kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
kops/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.7.yaml.template

466 lines
12 KiB
Plaintext
Raw Blame History

{{- $etcd_scheme := EtcdScheme }}
kind: ConfigMap
apiVersion: v1
metadata:
name: cilium-config
namespace: kube-system
data:
etcd-config: |-
---
endpoints: [{{ $cluster := index .EtcdClusters 0 -}}
{{- range $j, $member := $cluster.Members -}}
{{- if $j }},{{ end -}}
"{{ $etcd_scheme }}://etcd-{{ $member.Name }}.internal.{{ ClusterName }}:4001"
{{- end }}]
{{- if eq $etcd_scheme "https" }}
ca-file: '/var/lib/etcd-secrets/ca.pem'
key-file: '/var/lib/etcd-secrets/calico-client-key.pem'
cert-file: '/var/lib/etcd-secrets/calico-client.pem'
{{- end }}
# If you want to run cilium in debug mode change this value to true
debug: "false"
disable-ipv4: "false"
sidecar-http-proxy: "false"
# If you want to clean cilium state; change this value to true
clean-cilium-state: "false"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cilium
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cilium
subjects:
- kind: ServiceAccount
name: cilium
namespace: kube-system
- kind: Group
name: system:nodes
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: cilium
namespace: kube-system
spec:
template:
metadata:
labels:
k8s-app: cilium
kubernetes.io/cluster-service: "true"
annotations:
# This annotation plus the CriticalAddonsOnly toleration makes
# cilium to be a critical pod in the cluster, which ensures cilium
# gets priority scheduling.
# https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
scheduler.alpha.kubernetes.io/critical-pod: ''
scheduler.alpha.kubernetes.io/tolerations: >-
[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]
prometheus.io/scrape: "true"
prometheus.io/port: "9090"
spec:
serviceAccountName: cilium
{{ with .Networking.Cilium }}
containers:
- image: "cilium/cilium:{{ .Version }}"
imagePullPolicy: Always
name: cilium-agent
command: [ "cilium-agent" ]
args:
{{ if .Debug }}
- "--debug=true"
{{ end }}
{{ if .DebugVerbose}}
{{ range $j, $group:= .DebugVerbose}}
- "--debug-verbose"
- "{{ $group}}"
{{ end }}
{{ end }}
{{ if ne .AccessLog "" }}
- "--access-log"
- "{{ .AccessLog}}"
{{ end }}
{{ if .AgentLabels }}
{{ range $j, $label := .AgentLabels }}
- "--agent-labels"
- "{{ $label }}"
{{ end }}
{{ end }}
{{ if ne .AllowLocalhost "" }}
- "--allow-localhost"
- "{{ .AllowLocalhost}}"
{{ end }}
{{ if .AutoIpv6NodeRoutes }}
- "--auto-ipv6-node-routes"
{{ end }}
{{ if ne .BPFRoot "" }}
- "--bpf-root"
- "{{ .BPFRoot }}"
{{ end }}
{{ if .ContainerRuntime }}
{{ range $j, $runtime:= .ContainerRuntime }}
- "--container-runtime"
- "{{ $runtime}}"
{{ end }}
{{ end }}
{{ if .ContainerRuntimeEndpoint }}
{{ range $runtime, $endpoint:= .ContainerRuntimeEndpoint }}
- "--container-runtime-endpoint={{ $runtime }}={{ $endpoint }}"
{{ end }}
{{ end }}
{{ if ne .Device "" }}
- "--device"
- "{{ .Device }}"
{{ end }}
{{ if .DisableConntrack }}
- "--disable-conntrack"
{{ end }}
{{ if .DisableIpv4 }}
- "--disable-ipv4"
{{ end }}
