diff --git a/config/v1.3/calico.yaml b/config/v1.3/calico.yaml index 2c5be7b33c..730b7edfd1 100644 --- a/config/v1.3/calico.yaml +++ b/config/v1.3/calico.yaml @@ -25,6 +25,8 @@ spec: # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' spec: + nodeSelector: + beta.kubernetes.io/os: linux hostNetwork: true serviceAccountName: calico-node # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force @@ -35,7 +37,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: quay.io/calico/node:v3.1.3 + image: quay.io/calico/node:v3.3.6 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE @@ -60,10 +62,6 @@ spec: # Set Felix endpoint to host default action to ACCEPT. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: "ACCEPT" - # This will make Felix honor AWS VPC CNI's mangle table - # rules. - - name: FELIX_IPTABLESMANGLEALLOWACTION - value: Return # Disable IPV6 on Kubernetes. - name: FELIX_IPV6SUPPORT value: "false" @@ -88,6 +86,9 @@ spec: value: "true" securityContext: privileged: true + resources: + requests: + cpu: 250m livenessProbe: httpGet: path: /liveness @@ -97,17 +98,24 @@ spec: initialDelaySeconds: 10 failureThreshold: 6 readinessProbe: - httpGet: - path: /readiness - port: 9099 + exec: + command: + - /bin/calico-node + - -felix-ready periodSeconds: 10 volumeMounts: - mountPath: /lib/modules name: lib-modules readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false - mountPath: /var/run/calico name: var-run-calico readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false volumes: # Used to ensure proper kmods are installed. - name: lib-modules 
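Review bot: The deletion of `FELIX_IPTABLESMANGLEALLOWACTION` in the hunk at `@@ -60` is not explained anywhere in the commit, even though the removed comment says the setting makes Felix honor the AWS VPC CNI's mangle table rules. Unless node:v3.3.6 changed Felix's default for that option, Felix now falls back to its default allow action in the mangle chain, and the CNI's rules may no longer be reached for traffic Felix accepts there; that is a data-path change that should be confirmed on a cluster with pods on secondary ENIs before shipping. If the drop is intentional, leave a comment in its place such as `# FELIX_IPTABLESMANGLEALLOWACTION is no longer needed as of node:v3.3.6 -- <reason>`; if it is not, restore `- name: FELIX_IPTABLESMANGLEALLOWACTION` / `value: Return`. The same deletion appears in the v1.4 copy of this hunk and in both calico-typha rewrites.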
@@ -116,9 +124,22 @@ spec: - name: var-run-calico hostPath: path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate tolerations: # Make sure calico/node gets scheduled on all nodes. - - operator: Exists + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists --- @@ -128,7 +149,7 @@ spec: apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: felixconfigurations.crd.projectcalico.org + name: felixconfigurations.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org @@ -263,6 +284,7 @@ rules: - apiGroups: [""] resources: - namespaces + - serviceaccounts verbs: - get - list @@ -271,7 +293,7 @@ rules: resources: - pods/status verbs: - - update + - patch - apiGroups: [""] resources: - pods @@ -279,7 +301,6 @@ rules: - get - list - watch - - patch - apiGroups: [""] resources: - services @@ -342,9 +363,9 @@ roleRef: kind: ClusterRole name: calico-node subjects: -- kind: ServiceAccount - name: calico-node - namespace: kube-system + - kind: ServiceAccount + name: calico-node + namespace: kube-system --- 
@@ -363,67 +384,78 @@ spec: k8s-app: calico-typha annotations: scheduler.alpha.kubernetes.io/critical-pod: '' + cluster-autoscaler.kuberentes.io/safe-to-evict: 'true' spec: + nodeSelector: + beta.kubernetes.io/os: linux tolerations: - - operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists hostNetwork: true serviceAccountName: calico-node containers: - - image: quay.io/calico/typha:v0.7.4 - name: calico-typha - ports: - - containerPort: 5473 + - image: quay.io/calico/typha:v3.3.6 name: calico-typha - protocol: TCP - env: - # Use eni not cali for interface prefix - - name: FELIX_INTERFACEPREFIX - value: "eni" - - name: TYPHA_LOGFILEPATH - value: "none" - - name: TYPHA_LOGSEVERITYSYS - value: "none" - - name: TYPHA_LOGSEVERITYSCREEN - value: "info" - - name: TYPHA_PROMETHEUSMETRICSENABLED - value: "true" - - name: TYPHA_CONNECTIONREBALANCINGMODE - value: "kubernetes" - - name: TYPHA_PROMETHEUSMETRICSPORT - value: "9093" - - name: TYPHA_DATASTORETYPE - value: "kubernetes" - - name: TYPHA_MAXCONNECTIONSLOWERLIMIT - value: "1" - - name: TYPHA_HEALTHENABLED - value: "true" - # This will make Felix honor AWS VPC CNI's mangle table - # rules. 
- - name: FELIX_IPTABLESMANGLEALLOWACTION - value: Return - volumeMounts: - - mountPath: /etc/calico - name: etc-calico - readOnly: true - livenessProbe: - httpGet: - path: /liveness - port: 9098 - periodSeconds: 30 - initialDelaySeconds: 30 - readinessProbe: - httpGet: - path: /readiness - port: 9098 - periodSeconds: 10 - volumes: - - name: etc-calico - hostPath: - path: /etc/calico - + ports: + - containerPort: 5473 + name: calico-typha + protocol: TCP + env: + # Use eni not cali for interface prefix + - name: FELIX_INTERFACEPREFIX + value: "eni" + - name: TYPHA_LOGFILEPATH + value: "none" + - name: TYPHA_LOGSEVERITYSYS + value: "none" + - name: TYPHA_LOGSEVERITYSCREEN + value: "info" + - name: TYPHA_PROMETHEUSMETRICSENABLED + value: "true" + - name: TYPHA_CONNECTIONREBALANCINGMODE + value: "kubernetes" + - name: TYPHA_PROMETHEUSMETRICSPORT + value: "9093" + - name: TYPHA_DATASTORETYPE + value: "kubernetes" + - name: TYPHA_MAXCONNECTIONSLOWERLIMIT + value: "1" + - name: TYPHA_HEALTHENABLED + value: "true" + livenessProbe: + exec: + command: + - calico-typha + - check + - liveness + periodSeconds: 30 + initialDelaySeconds: 30 + readinessProbe: + exec: + command: + - calico-typha + - check + - readiness + periodSeconds: 10 --- +# This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: calico-typha + namespace: kube-system + labels: + k8s-app: calico-typha +spec: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: calico-typha + +--- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: diff --git a/config/v1.4/calico.yaml b/config/v1.4/calico.yaml index 97d955f9eb..573f530524 100644 --- a/config/v1.4/calico.yaml +++ b/config/v1.4/calico.yaml 
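Review bot: The new annotation key `cluster-autoscaler.kuberentes.io/safe-to-evict` misspells the domain (`kuberentes`), so the Cluster Autoscaler will never match it and the PDB comment's stated goal of letting the autoscaler evict Typha is not met; the line should read `cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'`. An unknown annotation is accepted silently at apply time, so this only shows up later as nodes that refuse to scale down. The same typo is in the v1.4 copy of this hunk. Separately, the tolerations now cover only `CriticalAddonsOnly` where the removed `- operator: Exists` tolerated every taint; that looks intentional, but it changes where Typha can be scheduled on tainted nodes and deserves a one-line comment saying so.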
@@ -25,6 +25,8 @@ spec: # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' spec: + nodeSelector: + beta.kubernetes.io/os: linux hostNetwork: true serviceAccountName: calico-node # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force @@ -35,7 +37,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: quay.io/calico/node:v3.1.3 + image: quay.io/calico/node:v3.3.6 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE @@ -60,10 +62,6 @@ spec: # Set Felix endpoint to host default action to ACCEPT. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: "ACCEPT" - # This will make Felix honor AWS VPC CNI's mangle table - # rules. - - name: FELIX_IPTABLESMANGLEALLOWACTION - value: Return # Disable IPV6 on Kubernetes. - name: FELIX_IPV6SUPPORT value: "false" @@ -88,6 +86,9 @@ spec: value: "true" securityContext: privileged: true + resources: + requests: + cpu: 250m livenessProbe: httpGet: path: /liveness @@ -97,17 +98,24 @@ spec: initialDelaySeconds: 10 failureThreshold: 6 readinessProbe: - httpGet: - path: /readiness - port: 9099 + exec: + command: + - /bin/calico-node + - -felix-ready periodSeconds: 10 volumeMounts: - mountPath: /lib/modules name: lib-modules readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false - mountPath: /var/run/calico name: var-run-calico readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false volumes: # Used to ensure proper kmods are installed. - name: lib-modules 
@@ -116,9 +124,22 @@ spec: - name: var-run-calico hostPath: path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate tolerations: # Make sure calico/node gets scheduled on all nodes. - - operator: Exists + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists --- @@ -128,7 +149,7 @@ spec: apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: felixconfigurations.crd.projectcalico.org + name: felixconfigurations.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org @@ -177,7 +198,10 @@ metadata: spec: scope: Cluster group: crd.projectcalico.org - version: v1 + versions: + - name: v1 + served: true + storage: true names: kind: HostEndpoint plural: hostendpoints @@ -192,7 +216,10 @@ metadata: spec: scope: Cluster group: crd.projectcalico.org - version: v1 + versions: + - name: v1 + served: true + storage: true names: kind: ClusterInformation plural: clusterinformations @@ -207,7 +234,10 @@ metadata: spec: scope: Cluster group: crd.projectcalico.org - version: v1 + versions: + - name: v1 + served: true + storage: true names: kind: GlobalNetworkPolicy plural: globalnetworkpolicies @@ -222,7 +252,10 @@ metadata: spec: scope: Cluster group: crd.projectcalico.org - version: v1 + versions: + - name: v1 + served: true + storage: true names: kind: GlobalNetworkSet plural: globalnetworksets @@ -237,7 +270,10 @@ metadata: spec: scope: Namespaced group: crd.projectcalico.org - version: v1 + versions: + - name: v1 + served: true + storage: true names: kind: NetworkPolicy plural: networkpolicies @@ -263,6 +299,7 @@ rules: - apiGroups: [""] resources: - namespaces + - serviceaccounts verbs: - get - list 
@@ -271,7 +308,7 @@ rules: resources: - pods/status verbs: - - update + - patch - apiGroups: [""] resources: - pods @@ -279,7 +316,6 @@ rules: - get - list - watch - - patch - apiGroups: [""] resources: - services @@ -342,9 +378,9 @@ roleRef: kind: ClusterRole name: calico-node subjects: -- kind: ServiceAccount - name: calico-node - namespace: kube-system + - kind: ServiceAccount + name: calico-node + namespace: kube-system --- 
@@ -363,66 +399,78 @@ spec: k8s-app: calico-typha annotations: scheduler.alpha.kubernetes.io/critical-pod: '' + cluster-autoscaler.kuberentes.io/safe-to-evict: 'true' spec: + nodeSelector: + beta.kubernetes.io/os: linux tolerations: - - operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists hostNetwork: true serviceAccountName: calico-node containers: - - image: quay.io/calico/typha:v0.7.4 - name: calico-typha - ports: - - containerPort: 5473 + - image: quay.io/calico/typha:v3.3.6 name: calico-typha - protocol: TCP - env: - # Use eni not cali for interface prefix - - name: FELIX_INTERFACEPREFIX - value: "eni" - - name: TYPHA_LOGFILEPATH - value: "none" - - name: TYPHA_LOGSEVERITYSYS - value: "none" - - name: TYPHA_LOGSEVERITYSCREEN - value: "info" - - name: TYPHA_PROMETHEUSMETRICSENABLED - value: "true" - - name: TYPHA_CONNECTIONREBALANCINGMODE - value: "kubernetes" - - name: TYPHA_PROMETHEUSMETRICSPORT - value: "9093" - - name: TYPHA_DATASTORETYPE - value: "kubernetes" - - name: TYPHA_MAXCONNECTIONSLOWERLIMIT - value: "1" - - name: TYPHA_HEALTHENABLED - value: "true" - # This will make Felix honor AWS VPC CNI's mangle table - # rules. 
- - name: FELIX_IPTABLESMANGLEALLOWACTION - value: Return - volumeMounts: - - mountPath: /etc/calico - name: etc-calico - readOnly: true - livenessProbe: - httpGet: - path: /liveness - port: 9098 - periodSeconds: 30 - initialDelaySeconds: 30 - readinessProbe: - httpGet: - path: /readiness - port: 9098 - periodSeconds: 10 - volumes: - - name: etc-calico - hostPath: - path: /etc/calico + ports: + - containerPort: 5473 + name: calico-typha + protocol: TCP + env: + # Use eni not cali for interface prefix + - name: FELIX_INTERFACEPREFIX + value: "eni" + - name: TYPHA_LOGFILEPATH + value: "none" + - name: TYPHA_LOGSEVERITYSYS + value: "none" + - name: TYPHA_LOGSEVERITYSCREEN + value: "info" + - name: TYPHA_PROMETHEUSMETRICSENABLED + value: "true" + - name: TYPHA_CONNECTIONREBALANCINGMODE + value: "kubernetes" + - name: TYPHA_PROMETHEUSMETRICSPORT + value: "9093" + - name: TYPHA_DATASTORETYPE + value: "kubernetes" + - name: TYPHA_MAXCONNECTIONSLOWERLIMIT + value: "1" + - name: TYPHA_HEALTHENABLED + value: "true" + livenessProbe: + exec: + command: + - calico-typha + - check + - liveness + periodSeconds: 30 + initialDelaySeconds: 30 + readinessProbe: + exec: + command: + - calico-typha + - check + - readiness + periodSeconds: 10 --- +# This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: calico-typha + namespace: kube-system + labels: + k8s-app: calico-typha +spec: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: calico-typha + +--- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: