config variable
            - name: CNI_MTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # Prevents the container from sleeping forever.
            - name: SLEEP
              value: "false"
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      containers:
        # Runs calico-node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: calico/node:v3.7.4
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # Set based on the k8s node name.
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Choose the backend to use.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,bgp"
            # Auto-detect the BGP IP address.
            - name: IP
              value: "autodetect"
            # Enable IPIP
            - name: CALICO_IPV4POOL_IPIP
              value: "Always"
            # Set MTU for tunnel device used if ipip is enabled
            - name: FELIX_IPINIPMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
            # chosen from this range. Changing this value after installation will have
            # no effect. This should fall within `--cluster-cidr`.
            - name: CALICO_IPV4POOL_CIDR
              value: "192.168.0.0/16"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint to host default action to ACCEPT.
            # NOTE(review): this is the default for traffic from workloads to
            # the host; review it against your host-endpoint policy.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Disable IPv6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Set Felix logging to "info"
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Enables the /liveness endpoint probed below.
            - name: FELIX_HEALTHENABLED
              value: "true"
          # Required for programming host iptables and routes (see the
          # container comment above); keep this the only privileged container.
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
              # hostNetwork is set, so localhost here is the node's loopback.
              host: localhost
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          readinessProbe:
            exec:
              command:
                - /bin/calico-node
                - -bird-ready
                - -felix-ready
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /run/xtables.lock
              name: xtables-lock
              readOnly: false
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
      volumes:
        # Used by calico-node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Mount in the directory for host-local IPAM allocations. This is
        # used when upgrading from host-local to calico-ipam, and can be removed
        # if not using the upgrade-ipam init container.
        - name: host-local-net-dir
          hostPath:
            path: /var/lib/cni/networks
---
# ServiceAccount used by the calico-node DaemonSet; it receives the
# calico-node ClusterRole through the ClusterRoleBinding above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-node
  namespace: kube-system
---
# Source: calico/templates/calico-kube-controllers.yaml
# See https://github.com/projectcalico/kube-controllers
# NOTE(review): this Deployment declares no spec.selector; that is accepted
# by extensions/v1beta1 but required by apps/v1 — confirm the target cluster
# version before applying.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
  # The controller can only have a single active instance.
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
      labels:
        k8s-app: calico-kube-controllers
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      tolerations:
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      serviceAccountName: calico-kube-controllers
      # Unlike calico-node this pod is not privileged and has no hostPath
      # mounts; its access is bounded by the calico-kube-controllers ClusterRole.
      containers:
        - name: calico-kube-controllers
          image: calico/kube-controllers:v3.7.4
          env:
            # Choose which controllers to run.
            - name: ENABLED_CONTROLLERS
              value: node
            - name: DATASTORE_TYPE
              value: kubernetes
          readinessProbe:
            exec:
              command:
                - /usr/bin/check-status
                - -r
---
# ServiceAccount used by the calico-kube-controllers Deployment; bound to the
# calico-kube-controllers ClusterRole above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  717. # Source: calico/templates/calico-etcd-secrets.yaml
  718. ---
  719. # Source: calico/templates/calico-typha.yaml
  720. ---
  721. # Source: calico/templates/configure-canal.yaml