{{ if .DisableK8sServices }}
- "--disable-k8s-services"
{{ end }}
{{ if ne .EnablePolicy "" }}
- "--enable-policy"
- "{{ .EnablePolicy }}"
{{ end }}
{{ if .EnableTracing }}
- "--enable-tracing"
{{ end }}
{{ if ne .EnvoyLog "" }}
- "--envoy-log"
- "{{ .EnvoyLog }}"
{{ end }}
{{ if ne .Ipv4ClusterCIDRMaskSize 0 }}
- "--ipv4-cluster-cidr-mask-size"
- "{{ .Ipv4ClusterCIDRMaskSize }}"
{{ end }}
{{ if ne .Ipv4Node "" }}
- "--ipv4-node"
- "{{ .Ipv4Node }}"
{{ end }}
{{ if ne .Ipv4Range "" }}
- "--ipv4-range"
- "{{ .Ipv4Range }}"
{{ end }}
{{ if ne .Ipv4ServiceRange "" }}
- "--ipv4-service-range"
- "{{ .Ipv4ServiceRange }}"
{{ end }}
{{ if ne .Ipv6ClusterAllocCidr "" }}
- "--ipv6-cluster-alloc-cidr"
- "{{ .Ipv6ClusterAllocCidr }}"
{{ end }}
{{ if ne .Ipv6Node "" }}
- "--ipv6-node"
- "{{ .Ipv6Node }}"
{{ end }}
{{ if ne .Ipv6Range "" }}
- "--ipv6-range"
- "{{ .Ipv6Range }}"
{{ end }}
{{ if ne .Ipv6ServiceRange "" }}
- "--ipv6-service-range"
- "{{ .Ipv6ServiceRange }}"
{{ end }}
{{ if ne .K8sAPIServer "" }}
- "--k8s-api-server"
- "{{ .K8sAPIServer }}"
{{ end }}
{{ if ne .K8sKubeconfigPath "" }}
- "--k8s-kubeconfig-path"
- "{{ .K8sKubeconfigPath }}"
{{ end }}
{{ if .KeepBPFTemplates }}
- "--keep-bpf-templates"
{{ end }}
{{ if .KeepConfig }}
- "--keep-config"
{{ end }}
{{ if ne .LabelPrefixFile "" }}
- "--label-prefix-file"
- "{{ .LabelPrefixFile }}"
{{ end }}
{{ if .Labels }}
{{ range $j, $label := .Labels }}
- "--labels"
- "{{ $label }}"
{{ end }}
{{ end }}
{{ if ne .LB "" }}
- "--lb"
- "{{ .LB }}"
{{ end }}
{{ if ne .LibDir "" }}
- "--lib-dir"
- "{{ .LibDir }}"
{{ end }}
{{ if .LogDrivers }}
{{ range $j, $driver := .LogDrivers }}
- "--log-driver"
- "{{ $driver}}"
{{ end }}
{{ end }}
{{ if .LogOpt }}
{{ range $option, $value := .LogOpt }}
- "--log-opt={{ $option }}={{ $value }}"
{{ end }}
{{ end }}
{{ if .Logstash }}
- "--logstash"
{{ end }}
{{ if ne .LogstashAgent "" }}
- "--logstash-agent"
- "{{ .LogstashAgent }}"
{{ end }}
{{ if ne .LogstashProbeTimer 0 }}
- "--logstash-probe-timer"
- "{{ .LogstashProbeTimer }}"
{{ end }}
{{ if eq .DisableMasquerade true }}
- "--masquerade"
- "false"
{{ end }}
{{ if ne .Nat46Range "" }}
- "--nat46-range"
- "{{ .Nat46Range }}"
{{ end }}
{{ if .Pprof}}
- "--pprof"
{{ end }}
{{ if ne .PrefilterDevice "" }}
- "--prefilter-device"
- "{{ .PrefilterDevice }}"
{{ end }}
{{ if ne .PrometheusServeAddr "" }}
- "--prometheus-serve-addr"
- "{{ .PrometheusServeAddr }}"
{{ end }}
{{ if .Restore}}
- "--restore"
{{ end }}
{{ if .SingleClusterRoute}}
- "--single-cluster-route"
{{ end }}
{{ if ne .SocketPath "" }}
- "--socket-path"
- "{{ .SocketPath }}"
{{ end }}
{{ if ne .StateDir "" }}
- "--state-dir"
- "{{ .StateDir }}"
{{ end }}
{{ if ne .TracePayloadLen 0 }}
- "--trace-payloadlen"
- "{{ .TracePayloadLen}}"
{{ end }}
{{ if ne .Tunnel "" }}
- "--tunnel"
- "{{ .Tunnel }}"
{{ end }}
# end of `with .Networking.Cilium`
{{ end }}
- "--kvstore"
- "etcd"
- "--kvstore-opt"
- "etcd.config=/var/lib/etcd-config/etcd.config"
ports:
- name: prometheus
containerPort: 9090
lifecycle:
postStart:
exec:
command:
- "/cni-install.sh"
preStop:
exec:
command:
- "/cni-uninstall.sh"
env:
- name: "K8S_NODE_NAME"
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: "CILIUM_DEBUG"
valueFrom:
configMapKeyRef:
name: cilium-config
key: debug
- name: "DISABLE_IPV4"
valueFrom:
configMapKeyRef:
name: cilium-config
key: disable-ipv4
# Note: this variable is a no-op if not defined, and is used in the
# prometheus examples.
- name: "CILIUM_PROMETHEUS_SERVE_ADDR"
valueFrom:
configMapKeyRef:
name: cilium-metrics-config
optional: true
key: prometheus-serve-addr
livenessProbe:
exec:
command:
- cilium
- status
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
initialDelaySeconds: 120
failureThreshold: 10
periodSeconds: 10
readinessProbe:
exec:
command:
- cilium
- status
initialDelaySeconds: 5
periodSeconds: 5
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
- name: cilium-run
mountPath: /var/run/cilium
- name: cni-path
mountPath: /host/opt/cni/bin
- name: etc-cni-netd
mountPath: /host/etc/cni/net.d
- name: docker-socket
mountPath: /var/run/docker.sock
readOnly: true
- name: etcd-config-path
mountPath: /var/lib/etcd-config
readOnly: true
{{- if eq $etcd_scheme "https" }}
- name: etcd-secrets
mountPath: /var/lib/etcd-secrets
readOnly: true
{{- end }}
securityContext:
capabilities:
add:
- "NET_ADMIN"
privileged: true
hostNetwork: true
volumes:
# To keep state between restarts / upgrades
- name: cilium-run
hostPath:
path: /var/run/cilium
# To keep state between restarts / upgrades
- name: bpf-maps
hostPath:
path: /sys/fs/bpf
# To read docker events from the node
- name: docker-socket
hostPath:
path: /var/run/docker.sock
# To install cilium cni plugin in the host
- name: cni-path
hostPath:
path: /opt/cni/bin
# To install cilium cni configuration in the host
- name: etc-cni-netd
hostPath:
path: /etc/cni/net.d
# To read the etcd config stored in config maps
- name: etcd-config-path
configMap:
name: cilium-config
items:
- key: etcd-config
path: etcd.config
{{- if eq $etcd_scheme "https" }}
- name: etcd-secrets
hostPath:
path: /srv/kubernetes/calico
{{- end }}
tolerations:
- effect: NoSchedule
key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
# Mark cilium's pod as critical for rescheduling
- key: CriticalAddonsOnly
operator: "Exists"
- effect: NoExecute
operator: Exists
# Allow the pod to run on all nodes. This is required
# for cluster communication
- effect: NoSchedule
operator: Exists
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cilium
rules:
- apiGroups:
- "networking.k8s.io"
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- services
- nodes
- endpoints
- componentstatuses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- watch
- update
- apiGroups:
- extensions
resources:
- networkpolicies
- thirdpartyresources
- ingresses
verbs:
- create
- get
- list
- watch
- apiGroups:
- "apiextensions.k8s.io"
resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- update
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumendpoints
verbs:
- "*"
Reference in New Issue View Git Blame Copy Permalink