From d0d833144d5fc30ace351277e5a2c30dde2ca24a Mon Sep 17 00:00:00 2001 From: Ole Markus With Date: Wed, 19 Feb 2020 10:06:09 +0100 Subject: [PATCH] Bump Cilium to 1.7 for k8s 1.12+ Cilium 1.7 requires K8s 1.12 minimum. Changed the templates so that we can have different cilium versions for different k8s versions. This also mean that this addon will behave similar to other addons wrt upgrades. Cilium used to add a fixed version to the cluster spec on cluster creation so upgrades were slightly more manual. Now, for new clusters, upgrades will happen implicitly with kops updates unless the .Version is added manually to the cluster spec. --- pkg/apis/kops/cluster.go | 3 -- pkg/apis/kops/networking.go | 1 - .../k8s-1.12.yaml.template | 28 ++++++++++++++++--- .../k8s-1.7.yaml.template | 4 +-- .../pkg/fi/cloudup/bootstrapchannelbuilder.go | 2 +- .../cilium/manifest.yaml | 8 +++--- 6 files changed, 31 insertions(+), 15 deletions(-) diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go index 0508983c44..04ab408cec 100644 --- a/pkg/apis/kops/cluster.go +++ b/pkg/apis/kops/cluster.go @@ -593,9 +593,6 @@ func (c *Cluster) FillDefaults() error { } else if c.Spec.Networking.AmazonVPC != nil { // OK } else if c.Spec.Networking.Cilium != nil { - if c.Spec.Networking.Cilium.Version == "" { - c.Spec.Networking.Cilium.Version = CiliumDefaultVersion - } // OK } else if c.Spec.Networking.LyftVPC != nil { // OK diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index 507f087333..54bb091a2b 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go @@ -191,7 +191,6 @@ type AmazonVPCNetworkingSpec struct { ImageName string `json:"imageName,omitempty"` } -const CiliumDefaultVersion = "v1.6.6" const CiliumIpamEni = "eni" // CiliumNetworkingSpec declares that we want Cilium networking diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12.yaml.template index 9e561703a8..e30474834c 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12.yaml.template @@ -162,6 +162,14 @@ rules: - get - list - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -215,6 +223,8 @@ rules: resources: - ciliumnetworkpolicies - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies + - ciliumclusterwidenetworkpolicies/status - ciliumendpoints - ciliumendpoints/status - ciliumnodes @@ -242,6 +252,14 @@ rules: - list - watch - delete +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -263,6 +281,8 @@ rules: resources: - ciliumnetworkpolicies - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies + - ciliumclusterwidenetworkpolicies/status - ciliumendpoints - ciliumendpoints/status - ciliumnodes @@ -324,7 +344,6 @@ spec: # gets priority scheduling. # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ scheduler.alpha.kubernetes.io/critical-pod: "" - scheduler.alpha.kubernetes.io/tolerations: '[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]' labels: k8s-app: cilium kubernetes.io/cluster-service: "true" @@ -380,7 +399,7 @@ spec: value: {{ . }} {{ end }} {{ with .Networking.Cilium }} - image: "docker.io/cilium/cilium:{{ .Version }}" + image: "docker.io/cilium/cilium:{{- or .Version "v.1.7.0" }}" imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -433,6 +452,7 @@ spec: volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps + mountPropagation: HostToContainer - mountPath: /var/run/cilium name: cilium-run - mountPath: /host/opt/cni/bin @@ -474,7 +494,7 @@ spec: key: wait-bpf-mount name: cilium-config optional: true - image: "docker.io/cilium/cilium:{{ .Version }}" + image: "docker.io/cilium/cilium:{{- or .Version "v1.7.0" }}" ## end of `with .Networking.Cilium` #{{ end }} imagePullPolicy: IfNotPresent @@ -660,7 +680,7 @@ spec: - name: KUBERNETES_SERVICE_PORT value: "443" {{ with .Networking.Cilium }} - image: "docker.io/cilium/operator:{{ .Version }}" + image: "docker.io/cilium/operator:{{- if eq .Version "" -}}v1.7.0{{- else -}}{{ .Version }}{{- end -}}" imagePullPolicy: IfNotPresent name: cilium-operator {{ if .EnablePrometheusMetrics }} diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.7.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.7.yaml.template index 6ad0a79f85..bf4d290a8c 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.7.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.7.yaml.template @@ -380,7 +380,7 @@ spec: value: {{ . }} {{ end }} {{ with .Networking.Cilium }} - image: "docker.io/cilium/cilium:{{ .Version }}" + image: "docker.io/cilium/cilium:{{- or .Version "v1.6.6" }}" imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -652,7 +652,7 @@ spec: - name: KUBERNETES_SERVICE_PORT value: "443" {{ with .Networking.Cilium }} - image: "docker.io/cilium/operator:{{ .Version }}" + image: "docker.io/cilium/operator:{{- or .Version "v1.6.6" }}" imagePullPolicy: IfNotPresent name: cilium-operator {{ if .EnablePrometheusMetrics }} diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go index 4b22472a6e..279b437d87 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go @@ -924,7 +924,7 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons { if b.cluster.Spec.Networking.Cilium != nil { key := "networking.cilium.io" - version := "1.6.6-kops.0" + version := "1.7.0-kops.1" { id := "k8s-1.7" diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml index 617a8a502b..8ccbf47d21 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml @@ -89,16 +89,16 @@ spec: - id: k8s-1.7 kubernetesVersion: <1.12.0 manifest: networking.cilium.io/k8s-1.7.yaml - manifestHash: 48b2e968039622b7dd5941497d0cda203334b508 + manifestHash: e6670d455bcd03c5b85ccb6ff6bbe6e068aa7674 name: networking.cilium.io selector: role.kubernetes.io/networking: "1" - version: 1.6.6-kops.0 + version: 1.7.0-kops.1 - id: k8s-1.12 kubernetesVersion: '>=1.12.0' manifest: networking.cilium.io/k8s-1.12.yaml - manifestHash: f52e9593af72a8caa8b8230f120594344f8418f1 + manifestHash: b01164cd1ba9d9bda7b4c9c22deda9bb6408aae9 name: networking.cilium.io selector: role.kubernetes.io/networking: "1" - version: 1.6.6-kops.0 + version: 1.7.0-kops.1