From 5ee9ba2ee6ab5a4838932a4018f2bab314313631 Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Tue, 7 Apr 2020 10:50:54 +0300
Subject: [PATCH 1/2] Update Calico and Canal to v3.13.2
---
 .../k8s-1.16.yaml.template | 31 ++-
 .../k8s-1.16.yaml.template | 243 +++++++++---------
 .../pkg/fi/cloudup/bootstrapchannelbuilder.go | 4 +-
 3 files changed, 148 insertions(+), 130 deletions(-)
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template
index 7b7fc87be1..a659deba06 100644
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template
@@ -330,6 +330,12 @@ rules: - list # Used to discover Typhas. - get + # Pod CIDR auto-detection on kubeadm needs access to config maps. + - apiGroups: [""] + resources: + - configmaps + verbs: + - get - apiGroups: [""] resources: - nodes/status
@@ -407,6 +413,7 @@ rules: verbs: - create - update + --- # Flannel ClusterRole # Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
@@ -522,6 +529,10 @@ spec: k8s-app: calico-typha role.kubernetes.io/networking: "1" annotations: + # This, along with the CriticalAddonsOnly toleration below, marks the pod as a critical + # add-on, ensuring it gets priority scheduling and that its resources are reserved + # if it ever gets evicted. + scheduler.alpha.kubernetes.io/critical-pod: '' cluster-autoscaler.kubernetes.io/safe-to-evict: 'true' spec: nodeSelector:
@@ -542,7 +553,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.13.1 + - image: calico/typha:v3.13.2 name: calico-typha ports: - containerPort: 5473
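Review bot: The configmaps `get` rule added in the `@@ -330,6 +330,12 @@` hunk is cluster-wide and unscoped, so the calico-node service account can read any ConfigMap in any namespace by name, while the comment justifies it only by Pod CIDR auto-detection on kubeadm, which kops does not use to bootstrap nodes. Least privilege would either leave the rule out of the kops templates or pin it to the single ConfigMap kubeadm writes, e.g. adding `resourceNames: ["kubeadm-config"]` under `resources:` (presumably `kubeadm-config` in kube-system — confirm against the calico-node startup code before pinning). The same rule is added in the calico template's `@@ -388,6 +379,12 @@` hunk and should be treated the same way. The enclosing ClusterRole starts and ends outside the hunk.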
@@ -631,6 +642,12 @@ spec: labels: k8s-app: canal role.kubernetes.io/networking: "1" + annotations: + # This, along with the CriticalAddonsOnly toleration below, + # marks the pod as a critical add-on, ensuring it gets + # priority scheduling and that its resources are reserved + # if it ever gets evicted. + scheduler.alpha.kubernetes.io/critical-pod: '' spec: nodeSelector: kubernetes.io/os: linux
@@ -653,7 +670,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.13.1 + image: calico/cni:v3.13.2 command: ["/install-cni.sh"] env: # Name of the CNI config file to create.
@@ -689,7 +706,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.13.1 + image: calico/pod2daemon-flexvol:v3.13.2 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver
@@ -700,7 +717,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.13.1 + image: calico/node:v3.13.2 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE
@@ -751,9 +768,9 @@ spec: # Disable IPv6 on Kubernetes. - name: FELIX_IPV6SUPPORT value: "false" - # Set Felix logging to "INFO" + # Set Felix logging to "info" - name: FELIX_LOGSEVERITYSCREEN - value: "{{- or .Networking.Canal.LogSeveritySys "INFO" }}" + value: "{{- or .Networking.Canal.LogSeveritySys "info" }}" - name: FELIX_HEALTHENABLED value: "true"
@@ -780,7 +797,7 @@ spec: privileged: true resources: requests: - cpu: 250m + cpu: 90m livenessProbe: exec: command:
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
index 7d3285b3cb..547827ddd4 100644
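Review bot: The rewritten default in the `@@ -751,9 +768,9 @@` hunk still feeds `.Networking.Canal.LogSeveritySys` into `FELIX_LOGSEVERITYSCREEN`, so a cluster-spec field named for syslog severity ends up controlling Felix's stdout logging; lowercasing the fallback does not change that. If the field is meant for syslog the env var should presumably be `FELIX_LOGSEVERITYSYS`, and if it is meant for the container log the field name is misleading — either way the line deserves a comment such as `# NOTE: LogSeveritySys is applied to the screen logger, not syslog; confirm which is intended`. The mismatch predates this commit, but the touched line is the natural place to settle it; the container spec continues outside the hunk.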
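Review bot: The CPU request drop from `250m` to `90m` in the `@@ -780,7 +797,7 @@` hunk is the only resource change in the series and carries no rationale, and nothing on the page shows the upstream manifest it tracks having changed the value. With no limit visible the pod stays Burstable, but a lower request makes calico-node more likely to be CPU-starved on a contended node, which surfaces as policy and route programming lag rather than a crash. A comment above the request would keep the next reviewer from "fixing" it back, e.g. `# Lowered from the upstream 250m default; see <kops issue/PR placeholder>`. Any limits in the resources stanza are outside the hunk.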
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
@@ -1,4 +1,4 @@
-# Pulled and modified from: https://docs.projectcalico.org/v3.12/manifests/calico-typha.yaml
+# Pulled and modified from: https://docs.projectcalico.org/v3.13/manifests/calico-typha.yaml
 ---
 # Source: calico/templates/calico-config.yaml
@@ -60,106 +60,6 @@ data: --- # Source: calico/templates/kdd-crds.yaml -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: felixconfigurations.crd.projectcalico.org - labels: - role.kubernetes.io/networking: "1" -spec: - scope: Cluster - group: crd.projectcalico.org - version: v1 - names: - kind: FelixConfiguration - plural: felixconfigurations - singular: felixconfiguration ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ipamblocks.crd.projectcalico.org - labels: - role.kubernetes.io/networking: "1" -spec: - scope: Cluster - group: crd.projectcalico.org - version: v1 - names: - kind: IPAMBlock - plural: ipamblocks - singular: ipamblock - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: blockaffinities.crd.projectcalico.org - labels: - role.kubernetes.io/networking: "1" -spec: - scope: Cluster - group: crd.projectcalico.org - version: v1 - names: - kind: BlockAffinity - plural: blockaffinities - singular: blockaffinity - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ipamhandles.crd.projectcalico.org - labels: - role.kubernetes.io/networking: "1" -spec: - scope: Cluster - group: crd.projectcalico.org - version: v1 - names: - kind: IPAMHandle - plural: ipamhandles - singular: ipamhandle - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ipamconfigs.crd.projectcalico.org - labels: - role.kubernetes.io/networking: "1" -spec: - scope: Cluster - group: crd.projectcalico.org - version: v1 - names: - kind: IPAMConfig - plural: ipamconfigs - singular: ipamconfig - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: bgppeers.crd.projectcalico.org - labels: - role.kubernetes.io/networking: "1" -spec: - scope: Cluster - group: crd.projectcalico.org - version: v1 - names: - kind: 
BGPPeer - plural: bgppeers - singular: bgppeer - ---- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition @@ -177,11 +77,10 @@ spec: singular: bgpconfiguration --- - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: ippools.crd.projectcalico.org + name: bgppeers.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" spec: @@ -189,16 +88,15 @@ spec: group: crd.projectcalico.org version: v1 names: - kind: IPPool - plural: ippools - singular: ippool + kind: BGPPeer + plural: bgppeers + singular: bgppeer --- - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: hostendpoints.crd.projectcalico.org + name: blockaffinities.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" spec: @@ -206,12 +104,11 @@ spec: group: crd.projectcalico.org version: v1 names: - kind: HostEndpoint - plural: hostendpoints - singular: hostendpoint + kind: BlockAffinity + plural: blockaffinities + singular: blockaffinity --- - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: @@ -229,6 +126,22 @@ spec: --- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: felixconfigurations.crd.projectcalico.org + labels: + role.kubernetes.io/networking: "1" +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: FelixConfiguration + plural: felixconfigurations + singular: felixconfiguration + +--- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: @@ -245,7 +158,6 @@ spec: singular: globalnetworkpolicy --- - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: 
@@ -262,7 +174,86 @@ spec: singular: globalnetworkset --- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: hostendpoints.crd.projectcalico.org + labels: + role.kubernetes.io/networking: "1" +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: HostEndpoint + plural: hostendpoints + singular: hostendpoint +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ipamblocks.crd.projectcalico.org + labels: + role.kubernetes.io/networking: "1" +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: IPAMBlock + plural: ipamblocks + singular: ipamblock + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ipamconfigs.crd.projectcalico.org + labels: + role.kubernetes.io/networking: "1" +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: IPAMConfig + plural: ipamconfigs + singular: ipamconfig + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ipamhandles.crd.projectcalico.org + labels: + role.kubernetes.io/networking: "1" +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: IPAMHandle + plural: ipamhandles + singular: ipamhandle + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.projectcalico.org + labels: + role.kubernetes.io/networking: "1" +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: IPPool + plural: ippools + singular: ippool + +--- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: @@ -279,7 +270,6 @@ spec: singular: networkpolicy --- - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: 
@@ -294,6 +284,7 @@ spec: kind: NetworkSet plural: networksets singular: networkset + --- # Source: calico/templates/rbac.yaml @@ -388,6 +379,12 @@ rules: - list # Used to discover Typhas. - get + # Pod CIDR auto-detection on kubeadm needs access to config maps. + - apiGroups: [""] + resources: + - configmaps + verbs: + - get - apiGroups: [""] resources: - nodes/status @@ -495,6 +492,7 @@ rules: - daemonsets verbs: - get + --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -558,6 +556,10 @@ spec: selector: matchLabels: k8s-app: calico-typha + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 template: metadata: labels: @@ -588,7 +590,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.12.0 + - image: calico/typha:v3.13.2 name: calico-typha ports: - containerPort: 5473 @@ -706,7 +708,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: calico/cni:v3.12.0 + image: calico/cni:v3.13.2 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] env: - name: KUBERNETES_NODE_NAME @@ -728,7 +730,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.12.0 + image: calico/cni:v3.13.2 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. @@ -764,7 +766,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.12.0 + image: calico/pod2daemon-flexvol:v3.13.2 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -775,7 +777,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.12.0 + image: calico/node:v3.13.2 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE 
@@ -804,7 +806,6 @@ spec: key: calico_backend # Cluster type to identify the deployment type - name: CLUSTER_TYPE - # was value: "k8s,bgp" value: "kops,bgp" # Auto-detect the BGP IP address. - name: IP
@@ -980,7 +981,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: calico/kube-controllers:v3.12.0 + image: calico/kube-controllers:v3.13.2 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index de2e7f11ff..e47f6ca154 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -703,7 +703,7 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 "k8s-1.7": "2.6.12-kops.1",
 "k8s-1.7-v3": "3.8.0-kops.2",
 "k8s-1.12": "3.9.5-kops.1",
- "k8s-1.16": "3.12.0-kops.1",
+ "k8s-1.16": "3.13.2-kops.1",
 } {
@@ -771,7 +771,7 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 "k8s-1.9": "3.2.3-kops.1",
 "k8s-1.12": "3.7.5-kops.1",
 "k8s-1.15": "3.12.0-kops.1",
- "k8s-1.16": "3.13.1-kops.1",
+ "k8s-1.16": "3.13.2-kops.1",
 } {
 id := "k8s-1.9"
From 49dfafc6064c7c7a36317d97f7b9626b8f008d7f Mon Sep 17 00:00:00 2001
From: Ciprian Hacman
Date: Tue, 7 Apr 2020 11:38:33 +0300
Subject: [PATCH 2/2] Remove critical-pod annotation
---
 .../k8s-1.16.yaml.template | 10 ----------
 .../k8s-1.16.yaml.template | 10 ----------
 2 files changed, 20 deletions(-)
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template
index a659deba06..5eba5373ac 100644
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template
@@ -529,10 +529,6 @@ spec: k8s-app: calico-typha role.kubernetes.io/networking: "1" annotations: - # This, along with the CriticalAddonsOnly toleration below, marks the pod as a critical - # add-on, ensuring it gets priority scheduling and that its resources are reserved - # if it ever gets evicted. - scheduler.alpha.kubernetes.io/critical-pod: '' cluster-autoscaler.kubernetes.io/safe-to-evict: 'true' spec: nodeSelector:
@@ -642,12 +638,6 @@ spec: labels: k8s-app: canal role.kubernetes.io/networking: "1" - annotations: - # This, along with the CriticalAddonsOnly toleration below, - # marks the pod as a critical add-on, ensuring it gets - # priority scheduling and that its resources are reserved - # if it ever gets evicted. - scheduler.alpha.kubernetes.io/critical-pod: '' spec: nodeSelector: kubernetes.io/os: linux
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
index 547827ddd4..48aa8f7cee 100644
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
@@ -566,10 +566,6 @@ spec: k8s-app: calico-typha role.kubernetes.io/networking: "1" annotations: - # This, along with the CriticalAddonsOnly toleration below, marks the pod as a critical - # add-on, ensuring it gets priority scheduling and that its resources are reserved - # if it ever gets evicted. - scheduler.alpha.kubernetes.io/critical-pod: '' cluster-autoscaler.kubernetes.io/safe-to-evict: 'true' spec: nodeSelector:
@@ -679,12 +675,6 @@ spec: labels: k8s-app: calico-node role.kubernetes.io/networking: "1" - annotations: - # This, along with the CriticalAddonsOnly toleration below, - # marks the pod as a critical add-on, ensuring it gets - # priority scheduling and that its resources are reserved - # if it ever gets evicted. - scheduler.alpha.kubernetes.io/critical-pod: '' spec: nodeSelector: kubernetes.io/os: linux