Created
March 26, 2019 17:47
-
-
Save joshrosso/ed1f5ea5a2f47d86f536e9eee3f1a2c2 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Calico Version v3.5.3 | |
| # https://docs.projectcalico.org/v3.5/releases#v3.5.3 | |
| # This manifest includes the following component versions: | |
| # calico/node:v3.5.3 | |
| # calico/cni:v3.5.3 | |
| # This ConfigMap is used to configure a self-hosted Calico installation. | |
| kind: ConfigMap | |
| apiVersion: v1 | |
| metadata: | |
| name: calico-config | |
| namespace: kube-system | |
| data: | |
| # Typha is disabled. | |
| typha_service_name: "none" | |
| # Configure the Calico backend to use. | |
| calico_backend: "bird" | |
| # Configure the MTU to use | |
| veth_mtu: "1440" | |
| # The CNI network configuration to install on each node. The special | |
| # values in this config will be automatically populated. | |
| cni_network_config: |- | |
| { | |
| "name": "k8s-pod-network", | |
| "cniVersion": "0.3.0", | |
| "plugins": [ | |
| { | |
| "type": "calico", | |
| "log_level": "info", | |
| "datastore_type": "kubernetes", | |
| "nodename": "__KUBERNETES_NODE_NAME__", | |
| "mtu": __CNI_MTU__, | |
| "ipam": { | |
| "type": "host-local", | |
| "subnet": "usePodCidr" | |
| }, | |
| "policy": { | |
| "type": "k8s" | |
| }, | |
| "kubernetes": { | |
| "kubeconfig": "__KUBECONFIG_FILEPATH__" | |
| } | |
| }, | |
| { | |
| "type": "portmap", | |
| "snat": true, | |
| "capabilities": {"portMappings": true} | |
| } | |
| ] | |
| } | |
| --- | |
| # This manifest installs the calico/node container, as well | |
| # as the Calico CNI plugins and network config on | |
| # each master and worker node in a Kubernetes cluster. | |
| kind: DaemonSet | |
| apiVersion: extensions/v1beta1 | |
| metadata: | |
| name: calico-node | |
| namespace: kube-system | |
| labels: | |
| k8s-app: calico-node | |
| spec: | |
| selector: | |
| matchLabels: | |
| k8s-app: calico-node | |
| updateStrategy: | |
| type: RollingUpdate | |
| rollingUpdate: | |
| maxUnavailable: 1 | |
| template: | |
| metadata: | |
| labels: | |
| k8s-app: calico-node | |
| annotations: | |
| # This, along with the CriticalAddonsOnly toleration below, | |
| # marks the pod as a critical add-on, ensuring it gets | |
| # priority scheduling and that its resources are reserved | |
| # if it ever gets evicted. | |
| scheduler.alpha.kubernetes.io/critical-pod: '' | |
| spec: | |
| nodeSelector: | |
| beta.kubernetes.io/os: linux | |
| hostNetwork: true | |
| tolerations: | |
| # Make sure calico-node gets scheduled on all nodes. | |
| - effect: NoSchedule | |
| operator: Exists | |
| # Mark the pod as a critical add-on for rescheduling. | |
| - key: CriticalAddonsOnly | |
| operator: Exists | |
| - effect: NoExecute | |
| operator: Exists | |
| serviceAccountName: calico-node | |
| # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force | |
| # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. | |
| terminationGracePeriodSeconds: 0 | |
| initContainers: | |
| # This container installs the Calico CNI binaries | |
| # and CNI network config file on each node. | |
| - name: install-cni | |
| image: calico/cni:v3.5.3 | |
| command: ["/install-cni.sh"] | |
| env: | |
| # Name of the CNI config file to create. | |
| - name: CNI_CONF_NAME | |
| value: "10-calico.conflist" | |
| # The CNI network config to install on each node. | |
| - name: CNI_NETWORK_CONFIG | |
| valueFrom: | |
| configMapKeyRef: | |
| name: calico-config | |
| key: cni_network_config | |
| # Set the hostname based on the k8s node name. | |
| - name: KUBERNETES_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| # CNI MTU Config variable | |
| - name: CNI_MTU | |
| valueFrom: | |
| configMapKeyRef: | |
| name: calico-config | |
| key: veth_mtu | |
| # Prevents the container from sleeping forever. | |
| - name: SLEEP | |
| value: "false" | |
| volumeMounts: | |
| - mountPath: /host/opt/cni/bin | |
| name: cni-bin-dir | |
| - mountPath: /host/etc/cni/net.d | |
| name: cni-net-dir | |
| containers: | |
| # Runs calico/node container on each Kubernetes node. This | |
| # container programs network policy and routes on each | |
| # host. | |
| - name: calico-node | |
| image: calico/node:v3.5.3 | |
| env: | |
| # Use Kubernetes API as the backing datastore. | |
| - name: DATASTORE_TYPE | |
| value: "kubernetes" | |
| # Wait for the datastore. | |
| - name: WAIT_FOR_DATASTORE | |
| value: "true" | |
| # Set based on the k8s node name. | |
| - name: NODENAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| # Choose the backend to use. | |
| - name: CALICO_NETWORKING_BACKEND | |
| valueFrom: | |
| configMapKeyRef: | |
| name: calico-config | |
| key: calico_backend | |
| # Cluster type to identify the deployment type | |
| - name: CLUSTER_TYPE | |
| value: "k8s,bgp" | |
| # Auto-detect the BGP IP address. | |
| - name: IP | |
| value: "autodetect" | |
| # Enable IPIP | |
| - name: CALICO_IPV4POOL_IPIP | |
| value: "Always" | |
| # Set MTU for tunnel device used if ipip is enabled | |
| - name: FELIX_IPINIPMTU | |
| valueFrom: | |
| configMapKeyRef: | |
| name: calico-config | |
| key: veth_mtu | |
| # The default IPv4 pool to create on startup if none exists. Pod IPs will be | |
| # chosen from this range. Changing this value after installation will have | |
| # no effect. This should fall within `--cluster-cidr`. | |
| - name: CALICO_IPV4POOL_CIDR | |
| value: "192.168.0.0/18" | |
| # Disable file logging so `kubectl logs` works. | |
| - name: CALICO_DISABLE_FILE_LOGGING | |
| value: "true" | |
| # Set Felix endpoint to host default action to ACCEPT. | |
| - name: FELIX_DEFAULTENDPOINTTOHOSTACTION | |
| value: "ACCEPT" | |
| # Disable IPv6 on Kubernetes. | |
| - name: FELIX_IPV6SUPPORT | |
| value: "false" | |
| # Set Felix logging to "info" | |
| - name: FELIX_LOGSEVERITYSCREEN | |
| value: "info" | |
| - name: FELIX_HEALTHENABLED | |
| value: "true" | |
| securityContext: | |
| privileged: true | |
| resources: | |
| requests: | |
| cpu: 250m | |
| livenessProbe: | |
| httpGet: | |
| path: /liveness | |
| port: 9099 | |
| host: localhost | |
| periodSeconds: 10 | |
| initialDelaySeconds: 10 | |
| failureThreshold: 6 | |
| readinessProbe: | |
| exec: | |
| command: | |
| - /bin/calico-node | |
| - -bird-ready | |
| - -felix-ready | |
| periodSeconds: 10 | |
| volumeMounts: | |
| - mountPath: /lib/modules | |
| name: lib-modules | |
| readOnly: true | |
| - mountPath: /run/xtables.lock | |
| name: xtables-lock | |
| readOnly: false | |
| - mountPath: /var/run/calico | |
| name: var-run-calico | |
| readOnly: false | |
| - mountPath: /var/lib/calico | |
| name: var-lib-calico | |
| readOnly: false | |
| volumes: | |
| # Used by calico/node. | |
| - name: lib-modules | |
| hostPath: | |
| path: /lib/modules | |
| - name: var-run-calico | |
| hostPath: | |
| path: /var/run/calico | |
| - name: var-lib-calico | |
| hostPath: | |
| path: /var/lib/calico | |
| - name: xtables-lock | |
| hostPath: | |
| path: /run/xtables.lock | |
| type: FileOrCreate | |
| # Used to install CNI. | |
| - name: cni-bin-dir | |
| hostPath: | |
| path: /opt/cni/bin | |
| - name: cni-net-dir | |
| hostPath: | |
| path: /etc/cni/net.d | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: calico-node | |
| namespace: kube-system | |
| --- | |
| # Create all the CustomResourceDefinitions needed for | |
| # Calico policy and networking mode. | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: felixconfigurations.crd.projectcalico.org | |
| spec: | |
| scope: Cluster | |
| group: crd.projectcalico.org | |
| version: v1 | |
| names: | |
| kind: FelixConfiguration | |
| plural: felixconfigurations | |
| singular: felixconfiguration | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: bgppeers.crd.projectcalico.org | |
| spec: | |
| scope: Cluster | |
| group: crd.projectcalico.org | |
| version: v1 | |
| names: | |
| kind: BGPPeer | |
| plural: bgppeers | |
| singular: bgppeer | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: bgpconfigurations.crd.projectcalico.org | |
| spec: | |
| scope: Cluster | |
| group: crd.projectcalico.org | |
| version: v1 | |
| names: | |
| kind: BGPConfiguration | |
| plural: bgpconfigurations | |
| singular: bgpconfiguration | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: ippools.crd.projectcalico.org | |
| spec: | |
| scope: Cluster | |
| group: crd.projectcalico.org | |
| version: v1 | |
| names: | |
| kind: IPPool | |
| plural: ippools | |
| singular: ippool | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: hostendpoints.crd.projectcalico.org | |
| spec: | |
| scope: Cluster | |
| group: crd.projectcalico.org | |
| version: v1 | |
| names: | |
| kind: HostEndpoint | |
| plural: hostendpoints | |
| singular: hostendpoint | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: clusterinformations.crd.projectcalico.org | |
| spec: | |
| scope: Cluster | |
| group: crd.projectcalico.org | |
| version: v1 | |
| names: | |
| kind: ClusterInformation | |
| plural: clusterinformations | |
| singular: clusterinformation | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: globalnetworkpolicies.crd.projectcalico.org | |
| spec: | |
| scope: Cluster | |
| group: crd.projectcalico.org | |
| version: v1 | |
| names: | |
| kind: GlobalNetworkPolicy | |
| plural: globalnetworkpolicies | |
| singular: globalnetworkpolicy | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: globalnetworksets.crd.projectcalico.org | |
| spec: | |
| scope: Cluster | |
| group: crd.projectcalico.org | |
| version: v1 | |
| names: | |
| kind: GlobalNetworkSet | |
| plural: globalnetworksets | |
| singular: globalnetworkset | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1beta1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| name: networkpolicies.crd.projectcalico.org | |
| spec: | |
| scope: Namespaced | |
| group: crd.projectcalico.org | |
| version: v1 | |
| names: | |
| kind: NetworkPolicy | |
| plural: networkpolicies | |
| singular: networkpolicy | |
| --- | |
| # Include a clusterrole for the calico-node DaemonSet, | |
| # and bind it to the calico-node serviceaccount. | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| metadata: | |
| name: calico-node | |
| rules: | |
| # The CNI plugin needs to get pods, nodes, and namespaces. | |
| - apiGroups: [""] | |
| resources: | |
| - pods | |
| - nodes | |
| - namespaces | |
| verbs: | |
| - get | |
| - apiGroups: [""] | |
| resources: | |
| - endpoints | |
| - services | |
| verbs: | |
| # Used to discover service IPs for advertisement. | |
| - watch | |
| - list | |
| # Used to discover Typhas. | |
| - get | |
| - apiGroups: [""] | |
| resources: | |
| - nodes/status | |
| verbs: | |
| # Needed for clearing NodeNetworkUnavailable flag. | |
| - patch | |
| # Calico stores some configuration information in node annotations. | |
| - update | |
| # Watch for changes to Kubernetes NetworkPolicies. | |
| - apiGroups: ["networking.k8s.io"] | |
| resources: | |
| - networkpolicies | |
| verbs: | |
| - watch | |
| - list | |
| # Used by Calico for policy information. | |
| - apiGroups: [""] | |
| resources: | |
| - pods | |
| - namespaces | |
| - serviceaccounts | |
| verbs: | |
| - list | |
| - watch | |
| # The CNI plugin patches pods/status. | |
| - apiGroups: [""] | |
| resources: | |
| - pods/status | |
| verbs: | |
| - patch | |
| # Calico monitors various CRDs for config. | |
| - apiGroups: ["crd.projectcalico.org"] | |
| resources: | |
| - globalfelixconfigs | |
| - felixconfigurations | |
| - bgppeers | |
| - globalbgpconfigs | |
| - bgpconfigurations | |
| - ippools | |
| - globalnetworkpolicies | |
| - globalnetworksets | |
| - networkpolicies | |
| - clusterinformations | |
| - hostendpoints | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| # Calico must create and update some CRDs on startup. | |
| - apiGroups: ["crd.projectcalico.org"] | |
| resources: | |
| - ippools | |
| - felixconfigurations | |
| - clusterinformations | |
| verbs: | |
| - create | |
| - update | |
| # Calico stores some configuration information on the node. | |
| - apiGroups: [""] | |
| resources: | |
| - nodes | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| # These permissions are only requried for upgrade from v2.6, and can | |
| # be removed after upgrade or on fresh installations. | |
| - apiGroups: ["crd.projectcalico.org"] | |
| resources: | |
| - bgpconfigurations | |
| - bgppeers | |
| verbs: | |
| - create | |
| - update | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: calico-node | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: calico-node | |
| subjects: | |
| - kind: ServiceAccount | |
| name: calico-node | |
| namespace: kube-system | |
| --- | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment