diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.22.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.22.yaml.template index 6fc9558d72..ca7bb5d24a 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.22.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.22.yaml.template @@ -4113,6 +4113,14 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: calico rules: + # Used for creating service account tokens to be used by the CNI plugin + - apiGroups: [""] + resources: + - serviceaccounts/token + resourceNames: + - canal + verbs: + - create # The CNI plugin needs to get pods, nodes, and namespaces. - apiGroups: [""] resources: @@ -4358,7 +4366,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.23.1 + - image: calico/typha:v3.23.3 name: calico-typha ports: - containerPort: 5473 @@ -4468,7 +4476,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:v3.23.1 + image: docker.io/calico/cni:v3.23.3 command: ["/opt/cni/bin/install"] envFrom: - configMapRef: @@ -4476,6 +4484,12 @@ spec: name: kubernetes-services-endpoint optional: true env: + # Set the serviceaccount name to use for the Calico CNI plugin. + # We use canal-node instead of calico-node when using flannel networking. + - name: CALICO_CNI_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName # Name of the CNI config file to create. - name: CNI_CONF_NAME value: "10-canal.conflist" 
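Review bot: Because `calico` is a ClusterRole, `resourceNames: [canal]` on `serviceaccounts/token` matches a ServiceAccount named `canal` in every namespace, not only the one the DaemonSet runs in, so whatever is bound to this role can mint tokens for any same-named SA a tenant later creates. That is harmless as long as the binding is limited to the `canal` SA itself and no other `canal` SA is ever granted anything, but the binding and the SA definition are outside this hunk, so I cannot confirm it here. I would state it in the comment: `# Lets the CNI plugin mint short-lived tokens for its own SA via TokenRequest. Note: being a ClusterRole, this matches any SA named "canal" in any namespace.`. The `rules:` list continues past the end of the hunk.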
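Review bot: The comment says the account is `canal-node`, but the `serviceaccounts/token` rule added earlier in this diff only permits `resourceNames: canal`; `spec.serviceAccountName` is resolved at runtime, so if the DaemonSet runs as anything other than `canal` the CNI plugin's TokenRequest is denied and pod networking setup fails on every node. The DaemonSet's `serviceAccountName` is not in this hunk, so I can't verify which name is in effect, but the comment should name the account the RBAC rule actually allows rather than a different one. Suggested wording: `# Must match the SA permitted by the serviceaccounts/token rule in the calico ClusterRole (canal).`. The `env:` list continues outside the hunk.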
@@ -4506,12 +4520,36 @@ spec: name: cni-net-dir securityContext: privileged: true + # This init container mounts the necessary filesystems needed by the BPF data plane + # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed + # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. + - name: "mount-bpffs" + image: docker.io/calico/node:v3.23.3 + command: ["calico-node", "-init", "-best-effort"] + volumeMounts: + - mountPath: /sys/fs + name: sys-fs + # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host + # so that it outlives the init container. + mountPropagation: Bidirectional + - mountPath: /var/run/calico + name: var-run-calico + # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host + # so that it outlives the init container. + mountPropagation: Bidirectional + # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary, + # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly. + - mountPath: /nodeproc + name: nodeproc + readOnly: true + securityContext: + privileged: true containers: # Runs canal container on each Kubernetes node. This # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:v3.23.1 + image: docker.io/calico/node:v3.23.3 envFrom: - configMapRef: # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 
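Review bot: `mount-bpffs` runs privileged with `mountPropagation: Bidirectional` on the host's `/sys/fs` and `/var/run/calico`, plus a read-only view of host `/proc`, on every node even when the data plane stays in iptables mode, and `-best-effort` turns any failure into a log line rather than a pod failure. Neither fact is stated where an operator enabling eBPF mode would look, and a silently failed mount would only surface later as missing BPF programs. I would extend the comment with: `# Runs on every node regardless of data plane; privileged is required for Bidirectional propagation. When enabling BPF mode, check this container's log and that /sys/fs/bpf is mounted on the host, since -best-effort suppresses failures.`. The `volumeMounts`/`volumes` the names refer to are defined outside this hunk.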
@@ -4540,6 +4578,12 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + # Set the serviceaccount name to use for the Calico CNI plugin. + # We use canal-node instead of calico-node when using flannel networking. + - name: CALICO_CNI_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName # Don't enable BGP. - name: CALICO_NETWORKING_BACKEND value: "none" @@ -4645,11 +4689,8 @@ spec: mountPath: /var/run/nodeagent # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the # parent directory. - - name: sysfs - mountPath: /sys/fs/ - # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host. - # If the host is known to mount that filesystem already then Bidirectional can be omitted. - mountPropagation: Bidirectional + - name: bpffs + mountPath: /sys/fs/bpf - name: cni-log-dir mountPath: /var/log/calico/cni readOnly: true @@ -4704,10 +4745,18 @@ spec: hostPath: path: /run/xtables.lock type: FileOrCreate - - name: sysfs + - name: sys-fs hostPath: path: /sys/fs/ type: DirectoryOrCreate + - name: bpffs + hostPath: + path: /sys/fs/bpf + type: Directory + # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs. + - name: nodeproc + hostPath: + path: /proc # Used by flannel. - name: flannel-cfg configMap: @@ -4791,7 +4840,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.23.1 + image: docker.io/calico/kube-controllers:v3.23.3 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS
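Review bot: The context comment just above the new mount, `# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the parent directory.`, now contradicts the code: the mount is `/sys/fs/bpf` itself with no `mountPropagation`, and the parent-directory mount has moved to the `mount-bpffs` init container. Removing Bidirectional propagation from the long-running container is a real least-privilege improvement, so the comment should say that instead of the opposite, e.g. `# For eBPF mode. The BPF filesystem is mounted on the host by the mount-bpffs init container, so this container only needs the mount point and no mount propagation.`. The `volumeMounts:` list continues on both sides of the hunk.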
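Review bot: The new `nodeproc` volume exposes the host's `/proc` with no `type:` at all, while its sibling `bpffs` is pinned with `type: Directory`; adding `type: Directory` under the `nodeproc` hostPath makes the kubelet reject a missing or non-directory path instead of mounting something unexpected, and marks the host-namespace exposure as deliberate. `bpffs` with `type: Directory` also means, as far as I know, that the kubelet checks `/sys/fs/bpf` exists before any init container runs, so pod creation depends on the node image already providing that directory (kernels with BPF support create it even when bpffs is not mounted, but that assumption should be stated). Suggested comment on `nodeproc`: `# Host /proc, mounted read-only and used only by mount-bpffs to mount the root cgroup2 fs; deliberate host-namespace exposure.`. The `volumes:` list continues outside the hunk.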