aws · mogren · Mar 11, 2020 · Feb 11, 2020 · Feb 29, 2020 · Mar 10, 2020
@@ -32,7 +32,7 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: quay.io/calico/node:v3.8.1
+          image: quay.io/calico/node:v3.13.0
           env:
             # Use Kubernetes API as the backing datastore.
             - name: DATASTORE_TYPE
@@ -86,10 +86,10 @@ spec:
           securityContext:
             privileged: true
           livenessProbe:
-            httpGet:
-              path: /liveness
-              port: 9099
-              host: localhost
+            exec:
+              command:
+              - /bin/calico-node
+              - -felix-live
             periodSeconds: 10
             initialDelaySeconds: 10
             failureThreshold: 6
@@ -371,63 +371,55 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: calico-node
 rules:
+  # The CNI plugin needs to get pods, nodes, and namespaces.
   - apiGroups: [""]
     resources:
+      - pods
+      - nodes
       - namespaces
-      - serviceaccounts
     verbs:
       - get
-      - list
-      - watch
   - apiGroups: [""]
     resources:
-      - pods/status
+      - endpoints
+      - services
     verbs:
-      - patch
+      # Used to discover service IPs for advertisement.
+      - watch
+      - list
+      # Used to discover Typhas.
+      - get
   - apiGroups: [""]
     resources:
       - nodes/status
     verbs:
+      # Needed for clearing NodeNetworkUnavailable flag.
       - patch
+      # Calico stores some configuration information in node annotations.
       - update
-  - apiGroups: [""]
+  # Watch for changes to Kubernetes NetworkPolicies.
+  - apiGroups: ["networking.k8s.io"]
     resources:
-      - pods
+      - networkpolicies
     verbs:
-      - get
-      - list
       - watch
-  - apiGroups: [""]
-    resources:
-      - services
-    verbs:
-      - get
-  - apiGroups: [""]
-    resources:
-      - endpoints
-    verbs:
-      - get
-  - apiGroups: [""]
-    resources:
-      - nodes
-    verbs:
-      - get
       - list
-      - update
-      - watch
-  - apiGroups: ["extensions"]
+  # Used by Calico for policy information.
+  - apiGroups: [""]
     resources:
-      - networkpolicies
+      - pods
+      - namespaces
+      - serviceaccounts
     verbs:
-      - get
       - list
       - watch
-  - apiGroups: ["networking.k8s.io"]
+  # The CNI plugin patches pods/status.
+  - apiGroups: [""]
     resources:
-      - networkpolicies
+      - pods/status
     verbs:
-      - watch
-      - list
+      - patch
+  # Calico monitors various CRDs for config.
   - apiGroups: ["crd.projectcalico.org"]
     resources:
       - globalfelixconfigs
@@ -443,12 +435,38 @@ rules:
       - networksets
       - clusterinformations
       - hostendpoints
+      - blockaffinities
     verbs:
-      - create
       - get
       - list
+      - watch
+  # Calico must create and update some CRDs on startup.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ippools
+      - felixconfigurations
+      - clusterinformations
+    verbs:
+      - create
       - update
+  # Calico stores some configuration information on the node.
+  - apiGroups: [""]
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
       - watch
+  # These permissions are only requried for upgrade from v2.6, and can
+  # be removed after upgrade or on fresh installations.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - bgpconfigurations
+      - bgppeers
+    verbs:
+      - create
+      - update
+  # These permissions are required for Calico CNI to perform IPAM allocations.
   - apiGroups: ["crd.projectcalico.org"]
     resources:
       - blockaffinities
@@ -460,11 +478,24 @@ rules:
       - create
       - update
       - delete
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ipamconfigs
+    verbs:
+      - get
+  # Block affinities must also be watchable by confd for route aggregation.
   - apiGroups: ["crd.projectcalico.org"]
     resources:
       - blockaffinities
     verbs:
       - watch
+  # The Calico IPAM migration needs to get daemonsets. These permissions can be
+  # removed if not upgrading from an installation using host-local IPAM.
+  - apiGroups: ["apps"]
+    resources:
+      - daemonsets
+    verbs:
+      - get
 
 ---
 
@@ -511,8 +542,11 @@ spec:
           operator: Exists
       hostNetwork: true
       serviceAccountName: calico-node
+      # fsGroup allows using projected serviceaccount tokens as described here kubernetes/kubernetes#82573
+      securityContext:
+        fsGroup: 65534
       containers:
-        - image: quay.io/calico/typha:v3.8.1
+        - image: quay.io/calico/typha:v3.13.0
           name: calico-typha
           ports:
             - containerPort: 5473
@@ -551,6 +585,9 @@ spec:
               host: localhost
             periodSeconds: 30
             initialDelaySeconds: 30
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
           readinessProbe:
             httpGet:
               path: /readiness