diff --git a/README.md b/README.md index 7811f2f..ea15899 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ AWS Kubernetes is a Kubernetes cluster deployed using [Kubeadm](https://kubernet ## Updates +* *22.1.2018:* Update Calico to 3.0.1 * *22.1.2018:* Update to Kubernetes 1.9.2, Ingres 0.10.0 and Dashboard 1.8.2 * *6.1.2018:* Update to Kubernetes 1.9.1 * *17.12.2017:* Update to Kubernetes 1.9.0, update Dashboard, Ingress, Autoscaler and Heapster dependencies diff --git a/scripts/calico.yaml b/scripts/calico.yaml index 3d397b3..6a90650 100644 --- a/scripts/calico.yaml +++ b/scripts/calico.yaml @@ -1,9 +1,9 @@ -# Calico Version v2.3.0 -# http://docs.projectcalico.org/v2.3/releases#v2.3.0 +# Calico Version v3.0.1 +# https://docs.projectcalico.org/v3.0/releases#v3.0.1 # This manifest includes the following component versions: -# calico/node:v1.3.0 -# calico/cni:v1.9.1 -# calico/kube-policy-controller:v0.6.0 +# calico/node:v3.0.1 +# calico/cni:v2.0.0 +# calico/kube-controllers:v2.0.0 # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap 
@@ -22,24 +22,35 @@ data: # The CNI network configuration to install on each node. cni_network_config: |- { - "name": "k8s-pod-network", - "cniVersion": "0.1.0", - "type": "calico", - "etcd_endpoints": "__ETCD_ENDPOINTS__", - "log_level": "info", - "ipam": { - "type": "calico-ipam" + "name": "k8s-pod-network", + "cniVersion": "0.3.0", + "plugins": [ + { + "type": "calico", + "etcd_endpoints": "__ETCD_ENDPOINTS__", + "log_level": "info", + "mtu": 1500, + "ipam": { + "type": "calico-ipam" + }, + "policy": { + "type": "k8s", + "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__", + "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__" + } }, - "policy": { - "type": "k8s", - "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__", - "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__" - }, - "kubernetes": { - "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__" + { + "type": "portmap", + "snat": true, + "capabilities": {"portMappings": true} } + ] } + --- # This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet @@ -65,6 +76,11 @@ spec: spec: # Only run this pod on the master. tolerations: + # this taint is set by all kubelets running `--cloud-provider=external` + # so we should tolerate it to schedule the calico pods + - key: node.cloudprovider.kubernetes.io/uninitialized + value: "true" + effect: NoSchedule - key: node-role.kubernetes.io/master effect: NoSchedule # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. 
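Review bot: The new conflist gives pod interfaces `"mtu": 1500` while the calico-node hunk later in this diff (@@ -177,21 +220,38 @@) turns on IP-in-IP with `FELIX_IPINIPMTU` set to 1440, so a full-size frame leaving a pod is 60 bytes larger than the tunnel device accepts and will depend on in-cluster fragmentation or path-MTU discovery. If the overlay is the intended normal path, the calico plugin entry should probably read `"mtu": 1440` to match; if 1500 is deliberate, a comment above the `plugins` list explaining the choice would stop the next reader from "fixing" it. The rendered file also carries the service-account bearer token in `k8s_auth_token`, so a comment on `cni_network_config` should state that the file install-cni writes under /etc/cni/net.d must stay readable by root only (the install script's permission handling is not visible in this diff). The ConfigMap definition starts before this hunk.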
@@ -76,14 +92,21 @@ spec:
 hostNetwork: true
 containers:
 - name: calico-etcd
- image: gcr.io/google_containers/etcd:2.2.1
+ image: quay.io/coreos/etcd:v3.1.10
 env:
 - name: CALICO_ETCD_IP
 valueFrom:
 fieldRef:
 fieldPath: status.podIP
- command: ["/bin/sh","-c"]
- args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$CALICO_ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"]
+ command:
+ - /usr/local/bin/etcd
+ args:
+ - --name=calico
+ - --data-dir=/var/etcd/calico-data
+ - --advertise-client-urls=http://$CALICO_ETCD_IP:6666
+ - --listen-client-urls=http://0.0.0.0:6666
+ - --listen-peer-urls=http://0.0.0.0:6667
+ - --auto-compaction-retention=1
 volumeMounts:
 - name: var-etcd
 mountPath: /var/etcd
@@ -129,6 +152,10 @@ spec:
 selector:
 matchLabels:
 k8s-app: calico-node
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
 template:
 metadata:
 labels:
@@ -141,6 +168,11 @@ spec:
 spec:
 hostNetwork: true
 tolerations:
+ # this taint is set by all kubelets running `--cloud-provider=external`
+ # so we should tolerate it to schedule the calico pods
+ - key: node.cloudprovider.kubernetes.io/uninitialized
+ value: "true"
+ effect: NoSchedule
 - key: node-role.kubernetes.io/master
 effect: NoSchedule
 # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
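Review bot: The rewritten `args` list in the calico-etcd hunk still starts etcd with `--listen-client-urls=http://0.0.0.0:6666` and `--listen-peer-urls=http://0.0.0.0:6667`, plaintext and without client authentication, and because the pod runs with `hostNetwork: true` the Calico datastore (every network policy and pool definition) is reachable on every interface of the master. Anything that can open port 6666 can rewrite policy, so at minimum the manifest should say so and the README should state that the master's security group must keep 6666 and 6667 closed to everything except cluster nodes. With a single etcd member the peer listener does not need to be exposed at all; `- --listen-peer-urls=http://127.0.0.1:6667` would remove one of the two open ports. If TLS is out of scope for this version bump, a comment on the `args` list recording that the listener is intentionally unauthenticated and relies on network filtering would make the trade-off explicit rather than implicit.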
@@ -148,12 +180,15 @@ spec:
 - key: CriticalAddonsOnly
 operator: Exists
 serviceAccountName: calico-cni-plugin
+ # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+ # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+ terminationGracePeriodSeconds: 0
 containers:
 # Runs calico/node container on each Kubernetes node. This
 # container programs network policy and routes on each
 # host.
 - name: calico-node
- image: quay.io/calico/node:v1.3.0
+ image: quay.io/calico/node:v3.0.1
 env:
 # The location of the Calico etcd cluster.
 - name: ETCD_ENDPOINTS
@@ -167,9 +202,17 @@ spec:
 configMapKeyRef:
 name: calico-config
 key: calico_backend
+ # Cluster type to identify the deployment type
+ - name: CLUSTER_TYPE
+ value: "kubeadm,bgp"
 # Disable file logging so `kubectl logs` works.
 - name: CALICO_DISABLE_FILE_LOGGING
 value: "true"
+ # Set noderef for node controller.
+ - name: CALICO_K8S_NODE_REF
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 # Set Felix endpoint to host default action to ACCEPT.
 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
 value: "ACCEPT"
@@ -177,21 +220,38 @@ spec:
 - name: CALICO_IPV4POOL_CIDR
 value: "192.168.0.0/16"
 - name: CALICO_IPV4POOL_IPIP
- value: "always"
+ value: "Always"
 # Disable IPv6 on Kubernetes.
 - name: FELIX_IPV6SUPPORT
 value: "false"
+ # Set MTU for tunnel device used if ipip is enabled
+ - name: FELIX_IPINIPMTU
+ value: "1440"
 # Set Felix logging to "info"
 - name: FELIX_LOGSEVERITYSCREEN
 value: "info"
 # Auto-detect the BGP IP address.
 - name: IP
- value: ""
+ value: "autodetect"
+ - name: FELIX_HEALTHENABLED
+ value: "true"
 securityContext:
 privileged: true
 resources:
 requests:
 cpu: 250m
+ livenessProbe:
+ httpGet:
+ path: /liveness
+ port: 9099
+ periodSeconds: 10
+ initialDelaySeconds: 10
+ failureThreshold: 6
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 9099
+ periodSeconds: 10
 volumeMounts:
 - mountPath: /lib/modules
 name: lib-modules
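Review bot: `value: "autodetect"` for the `IP` variable in the @@ -177,21 +220,38 @@ hunk makes calico-node choose its BGP address with the default first-found interface method, which on a host with more than one interface (a container bridge, a secondary ENI) can pick the wrong address and leaves the choice undocumented. Consider pinning it with an `IP_AUTODETECTION_METHOD` entry, for example `value: "interface=eth.*"` (constructed example) or a `can-reach=` target, or at least add a comment above `- name: IP` stating that nodes are expected to have a single routable interface. The new probes on port 9099 are consistent with `FELIX_HEALTHENABLED: "true"`; the calico-node container spec continues outside this hunk.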
@@ -202,9 +262,12 @@ spec:
 # This container installs the Calico CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
- image: quay.io/calico/cni:v1.9.1
+ image: quay.io/calico/cni:v2.0.0
 command: ["/install-cni.sh"]
 env:
+ # Name of the CNI config file to create.
+ - name: CNI_CONF_NAME
+ value: "10-calico.conflist"
 # The location of the Calico etcd cluster.
 - name: ETCD_ENDPOINTS
 valueFrom:
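Review bot: `CNI_CONF_NAME: "10-calico.conflist"` changes the name of the file install-cni writes, so on a node upgraded in place any older single-plugin config left in /etc/cni/net.d (presumably the previous default, whose name ends in `.conf`) sorts before the new file and keeps being selected by the kubelet. A comment above the variable should make that explicit, e.g. `# Renaming the file leaves an older 10-calico.conf untouched; remove it when upgrading existing nodes.`, and the README entry added in this commit could carry the same instruction. The install-cni container spec continues outside this hunk.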
@@ -240,46 +303,51 @@ spec: --- -# This manifest deploys the Calico policy controller on Kubernetes. -# See https://github.com/projectcalico/k8s-policy +# This manifest deploys the Calico Kubernetes controllers. +# See https://github.com/projectcalico/kube-controllers apiVersion: extensions/v1beta1 kind: Deployment metadata: - name: calico-policy-controller + name: calico-kube-controllers namespace: kube-system labels: - k8s-app: calico-policy + k8s-app: calico-kube-controllers spec: - # The policy controller can only have a single active instance. + # The controllers can only have a single active instance. replicas: 1 strategy: type: Recreate template: metadata: - name: calico-policy-controller + name: calico-kube-controllers namespace: kube-system labels: - k8s-app: calico-policy-controller + k8s-app: calico-kube-controllers annotations: # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler # reserves resources for critical add-on pods so that they can be rescheduled after # a failure. This annotation works in tandem with the toleration below. scheduler.alpha.kubernetes.io/critical-pod: '' spec: - # The policy controller must run in the host network namespace so that + # The controllers must run in the host network namespace so that # it isn't governed by policy that would prevent it from working. hostNetwork: true tolerations: + # this taint is set by all kubelets running `--cloud-provider=external` + # so we should tolerate it to schedule the calico pods + - key: node.cloudprovider.kubernetes.io/uninitialized + value: "true" + effect: NoSchedule - key: node-role.kubernetes.io/master effect: NoSchedule # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. # This, along with the annotation above marks this pod as a critical add-on. 
- key: CriticalAddonsOnly operator: Exists - serviceAccountName: calico-policy-controller + serviceAccountName: calico-kube-controllers containers: - - name: calico-policy-controller - image: quay.io/calico/kube-policy-controller:v0.6.0 + - name: calico-kube-controllers + image: quay.io/calico/kube-controllers:v2.0.0 env: # The location of the Calico etcd cluster. - name: ETCD_ENDPOINTS @@ -291,12 +359,17 @@ spec: # service for API access. - name: K8S_API value: "https://kubernetes.default:443" + # Choose which controllers to run. + - name: ENABLED_CONTROLLERS + value: policy,profile,workloadendpoint,node # Since we're running in the host namespace and might not have KubeDNS # access, configure the container's /etc/hosts to resolve # kubernetes.default to the correct service clusterIP. - name: CONFIGURE_ETC_HOSTS value: "true" + --- + apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: @@ -309,12 +382,13 @@ subjects: - kind: ServiceAccount name: calico-cni-plugin namespace: kube-system + --- + kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: calico-cni-plugin - namespace: kube-system rules: - apiGroups: [""] resources: @@ -322,31 +396,36 @@ rules: - nodes verbs: - get + --- + apiVersion: v1 kind: ServiceAccount metadata: name: calico-cni-plugin namespace: kube-system + --- + apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: calico-policy-controller + name: calico-kube-controllers roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: calico-policy-controller + name: calico-kube-controllers subjects: - kind: ServiceAccount - name: calico-policy-controller + name: calico-kube-controllers namespace: kube-system + --- + kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: - name: calico-policy-controller - namespace: kube-system + name: calico-kube-controllers rules: - apiGroups: - "" 
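Review bot: Renaming the Deployment, ServiceAccount, ClusterRole and ClusterRoleBinding from calico-policy-controller to calico-kube-controllers (the hunk that begins on the previous line) means applying this manifest to an existing cluster creates the new objects but leaves the old ones running, so two controllers would drive the same etcd until the old resources are deleted by hand. The README line added in this commit only says "Update Calico to 3.0.1"; it should state that existing clusters need the old calico-policy-controller Deployment, ServiceAccount, ClusterRole and ClusterRoleBinding removed, or that the scripts only target freshly created clusters. The Deployment keeps `apiVersion: extensions/v1beta1`, which is fine for the Kubernetes version named in the README but is worth a comment since the rest of the manifest was touched.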
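Review bot: In the @@ -291,12 +359,17 @@ hunk the new `ENABLED_CONTROLLERS` entry is the only env value in this container written unquoted; `value: "policy,profile,workloadendpoint,node"` would match `K8S_API` and `CONFIGURE_ETC_HOSTS` around it and keeps the value a plain string if someone later adds a value that YAML would retype. The `node` entry also depends on the `nodes` resource granted to the ClusterRole at the end of this diff, so a comment such as `# "node" requires list/watch on nodes in the calico-kube-controllers ClusterRole` would keep the two in step.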
@@ -355,12 +434,15 @@ rules:
 - pods
 - namespaces
 - networkpolicies
+ - nodes
 verbs:
 - watch
 - list
+
 ---
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: calico-policy-controller
+ name: calico-kube-controllers
 namespace: kube-system
\ No newline at end of file
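Review bot: The file still ends without a trailing newline (`\ No newline at end of file`), which this rewrite of its last lines could have fixed; add a final newline so the next change to the ServiceAccount does not carry the same marker. The `- nodes` resource added to the calico-kube-controllers ClusterRole is what the `node` controller enabled via `ENABLED_CONTROLLERS` needs, and a one-line comment beside it, `# nodes: needed by the node controller enabled through ENABLED_CONTROLLERS`, would tie the grant to its consumer so it is not trimmed later as unused.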