Last active
August 1, 2018 18:24
-
-
Save bkatiemills/fab94bea1a292c21c1b8af84288a2096 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Calico Version v3.1.1 | |
| # reproduced from https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml | |
| # https://docs.projectcalico.org/v3.1/releases#v3.1.1 | |
| # This manifest includes the following component versions: | |
| # calico/node:v3.1.1 | |
| # calico/cni:v3.1.1 | |
| # calico/kube-controllers:v3.1.1 | |
| # This ConfigMap is used to configure a self-hosted Calico installation. | |
| kind: ConfigMap | |
| apiVersion: v1 | |
| metadata: | |
| name: calico-config | |
| namespace: kube-system | |
| data: | |
| # The location of your etcd cluster. This uses the Service clusterIP defined below. | |
| etcd_endpoints: "http://10.96.232.136:6666" | |
| # Configure the Calico backend to use. | |
| calico_backend: "bird" | |
| # The CNI network configuration to install on each node. | |
| cni_network_config: |- | |
| { | |
| "name": "k8s-pod-network", | |
| "cniVersion": "0.3.0", | |
| "plugins": [ | |
| { | |
| "type": "calico", | |
| "etcd_endpoints": "__ETCD_ENDPOINTS__", | |
| "log_level": "info", | |
| "mtu": 1500, | |
| "ipam": { | |
| "type": "calico-ipam" | |
| }, | |
| "policy": { | |
| "type": "k8s" | |
| }, | |
| "kubernetes": { | |
| "kubeconfig": "__KUBECONFIG_FILEPATH__" | |
| } | |
| }, | |
| { | |
| "type": "portmap", | |
| "snat": true, | |
| "capabilities": {"portMappings": true} | |
| } | |
| ] | |
| } | |
| --- | |
| # This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet | |
| # to force it to run on the master even when the master isn't schedulable, and uses | |
| # nodeSelector to ensure it only runs on the master. | |
| apiVersion: extensions/v1beta1 | |
| kind: DaemonSet | |
| metadata: | |
| name: calico-etcd | |
| namespace: kube-system | |
| labels: | |
| k8s-app: calico-etcd | |
| spec: | |
| template: | |
| metadata: | |
| labels: | |
| k8s-app: calico-etcd | |
| annotations: | |
| # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler | |
| # reserves resources for critical add-on pods so that they can be rescheduled after | |
| # a failure. This annotation works in tandem with the toleration below. | |
| scheduler.alpha.kubernetes.io/critical-pod: '' | |
| spec: | |
| tolerations: | |
| # This taint is set by all kubelets running `--cloud-provider=external` | |
| # so we should tolerate it to schedule the calico pods | |
| - key: node.cloudprovider.kubernetes.io/uninitialized | |
| value: "true" | |
| effect: NoSchedule | |
| # Allow this pod to run on the master. | |
| - key: node-role.kubernetes.io/master | |
| effect: NoSchedule | |
| # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. | |
| # This, along with the annotation above marks this pod as a critical add-on. | |
| - key: CriticalAddonsOnly | |
| operator: Exists | |
| # Only run this pod on the master. | |
| nodeSelector: | |
| node-role.kubernetes.io/master: "" | |
| hostNetwork: true | |
| containers: | |
| - name: calico-etcd | |
| image: quay.io/coreos/etcd:v3.1.10 | |
| env: | |
| - name: CALICO_ETCD_IP | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: status.podIP | |
| command: | |
| - /usr/local/bin/etcd | |
| args: | |
| - --name=calico | |
| - --data-dir=/var/etcd/calico-data | |
| - --advertise-client-urls=http://$CALICO_ETCD_IP:6666 | |
| - --listen-client-urls=http://0.0.0.0:6666 | |
| - --listen-peer-urls=http://0.0.0.0:6667 | |
| - --auto-compaction-retention=1 | |
| volumeMounts: | |
| - name: var-etcd | |
| mountPath: /var/etcd | |
| volumes: | |
| - name: var-etcd | |
| hostPath: | |
| path: /var/etcd | |
| --- | |
| # This manifest installs the Service which gets traffic to the Calico | |
| # etcd. | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| labels: | |
| k8s-app: calico-etcd | |
| name: calico-etcd | |
| namespace: kube-system | |
| spec: | |
| # Select the calico-etcd pod running on the master. | |
| selector: | |
| k8s-app: calico-etcd | |
| # This ClusterIP needs to be known in advance, since we cannot rely | |
| # on DNS to get access to etcd. | |
| clusterIP: 10.96.232.136 | |
| ports: | |
| - port: 6666 | |
| --- | |
| # This manifest installs the calico/node container, as well | |
| # as the Calico CNI plugins and network config on | |
| # each master and worker node in a Kubernetes cluster. | |
| kind: DaemonSet | |
| apiVersion: extensions/v1beta1 | |
| metadata: | |
| name: calico-node | |
| namespace: kube-system | |
| labels: | |
| k8s-app: calico-node | |
| spec: | |
| selector: | |
| matchLabels: | |
| k8s-app: calico-node | |
| updateStrategy: | |
| type: RollingUpdate | |
| rollingUpdate: | |
| maxUnavailable: 1 | |
| template: | |
| metadata: | |
| labels: | |
| k8s-app: calico-node | |
| annotations: | |
| # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler | |
| # reserves resources for critical add-on pods so that they can be rescheduled after | |
| # a failure. This annotation works in tandem with the toleration below. | |
| scheduler.alpha.kubernetes.io/critical-pod: '' | |
| spec: | |
| hostNetwork: true | |
| tolerations: | |
| # Make sure calico/node gets scheduled on all nodes. | |
| - effect: NoSchedule | |
| operator: Exists | |
| # Mark the pod as a critical add-on for rescheduling. | |
| - key: CriticalAddonsOnly | |
| operator: Exists | |
| - effect: NoExecute | |
| operator: Exists | |
| serviceAccountName: calico-cni-plugin | |
| # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force | |
| # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. | |
| terminationGracePeriodSeconds: 0 | |
| containers: | |
| # Runs calico/node container on each Kubernetes node. This | |
| # container programs network policy and routes on each | |
| # host. | |
| - name: calico-node | |
| image: quay.io/calico/node:v3.1.1 | |
| env: | |
| # The location of the Calico etcd cluster. | |
| - name: ETCD_ENDPOINTS | |
| valueFrom: | |
| configMapKeyRef: | |
| name: calico-config | |
| key: etcd_endpoints | |
| # Enable BGP. Disable to enforce policy only. | |
| - name: CALICO_NETWORKING_BACKEND | |
| valueFrom: | |
| configMapKeyRef: | |
| name: calico-config | |
| key: calico_backend | |
| # Cluster type to identify the deployment type | |
| - name: CLUSTER_TYPE | |
| value: "kubeadm,bgp" | |
| # Disable file logging so `kubectl logs` works. | |
| - name: CALICO_DISABLE_FILE_LOGGING | |
| value: "true" | |
| # Set noderef for node controller. | |
| - name: CALICO_K8S_NODE_REF | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| # Set Felix endpoint to host default action to ACCEPT. | |
| - name: FELIX_DEFAULTENDPOINTTOHOSTACTION | |
| value: "ACCEPT" | |
| # The default IPv4 pool to create on startup if none exists. Pod IPs will be | |
| # chosen from this range. Changing this value after installation will have | |
| # no effect. This should fall within `--cluster-cidr`. | |
| - name: CALICO_IPV4POOL_CIDR | |
| value: "192.168.0.0/16" | |
| - name: CALICO_IPV4POOL_IPIP | |
| value: "Always" | |
| # Disable IPv6 on Kubernetes. | |
| - name: FELIX_IPV6SUPPORT | |
| value: "false" | |
| # Set MTU for tunnel device used if ipip is enabled | |
| - name: FELIX_IPINIPMTU | |
| value: "1440" | |
| # Set Felix logging to "info" | |
| - name: FELIX_LOGSEVERITYSCREEN | |
| value: "info" | |
| # Auto-detect the BGP IP address. | |
| - name: IP | |
| value: "autodetect" | |
| - name: FELIX_HEALTHENABLED | |
| value: "true" | |
| # Set autodetection method to avoid collision with Docker networks | |
| - name: IP_AUTODETECTION_METHOD | |
| value: "interface=eth0" | |
| securityContext: | |
| privileged: true | |
| resources: | |
| requests: | |
| cpu: 250m | |
| livenessProbe: | |
| httpGet: | |
| path: /liveness | |
| port: 9099 | |
| periodSeconds: 10 | |
| initialDelaySeconds: 10 | |
| failureThreshold: 6 | |
| readinessProbe: | |
| httpGet: | |
| path: /readiness | |
| port: 9099 | |
| periodSeconds: 10 | |
| volumeMounts: | |
| - mountPath: /lib/modules | |
| name: lib-modules | |
| readOnly: true | |
| - mountPath: /var/run/calico | |
| name: var-run-calico | |
| readOnly: false | |
| - mountPath: /var/lib/calico | |
| name: var-lib-calico | |
| readOnly: false | |
| # This container installs the Calico CNI binaries | |
| # and CNI network config file on each node. | |
| - name: install-cni | |
| image: quay.io/calico/cni:v3.1.1 | |
| command: ["/install-cni.sh"] | |
| env: | |
| # Name of the CNI config file to create. | |
| - name: CNI_CONF_NAME | |
| value: "10-calico.conflist" | |
| # The location of the Calico etcd cluster. | |
| - name: ETCD_ENDPOINTS | |
| valueFrom: | |
| configMapKeyRef: | |
| name: calico-config | |
| key: etcd_endpoints | |
| # The CNI network config to install on each node. | |
| - name: CNI_NETWORK_CONFIG | |
| valueFrom: | |
| configMapKeyRef: | |
| name: calico-config | |
| key: cni_network_config | |
| volumeMounts: | |
| - mountPath: /host/opt/cni/bin | |
| name: cni-bin-dir | |
| - mountPath: /host/etc/cni/net.d | |
| name: cni-net-dir | |
| volumes: | |
| # Used by calico/node. | |
| - name: lib-modules | |
| hostPath: | |
| path: /lib/modules | |
| - name: var-run-calico | |
| hostPath: | |
| path: /var/run/calico | |
| - name: var-lib-calico | |
| hostPath: | |
| path: /var/lib/calico | |
| # Used to install CNI. | |
| - name: cni-bin-dir | |
| hostPath: | |
| path: /opt/cni/bin | |
| - name: cni-net-dir | |
| hostPath: | |
| path: /etc/cni/net.d | |
| --- | |
| # This manifest deploys the Calico Kubernetes controllers. | |
| # See https://github.com/projectcalico/kube-controllers | |
| apiVersion: extensions/v1beta1 | |
| kind: Deployment | |
| metadata: | |
| name: calico-kube-controllers | |
| namespace: kube-system | |
| labels: | |
| k8s-app: calico-kube-controllers | |
| spec: | |
| # The controllers can only have a single active instance. | |
| replicas: 1 | |
| strategy: | |
| type: Recreate | |
| template: | |
| metadata: | |
| name: calico-kube-controllers | |
| namespace: kube-system | |
| labels: | |
| k8s-app: calico-kube-controllers | |
| annotations: | |
| # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler | |
| # reserves resources for critical add-on pods so that they can be rescheduled after | |
| # a failure. This annotation works in tandem with the toleration below. | |
| scheduler.alpha.kubernetes.io/critical-pod: '' | |
| spec: | |
| # The controllers must run in the host network namespace so that | |
| # it isn't governed by policy that would prevent it from working. | |
| hostNetwork: true | |
| tolerations: | |
| # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. | |
| # This, along with the annotation above marks this pod as a critical add-on. | |
| - key: CriticalAddonsOnly | |
| operator: Exists | |
| - key: node-role.kubernetes.io/master | |
| effect: NoSchedule | |
| serviceAccountName: calico-kube-controllers | |
| containers: | |
| - name: calico-kube-controllers | |
| image: quay.io/calico/kube-controllers:v3.1.1 | |
| env: | |
| # The location of the Calico etcd cluster. | |
| - name: ETCD_ENDPOINTS | |
| valueFrom: | |
| configMapKeyRef: | |
| name: calico-config | |
| key: etcd_endpoints | |
| # Choose which controllers to run. | |
| - name: ENABLED_CONTROLLERS | |
| value: policy,profile,workloadendpoint,node | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: calico-cni-plugin | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: calico-cni-plugin | |
| subjects: | |
| - kind: ServiceAccount | |
| name: calico-cni-plugin | |
| namespace: kube-system | |
| --- | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| metadata: | |
| name: calico-cni-plugin | |
| rules: | |
| - apiGroups: [""] | |
| resources: | |
| - pods | |
| - nodes | |
| verbs: | |
| - get | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: calico-cni-plugin | |
| namespace: kube-system | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: calico-kube-controllers | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: calico-kube-controllers | |
| subjects: | |
| - kind: ServiceAccount | |
| name: calico-kube-controllers | |
| namespace: kube-system | |
| --- | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| metadata: | |
| name: calico-kube-controllers | |
| rules: | |
| - apiGroups: | |
| - "" | |
| - extensions | |
| resources: | |
| - pods | |
| - namespaces | |
| - networkpolicies | |
| - nodes | |
| verbs: | |
| - watch | |
| - list | |
| - apiGroups: | |
| - networking.k8s.io | |
| resources: | |
| - networkpolicies | |
| verbs: | |
| - watch | |
| - list | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: calico-kube-controllers | |
| namespace: kube-system |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment