From d8395a941adf35d398c334c938572b6dcb85f1cc Mon Sep 17 00:00:00 2001 From: Claes Mogren Date: Fri, 29 Mar 2019 15:35:51 -0700 Subject: [PATCH 1/2] Update calico.yaml for 1.3 branch Based on #232, but includes a version bump to v3.3.5 to get the libcalico-go #1051 fix. --- config/v1.3/calico.yaml | 154 +++++++++++++++++++++++----------------- 1 file changed, 89 insertions(+), 65 deletions(-) diff --git a/config/v1.3/calico.yaml b/config/v1.3/calico.yaml index 2c5be7b33c..5eb7b5188e 100644 --- a/config/v1.3/calico.yaml +++ b/config/v1.3/calico.yaml @@ -25,6 +25,8 @@ spec: # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' spec: + nodeSelector: + beta.kubernetes.io/os: linux hostNetwork: true serviceAccountName: calico-node # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force @@ -35,7 +37,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: quay.io/calico/node:v3.1.3 + image: quay.io/calico/node:v3.3.5 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE @@ -60,10 +62,6 @@ spec: # Set Felix endpoint to host default action to ACCEPT. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: "ACCEPT" - # This will make Felix honor AWS VPC CNI's mangle table - # rules. - - name: FELIX_IPTABLESMANGLEALLOWACTION - value: Return # Disable IPV6 on Kubernetes. - name: FELIX_IPV6SUPPORT value: "false" @@ -97,14 +95,18 @@ spec: initialDelaySeconds: 10 failureThreshold: 6 readinessProbe: - httpGet: - path: /readiness - port: 9099 + exec: + command: + - /bin/calico-node + - -felix-ready periodSeconds: 10 volumeMounts: - mountPath: /lib/modules name: lib-modules readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false - mountPath: /var/run/calico name: var-run-calico readOnly: false 
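Review bot: The new `/run/xtables.lock` volumeMount in the `@@ -97,14 +95,18 @@` hunk is a host-writable path added to calico-node with no comment saying why it needs `readOnly: false`, and the matching volume in the next hunk (`type: FileOrCreate`) is equally silent. A one-line comment above the mount would let a reviewer judge the host exposure, e.g. `# iptables lock file, presumably shared with other iptables users on the host (kube-proxy); must be writable so updates serialise`. The same pair of additions is made to config/v1.4/calico.yaml by patch 2's `@@ -97,17 +98,24 @@` and `@@ -116,9 +124,22 @@` hunks. The container spec this mount belongs to starts before the hunk.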
@@ -116,9 +118,13 @@ spec: - name: var-run-calico hostPath: path: /var/run/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate tolerations: # Make sure calico/node gets scheduled on all nodes. - - operator: Exists + - operator: Exists --- @@ -128,7 +134,7 @@ spec: apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: felixconfigurations.crd.projectcalico.org + name: felixconfigurations.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org @@ -263,6 +269,7 @@ rules: - apiGroups: [""] resources: - namespaces + - serviceaccounts verbs: - get - list @@ -271,7 +278,7 @@ rules: resources: - pods/status verbs: - - update + - patch - apiGroups: [""] resources: - pods @@ -279,7 +286,6 @@ rules: - get - list - watch - - patch - apiGroups: [""] resources: - services @@ -342,9 +348,9 @@ roleRef: kind: ClusterRole name: calico-node subjects: -- kind: ServiceAccount - name: calico-node - namespace: kube-system + - kind: ServiceAccount + name: calico-node + namespace: kube-system --- 
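Review bot: The added `- serviceaccounts` entry in the `@@ -263,6 +269,7 @@` hunk widens the calico-node ClusterRole to cluster-wide read access on ServiceAccount objects, and neither the manifest nor the commit message says what it is for. This is metadata only (tokens live in Secrets, which this rule does not grant), so the risk is low, but a comment next to the resource would make that explicit, e.g. `# ServiceAccount metadata only (no secrets); presumably needed for service-account based policy selectors in v3.3`. The same addition is made to config/v1.4/calico.yaml by patch 2's `@@ -263,6 +299,7 @@` hunk. The verbs list for this rule continues beyond the hunk boundary.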
@@ -363,67 +369,85 @@ spec: k8s-app: calico-typha annotations: scheduler.alpha.kubernetes.io/critical-pod: '' + cluster-autoscaler.kuberentes.io/safe-to-evict: 'true' spec: + nodeSelector: + beta.kubernetes.io/os: linux tolerations: - - operator: Exists + - operator: Exists hostNetwork: true serviceAccountName: calico-node containers: - - image: quay.io/calico/typha:v0.7.4 - name: calico-typha - ports: - - containerPort: 5473 + - image: quay.io/calico/typha:v3.3.5 name: calico-typha - protocol: TCP - env: - # Use eni not cali for interface prefix - - name: FELIX_INTERFACEPREFIX - value: "eni" - - name: TYPHA_LOGFILEPATH - value: "none" - - name: TYPHA_LOGSEVERITYSYS - value: "none" - - name: TYPHA_LOGSEVERITYSCREEN - value: "info" - - name: TYPHA_PROMETHEUSMETRICSENABLED - value: "true" - - name: TYPHA_CONNECTIONREBALANCINGMODE - value: "kubernetes" - - name: TYPHA_PROMETHEUSMETRICSPORT - value: "9093" - - name: TYPHA_DATASTORETYPE - value: "kubernetes" - - name: TYPHA_MAXCONNECTIONSLOWERLIMIT - value: "1" - - name: TYPHA_HEALTHENABLED - value: "true" - # This will make Felix honor AWS VPC CNI's mangle table - # rules. 
- - name: FELIX_IPTABLESMANGLEALLOWACTION - value: Return - volumeMounts: - - mountPath: /etc/calico - name: etc-calico - readOnly: true - livenessProbe: - httpGet: - path: /liveness - port: 9098 - periodSeconds: 30 - initialDelaySeconds: 30 - readinessProbe: - httpGet: - path: /readiness - port: 9098 - periodSeconds: 10 + ports: + - containerPort: 5473 + name: calico-typha + protocol: TCP + env: + # Use eni not cali for interface prefix + - name: FELIX_INTERFACEPREFIX + value: "eni" + - name: TYPHA_LOGFILEPATH + value: "none" + - name: TYPHA_LOGSEVERITYSYS + value: "none" + - name: TYPHA_LOGSEVERITYSCREEN + value: "info" + - name: TYPHA_PROMETHEUSMETRICSENABLED + value: "true" + - name: TYPHA_CONNECTIONREBALANCINGMODE + value: "kubernetes" + - name: TYPHA_PROMETHEUSMETRICSPORT + value: "9093" + - name: TYPHA_DATASTORETYPE + value: "kubernetes" + - name: TYPHA_MAXCONNECTIONSLOWERLIMIT + value: "1" + - name: TYPHA_HEALTHENABLED + value: "true" + volumeMounts: + - mountPath: /etc/calico + name: etc-calico + readOnly: true + livenessProbe: + exec: + command: + - calico-typha + - check + - liveness + periodSeconds: 30 + initialDelaySeconds: 30 + readinessProbe: + exec: + command: + - calico-typha + - check + - readiness + periodSeconds: 10 volumes: - - name: etc-calico - hostPath: - path: /etc/calico + - name: etc-calico + hostPath: + path: /etc/calico --- +# This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: calico-typha + namespace: kube-system + labels: + k8s-app: calico-typha +spec: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: calico-typha + +--- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: From ee13f3ef2b157e60bc01ab4692b76a22048022e7 Mon Sep 17 00:00:00 2001 
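Review bot: The annotation added at the top of the `@@ -363,67 +369,85 @@` hunk misspells the domain: `cluster-autoscaler.kuberentes.io/safe-to-evict: 'true'` should read `cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'`. As written it is simply an unrelated annotation, so the cluster autoscaler never sees it and the eviction intent that the PodDisruptionBudget added in this same hunk is meant to complete is only partly achieved. The identical typo is carried into config/v1.4/calico.yaml by patch 2's `@@ -363,66 +399,78 @@` hunk. The typha Deployment this annotation belongs to starts before the hunk.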
From: Claes Mogren Date: Wed, 3 Apr 2019 11:15:18 -0700 Subject: [PATCH 2/2] Updated with changes for v3.3.6 --- config/v1.3/calico.yaml | 34 ++++--- config/v1.4/calico.yaml | 190 +++++++++++++++++++++++++--------------- 2 files changed, 140 insertions(+), 84 deletions(-) diff --git a/config/v1.3/calico.yaml b/config/v1.3/calico.yaml index 5eb7b5188e..730b7edfd1 100644 --- a/config/v1.3/calico.yaml +++ b/config/v1.3/calico.yaml @@ -37,7 +37,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: quay.io/calico/node:v3.3.5 + image: quay.io/calico/node:v3.3.6 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE @@ -86,6 +86,9 @@ spec: value: "true" securityContext: privileged: true + resources: + requests: + cpu: 250m livenessProbe: httpGet: path: /liveness @@ -110,6 +113,9 @@ spec: - mountPath: /var/run/calico name: var-run-calico readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false volumes: # Used to ensure proper kmods are installed. - name: lib-modules @@ -118,13 +124,22 @@ spec: - name: var-run-calico hostPath: path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico - name: xtables-lock hostPath: path: /run/xtables.lock type: FileOrCreate tolerations: # Make sure calico/node gets scheduled on all nodes. - - operator: Exists + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists --- @@ -374,11 +389,13 @@ spec: nodeSelector: beta.kubernetes.io/os: linux tolerations: - - operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists hostNetwork: true serviceAccountName: calico-node containers: - - image: quay.io/calico/typha:v3.3.5 + - image: quay.io/calico/typha:v3.3.6 name: calico-typha ports: - containerPort: 5473 
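Review bot: The new `var-lib-calico` hostPath in the `@@ -118,13 +124,22 @@` hunk carries no `type:`, while the neighbouring `xtables-lock` volume spells out `type: FileOrCreate`; with no type the kubelet performs no check on what is at `/var/lib/calico` on the host before mounting it into a privileged container. Declaring the intent keeps the two volumes consistent and makes the mount fail if the host path is not a directory: add `type: DirectoryOrCreate` under `path: /var/lib/calico`. The same remark applies to patch 2's `@@ -116,9 +124,22 @@` hunk in config/v1.4/calico.yaml. The volumes list this entry belongs to starts before the hunk.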
@@ -406,10 +423,6 @@ spec: value: "1" - name: TYPHA_HEALTHENABLED value: "true" - volumeMounts: - - mountPath: /etc/calico - name: etc-calico - readOnly: true livenessProbe: exec: command: @@ -425,11 +438,6 @@ spec: - check - readiness periodSeconds: 10 - volumes: - - name: etc-calico - hostPath: - path: /etc/calico - --- diff --git a/config/v1.4/calico.yaml b/config/v1.4/calico.yaml index 97d955f9eb..573f530524 100644 --- a/config/v1.4/calico.yaml +++ b/config/v1.4/calico.yaml @@ -25,6 +25,8 @@ spec: # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' spec: + nodeSelector: + beta.kubernetes.io/os: linux hostNetwork: true serviceAccountName: calico-node # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force @@ -35,7 +37,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: quay.io/calico/node:v3.1.3 + image: quay.io/calico/node:v3.3.6 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE @@ -60,10 +62,6 @@ spec: # Set Felix endpoint to host default action to ACCEPT. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: "ACCEPT" - # This will make Felix honor AWS VPC CNI's mangle table - # rules. - - name: FELIX_IPTABLESMANGLEALLOWACTION - value: Return # Disable IPV6 on Kubernetes. - name: FELIX_IPV6SUPPORT value: "false" @@ -88,6 +86,9 @@ spec: value: "true" securityContext: privileged: true + resources: + requests: + cpu: 250m livenessProbe: httpGet: path: /liveness 
@@ -97,17 +98,24 @@ spec: initialDelaySeconds: 10 failureThreshold: 6 readinessProbe: - httpGet: - path: /readiness - port: 9099 + exec: + command: + - /bin/calico-node + - -felix-ready periodSeconds: 10 volumeMounts: - mountPath: /lib/modules name: lib-modules readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false - mountPath: /var/run/calico name: var-run-calico readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false volumes: # Used to ensure proper kmods are installed. - name: lib-modules @@ -116,9 +124,22 @@ spec: - name: var-run-calico hostPath: path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate tolerations: # Make sure calico/node gets scheduled on all nodes. - - operator: Exists + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists --- @@ -128,7 +149,7 @@ spec: apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: felixconfigurations.crd.projectcalico.org + name: felixconfigurations.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org @@ -177,7 +198,10 @@ metadata: spec: scope: Cluster group: crd.projectcalico.org - version: v1 + versions: + - name: v1 + served: true + storage: true names: kind: HostEndpoint plural: hostendpoints @@ -192,7 +216,10 @@ metadata: spec: scope: Cluster group: crd.projectcalico.org - version: v1 + versions: + - name: v1 + served: true + storage: true names: kind: ClusterInformation plural: clusterinformations @@ -207,7 +234,10 @@ metadata: spec: scope: Cluster group: crd.projectcalico.org - version: v1 + versions: + - name: v1 + served: true + storage: true names: kind: GlobalNetworkPolicy plural: globalnetworkpolicies 
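Review bot: The switch from `version: v1` to a `versions:` list in the `@@ -177,7 +198,10 @@` hunk (and in the `@@ -192`, `@@ -207`, `@@ -222` and `@@ -237` hunks that follow) is not applied to the felixconfigurations CRD earlier in the file: its `@@ -128,7 +149,7 @@` hunk only re-indents the name, and no hunk touches the `version:` key that presumably follows it. Both forms are accepted by apiextensions.k8s.io/v1beta1, but mixing them leaves one CRD on the older shape; converting it the same way, `versions:` / `- name: v1` / `served: true` / `storage: true`, keeps the CRDs in this file uniform. Whether CRDs outside these hunks were converted cannot be seen from the diff.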
@@ -222,7 +252,10 @@ metadata: spec: scope: Cluster group: crd.projectcalico.org - version: v1 + versions: + - name: v1 + served: true + storage: true names: kind: GlobalNetworkSet plural: globalnetworksets @@ -237,7 +270,10 @@ metadata: spec: scope: Namespaced group: crd.projectcalico.org - version: v1 + versions: + - name: v1 + served: true + storage: true names: kind: NetworkPolicy plural: networkpolicies @@ -263,6 +299,7 @@ rules: - apiGroups: [""] resources: - namespaces + - serviceaccounts verbs: - get - list @@ -271,7 +308,7 @@ rules: resources: - pods/status verbs: - - update + - patch - apiGroups: [""] resources: - pods @@ -279,7 +316,6 @@ rules: - get - list - watch - - patch - apiGroups: [""] resources: - services @@ -342,9 +378,9 @@ roleRef: kind: ClusterRole name: calico-node subjects: -- kind: ServiceAccount - name: calico-node - namespace: kube-system + - kind: ServiceAccount + name: calico-node + namespace: kube-system --- 
@@ -363,66 +399,78 @@ spec: k8s-app: calico-typha annotations: scheduler.alpha.kubernetes.io/critical-pod: '' + cluster-autoscaler.kuberentes.io/safe-to-evict: 'true' spec: + nodeSelector: + beta.kubernetes.io/os: linux tolerations: - - operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists hostNetwork: true serviceAccountName: calico-node containers: - - image: quay.io/calico/typha:v0.7.4 - name: calico-typha - ports: - - containerPort: 5473 + - image: quay.io/calico/typha:v3.3.6 name: calico-typha - protocol: TCP - env: - # Use eni not cali for interface prefix - - name: FELIX_INTERFACEPREFIX - value: "eni" - - name: TYPHA_LOGFILEPATH - value: "none" - - name: TYPHA_LOGSEVERITYSYS - value: "none" - - name: TYPHA_LOGSEVERITYSCREEN - value: "info" - - name: TYPHA_PROMETHEUSMETRICSENABLED - value: "true" - - name: TYPHA_CONNECTIONREBALANCINGMODE - value: "kubernetes" - - name: TYPHA_PROMETHEUSMETRICSPORT - value: "9093" - - name: TYPHA_DATASTORETYPE - value: "kubernetes" - - name: TYPHA_MAXCONNECTIONSLOWERLIMIT - value: "1" - - name: TYPHA_HEALTHENABLED - value: "true" - # This will make Felix honor AWS VPC CNI's mangle table - # rules. 
- - name: FELIX_IPTABLESMANGLEALLOWACTION - value: Return - volumeMounts: - - mountPath: /etc/calico - name: etc-calico - readOnly: true - livenessProbe: - httpGet: - path: /liveness - port: 9098 - periodSeconds: 30 - initialDelaySeconds: 30 - readinessProbe: - httpGet: - path: /readiness - port: 9098 - periodSeconds: 10 - volumes: - - name: etc-calico - hostPath: - path: /etc/calico + ports: + - containerPort: 5473 + name: calico-typha + protocol: TCP + env: + # Use eni not cali for interface prefix + - name: FELIX_INTERFACEPREFIX + value: "eni" + - name: TYPHA_LOGFILEPATH + value: "none" + - name: TYPHA_LOGSEVERITYSYS + value: "none" + - name: TYPHA_LOGSEVERITYSCREEN + value: "info" + - name: TYPHA_PROMETHEUSMETRICSENABLED + value: "true" + - name: TYPHA_CONNECTIONREBALANCINGMODE + value: "kubernetes" + - name: TYPHA_PROMETHEUSMETRICSPORT + value: "9093" + - name: TYPHA_DATASTORETYPE + value: "kubernetes" + - name: TYPHA_MAXCONNECTIONSLOWERLIMIT + value: "1" + - name: TYPHA_HEALTHENABLED + value: "true" + livenessProbe: + exec: + command: + - calico-typha + - check + - liveness + periodSeconds: 30 + initialDelaySeconds: 30 + readinessProbe: + exec: + command: + - calico-typha + - check + - readiness + periodSeconds: 10 --- +# This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: calico-typha + namespace: kube-system + labels: + k8s-app: calico-typha +spec: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: calico-typha + +--- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: