From 3e3dadb8b7b8680bdcea6da85a29f3aa7f862257 Mon Sep 17 00:00:00 2001 
From: Sidney Shiba Date: Tue, 17 Nov 2020 16:34:29 -0600 Subject: [PATCH] Azure provider integration - CAPZ Calico Azure does not currently support Calico networking. As a workaround, this patch set includes CAPZ Calico manifests that use VXLAN instead. The CAPZ Calico manifests are located under manifests/function/cni/calico-capz. Change-Id: Iadb2d5e10131e6a2df8cef49e2ec189ab948eeb9 --- .../function/cni/calico-capz/v3/README.md | 10 + .../cni/calico-capz/v3/calico-config.yaml | 51 ++ .../function/cni/calico-capz/v3/calico.yaml | 787 ++++++++++++++++++ ...pconfigurations.crd.projectcalico.org.yaml | 12 + .../crd/bgppeers.crd.projectcalico.org.yaml | 12 + ...blockaffinities.crd.projectcalico.org.yaml | 12 + ...terinformations.crd.projectcalico.org.yaml | 12 + ...xconfigurations.crd.projectcalico.org.yaml | 12 + ...networkpolicies.crd.projectcalico.org.yaml | 12 + ...obalnetworksets.crd.projectcalico.org.yaml | 12 + .../hostendpoints.crd.projectcalico.org.yaml | 12 + .../crd/ipamblocks.crd.projectcalico.org.yaml | 12 + .../ipamconfigs.crd.projectcalico.org.yaml | 12 + .../ipamhandles.crd.projectcalico.org.yaml | 12 + .../v3/crd/ippools.crd.projectcalico.org.yaml | 12 + .../cni/calico-capz/v3/crd/kustomization.yaml | 18 + ...networkpolicies.crd.projectcalico.org.yaml | 12 + .../networksets.crd.projectcalico.org.yaml | 12 + .../cni/calico-capz/v3/kube-controller.yaml | 52 ++ .../cni/calico-capz/v3/kustomization.yaml | 10 + .../function/cni/calico-capz/v3/node.yaml | 241 ++++++ .../v3/rbac/kube-controllers-role.yaml | 62 ++ .../kube-controllers-service-account.yaml | 6 + .../calico-capz/v3/rbac/kustomization.yaml | 7 + .../cni/calico-capz/v3/rbac/node-role.yaml | 146 ++++ .../v3/rbac/node-service-account.yaml | 6 + .../target/initinfra/kustomization.yaml | 2 +- 27 files changed, 1565 insertions(+), 1 deletion(-) create mode 100644 manifests/function/cni/calico-capz/v3/README.md create mode 100644 manifests/function/cni/calico-capz/v3/calico-config.yaml create mode 100644
manifests/function/cni/calico-capz/v3/calico.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/bgpconfigurations.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/bgppeers.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/blockaffinities.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/clusterinformations.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/felixconfigurations.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/globalnetworkpolicies.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/globalnetworksets.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/hostendpoints.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/ipamblocks.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/ipamconfigs.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/ipamhandles.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/ippools.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/kustomization.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/networkpolicies.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/crd/networksets.crd.projectcalico.org.yaml create mode 100644 manifests/function/cni/calico-capz/v3/kube-controller.yaml create mode 100644 manifests/function/cni/calico-capz/v3/kustomization.yaml create mode 100644 manifests/function/cni/calico-capz/v3/node.yaml create mode 100644 manifests/function/cni/calico-capz/v3/rbac/kube-controllers-role.yaml create mode 100644 manifests/function/cni/calico-capz/v3/rbac/kube-controllers-service-account.yaml create mode 100644 
manifests/function/cni/calico-capz/v3/rbac/kustomization.yaml create mode 100644 manifests/function/cni/calico-capz/v3/rbac/node-role.yaml create mode 100644 manifests/function/cni/calico-capz/v3/rbac/node-service-account.yaml
diff --git a/manifests/function/cni/calico-capz/v3/README.md b/manifests/function/cni/calico-capz/v3/README.md
new file mode 100644
index 000000000..6e0268bf8
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/README.md
@@ -0,0 +1,10 @@
+# Calico for Azure Target Cluster
+
+Azure does not currently support Calico networking. The reason is Azure does not allow traffic with unknown source IPs.
+As a workaround, it is recommended that Azure clusters use the Calico spec below that uses VXLAN.
+
+```bash
+https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-azure/master/templates/addons/calico.yaml
+```
+
+You can find more about Calico on Azure [here](https://docs.projectcalico.org/reference/public-cloud/azure).
diff --git a/manifests/function/cni/calico-capz/v3/calico-config.yaml b/manifests/function/cni/calico-capz/v3/calico-config.yaml
new file mode 100644
index 000000000..dcbfc428b
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/calico-config.yaml
@@ -0,0 +1,51 @@
+---
+# Source: calico/templates/calico-config.yaml
+# This ConfigMap is used to configure a self-hosted Calico installation.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: calico-config
+ namespace: kube-system
+data:
+ # Typha is disabled.
+ typha_service_name: "none"
+ # Configure the backend to use.
+ calico_backend: "vxlan"
+
+ # Configure the MTU to use
+ veth_mtu: "1440"
+
+ # The CNI network configuration to install on each node. The special
+ # values in this config will be automatically populated.
+ cni_network_config: |-
+ {
+ "name": "k8s-pod-network",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "calico",
+ "log_level": "info",
+ "datastore_type": "kubernetes",
+ "nodename": "__KUBERNETES_NODE_NAME__",
+ "mtu": __CNI_MTU__,
+ "ipam": {
+ "type": "calico-ipam"
+ },
+ "policy": {
+ "type": "k8s"
+ },
+ "kubernetes": {
+ "kubeconfig": "__KUBECONFIG_FILEPATH__"
+ }
+ },
+ {
+ "type": "portmap",
+ "snat": true,
+ "capabilities": {"portMappings": true}
+ },
+ {
+ "type": "bandwidth",
+ "capabilities": {"bandwidth": true}
+ }
+ ]
+ }
diff --git a/manifests/function/cni/calico-capz/v3/calico.yaml b/manifests/function/cni/calico-capz/v3/calico.yaml
new file mode 100644
index 000000000..e7987328a
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/calico.yaml
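Review bot: This ConfigMap is identical to the `calico-config` object that calico.yaml in the same commit also creates in `kube-system`; a kustomization that lists both files fails on a duplicate resource ID, and one that lists only one of them leaves the other copy to drift silently, so keep a single source of truth — the split file, since node.yaml and kube-controller.yaml are split out as well — and delete or clearly mark the copy in calico.yaml. I cannot see v3/kustomization.yaml in this view, so which file is actually applied is inferred from the diffstat. The VXLAN choice the commit message relies on is made here (`calico_backend: "vxlan"`) but only takes effect together with `CALICO_IPV4POOL_VXLAN` on the calico-node DaemonSet, so a comment tying them together would help, e.g. `# Must stay in sync with CALICO_IPV4POOL_VXLAN=Always on the calico-node DaemonSet.` The `veth_mtu: "1440"` also deserves a comment: with VXLAN over a 1500-byte Azure VM MTU the usual figure is 1450, so a reader needs to know whether the extra 10 bytes of headroom are deliberate.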
@@ -0,0 +1,787 @@ +--- +# Source: calico/templates/calico-config.yaml +# This ConfigMap is used to configure a self-hosted Calico installation. +kind: ConfigMap +apiVersion: v1 +metadata: + name: calico-config + namespace: kube-system +data: + # Typha is disabled. + typha_service_name: "none" + # Configure the backend to use. + calico_backend: "vxlan" + + # Configure the MTU to use + veth_mtu: "1440" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. + cni_network_config: |- + { + "name": "k8s-pod-network", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "calico", + "log_level": "info", + "datastore_type": "kubernetes", + "nodename": "__KUBERNETES_NODE_NAME__", + "mtu": __CNI_MTU__, + "ipam": { + "type": "calico-ipam" + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "__KUBECONFIG_FILEPATH__" + } + }, + { + "type": "portmap", + "snat": true, + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + +--- +# # Source: calico/templates/kdd-crds.yaml +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: felixconfigurations.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: FelixConfiguration +# plural: felixconfigurations +# singular: felixconfiguration +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: ipamblocks.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: IPAMBlock +# plural: ipamblocks +# singular: ipamblock + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: blockaffinities.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: 
BlockAffinity +# plural: blockaffinities +# singular: blockaffinity + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: ipamhandles.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: IPAMHandle +# plural: ipamhandles +# singular: ipamhandle + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: ipamconfigs.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: IPAMConfig +# plural: ipamconfigs +# singular: ipamconfig + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: bgppeers.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: BGPPeer +# plural: bgppeers +# singular: bgppeer + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: bgpconfigurations.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: BGPConfiguration +# plural: bgpconfigurations +# singular: bgpconfiguration + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: ippools.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: IPPool +# plural: ippools +# singular: ippool + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: hostendpoints.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: HostEndpoint +# plural: hostendpoints +# singular: hostendpoint + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: 
clusterinformations.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: ClusterInformation +# plural: clusterinformations +# singular: clusterinformation + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: globalnetworkpolicies.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: GlobalNetworkPolicy +# plural: globalnetworkpolicies +# singular: globalnetworkpolicy + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: globalnetworksets.crd.projectcalico.org +# spec: +# scope: Cluster +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: GlobalNetworkSet +# plural: globalnetworksets +# singular: globalnetworkset + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: networkpolicies.crd.projectcalico.org +# spec: +# scope: Namespaced +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: NetworkPolicy +# plural: networkpolicies +# singular: networkpolicy + +# --- + +# apiVersion: apiextensions.k8s.io/v1beta1 +# kind: CustomResourceDefinition +# metadata: +# name: networksets.crd.projectcalico.org +# spec: +# scope: Namespaced +# group: crd.projectcalico.org +# version: v1 +# names: +# kind: NetworkSet +# plural: networksets +# singular: networkset +# --- +# Source: calico/templates/rbac.yaml + +# # Include a clusterrole for the kube-controllers component, +# # and bind it to the calico-kube-controllers serviceaccount. +# kind: ClusterRole +# apiVersion: rbac.authorization.k8s.io/v1 +# metadata: +# name: calico-kube-controllers +# rules: +# # Nodes are watched to monitor for deletions. +# - apiGroups: [""] +# resources: +# - nodes +# verbs: +# - watch +# - list +# - get +# # Pods are queried to check for existence. 
+# - apiGroups: [""] +# resources: +# - pods +# verbs: +# - get +# # IPAM resources are manipulated when nodes are deleted. +# - apiGroups: ["crd.projectcalico.org"] +# resources: +# - ippools +# verbs: +# - list +# - apiGroups: ["crd.projectcalico.org"] +# resources: +# - blockaffinities +# - ipamblocks +# - ipamhandles +# verbs: +# - get +# - list +# - create +# - update +# - delete +# # Needs access to update clusterinformations. +# - apiGroups: ["crd.projectcalico.org"] +# resources: +# - clusterinformations +# verbs: +# - get +# - create +# - update +# --- +# kind: ClusterRoleBinding +# apiVersion: rbac.authorization.k8s.io/v1 +# metadata: +# name: calico-kube-controllers +# roleRef: +# apiGroup: rbac.authorization.k8s.io +# kind: ClusterRole +# name: calico-kube-controllers +# subjects: +# - kind: ServiceAccount +# name: calico-kube-controllers +# namespace: kube-system +--- +# # Include a clusterrole for the calico-node DaemonSet, +# # and bind it to the calico-node serviceaccount. +# kind: ClusterRole +# apiVersion: rbac.authorization.k8s.io/v1 +# metadata: +# name: calico-node +# rules: +# # The CNI plugin needs to get pods, nodes, and namespaces. +# - apiGroups: [""] +# resources: +# - pods +# - nodes +# - namespaces +# verbs: +# - get +# - apiGroups: [""] +# resources: +# - endpoints +# - services +# verbs: +# # Used to discover service IPs for advertisement. +# - watch +# - list +# # Used to discover Typhas. +# - get +# - apiGroups: [""] +# resources: +# - nodes/status +# verbs: +# # Needed for clearing NodeNetworkUnavailable flag. +# - patch +# # Calico stores some configuration information in node annotations. +# - update +# # Watch for changes to Kubernetes NetworkPolicies. +# - apiGroups: ["networking.k8s.io"] +# resources: +# - networkpolicies +# verbs: +# - watch +# - list +# # Used by Calico for policy information. 
+# - apiGroups: [""] +# resources: +# - pods +# - namespaces +# - serviceaccounts +# verbs: +# - list +# - watch +# # The CNI plugin patches pods/status. +# - apiGroups: [""] +# resources: +# - pods/status +# verbs: +# - patch +# # Calico monitors various CRDs for config. +# - apiGroups: ["crd.projectcalico.org"] +# resources: +# - globalfelixconfigs +# - felixconfigurations +# - bgppeers +# - globalbgpconfigs +# - bgpconfigurations +# - ippools +# - ipamblocks +# - globalnetworkpolicies +# - globalnetworksets +# - networkpolicies +# - networksets +# - clusterinformations +# - hostendpoints +# - blockaffinities +# verbs: +# - get +# - list +# - watch +# # Calico must create and update some CRDs on startup. +# - apiGroups: ["crd.projectcalico.org"] +# resources: +# - ippools +# - felixconfigurations +# - clusterinformations +# verbs: +# - create +# - update +# # Calico stores some configuration information on the node. +# - apiGroups: [""] +# resources: +# - nodes +# verbs: +# - get +# - list +# - watch +# # These permissions are only requried for upgrade from v2.6, and can +# # be removed after upgrade or on fresh installations. +# - apiGroups: ["crd.projectcalico.org"] +# resources: +# - bgpconfigurations +# - bgppeers +# verbs: +# - create +# - update +# # These permissions are required for Calico CNI to perform IPAM allocations. +# - apiGroups: ["crd.projectcalico.org"] +# resources: +# - blockaffinities +# - ipamblocks +# - ipamhandles +# verbs: +# - get +# - list +# - create +# - update +# - delete +# - apiGroups: ["crd.projectcalico.org"] +# resources: +# - ipamconfigs +# verbs: +# - get +# # Block affinities must also be watchable by confd for route aggregation. +# - apiGroups: ["crd.projectcalico.org"] +# resources: +# - blockaffinities +# verbs: +# - watch +# # The Calico IPAM migration needs to get daemonsets. These permissions can be +# # removed if not upgrading from an installation using host-local IPAM. 
+# - apiGroups: ["apps"] +# resources: +# - daemonsets +# verbs: +# - get +# --- +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: ClusterRoleBinding +# metadata: +# name: calico-node +# roleRef: +# apiGroup: rbac.authorization.k8s.io +# kind: ClusterRole +# name: calico-node +# subjects: +# - kind: ServiceAccount +# name: calico-node +# namespace: kube-system + +--- +# Source: calico/templates/calico-node.yaml +# This manifest installs the calico-node container, as well +# as the CNI plugins and network config on +# each master and worker node in a Kubernetes cluster. +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: calico-node + namespace: kube-system + labels: + k8s-app: calico-node +spec: + selector: + matchLabels: + k8s-app: calico-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + k8s-app: calico-node + annotations: + # This, along with the CriticalAddonsOnly toleration below, + # marks the pod as a critical add-on, ensuring it gets + # priority scheduling and that its resources are reserved + # if it ever gets evicted. + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + nodeSelector: + kubernetes.io/os: linux + hostNetwork: true + tolerations: + # Make sure calico-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: calico-node + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 0 + priorityClassName: system-node-critical + initContainers: + # This container performs upgrade from host-local IPAM to calico-ipam. + # It can be deleted if this is a fresh installation, or if you have already + # upgraded to use calico-ipam. 
+ - name: upgrade-ipam + image: calico/cni:v3.12.1 + command: ["/opt/cni/bin/calico-ipam", "-upgrade"] + env: + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CALICO_NETWORKING_BACKEND + valueFrom: + configMapKeyRef: + name: calico-config + key: calico_backend + volumeMounts: + - mountPath: /var/lib/cni/networks + name: host-local-net-dir + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + securityContext: + privileged: true + # This container installs the CNI binaries + # and CNI network config file on each node. + - name: install-cni + image: calico/cni:v3.12.1 + command: ["/install-cni.sh"] + env: + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "10-calico.conflist" + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: calico-config + key: cni_network_config + # Set the hostname based on the k8s node name. + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # CNI MTU Config variable + - name: CNI_MTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # Prevents the container from sleeping forever. + - name: SLEEP + value: "false" + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + securityContext: + privileged: true + # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes + # to communicate with Felix over the Policy Sync API. + - name: flexvol-driver + image: calico/pod2daemon-flexvol:v3.12.1 + volumeMounts: + - name: flexvol-driver-host + mountPath: /host/driver + securityContext: + privileged: true + containers: + # Runs calico-node container on each Kubernetes node. This + # container programs network policy and routes on each + # host. + - name: calico-node + image: calico/node:v3.12.1 + env: + # Use Kubernetes API as the backing datastore. 
+ - name: DATASTORE_TYPE + value: "kubernetes" + # Wait for the datastore. + - name: WAIT_FOR_DATASTORE + value: "true" + # Set based on the k8s node name. + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Choose the backend to use. + - name: CALICO_NETWORKING_BACKEND + valueFrom: + configMapKeyRef: + name: calico-config + key: calico_backend + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE + value: "k8s,bgp" + # Auto-detect the BGP IP address. + - name: IP + value: "autodetect" + # Enable VXLAN + - name: CALICO_IPV4POOL_VXLAN + value: "Always" + # The default IPv4 pool to create on startup if none exists. Pod IPs will be + # chosen from this range. Changing this value after installation will have + # no effect. This should fall within `--cluster-cidr`. + - name: CALICO_IPV4POOL_CIDR + value: "192.168.0.0/16" + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + # Set Felix endpoint to host default action to ACCEPT. + - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: "ACCEPT" + # Disable IPv6 on Kubernetes. + - name: FELIX_IPV6SUPPORT + value: "false" + # Set Felix logging to "info" + - name: FELIX_LOGSEVERITYSCREEN + value: "info" + - name: FELIX_HEALTHENABLED + value: "true" + securityContext: + privileged: true + resources: + requests: + cpu: 250m + livenessProbe: + exec: + command: + - /bin/calico-node + - -felix-live + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + readinessProbe: + exec: + command: + - /bin/calico-node + - -felix-ready + periodSeconds: 10 + volumeMounts: + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false + - name: policysync + mountPath: /var/run/nodeagent + volumes: + # Used by calico-node. 
+ - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + # Mount in the directory for host-local IPAM allocations. This is + # used when upgrading from host-local to calico-ipam, and can be removed + # if not using the upgrade-ipam init container. + - name: host-local-net-dir + hostPath: + path: /var/lib/cni/networks + # Used to create per-pod Unix Domain Sockets + - name: policysync + hostPath: + type: DirectoryOrCreate + path: /var/run/nodeagent + # Used to install Flex Volume Driver + - name: flexvol-driver-host + hostPath: + type: DirectoryOrCreate + path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds +--- + +# apiVersion: v1 +# kind: ServiceAccount +# metadata: +# name: calico-node +# namespace: kube-system + +--- +# Source: calico/templates/calico-kube-controllers.yaml + +# See https://github.com/projectcalico/kube-controllers +apiVersion: apps/v1 +kind: Deployment +metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers +spec: + # The controllers can only have a single active instance. + replicas: 1 + selector: + matchLabels: + k8s-app: calico-kube-controllers + strategy: + type: Recreate + template: + metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. 
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ serviceAccountName: calico-kube-controllers
+ priorityClassName: system-cluster-critical
+ containers:
+ - name: calico-kube-controllers
+ image: calico/kube-controllers:v3.12.1
+ env:
+ # Choose which controllers to run.
+ - name: ENABLED_CONTROLLERS
+ value: node
+ - name: DATASTORE_TYPE
+ value: kubernetes
+ readinessProbe:
+ exec:
+ command:
+ - /usr/bin/check-status
+ - -r
+
+---
+
+# apiVersion: v1
+# kind: ServiceAccount
+# metadata:
+# name: calico-kube-controllers
+# namespace: kube-system
+---
+# Source: calico/templates/calico-etcd-secrets.yaml
+
+---
+# Source: calico/templates/calico-typha.yaml
+
+---
+# Source: calico/templates/configure-canal.yaml
+
diff --git a/manifests/function/cni/calico-capz/v3/crd/bgpconfigurations.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/bgpconfigurations.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..297768c4f
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/bgpconfigurations.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: bgpconfigurations.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: BGPConfiguration
+ plural: bgpconfigurations
+ singular: bgpconfiguration
diff --git a/manifests/function/cni/calico-capz/v3/crd/bgppeers.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/bgppeers.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..7e4ded15b
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/bgppeers.crd.projectcalico.org.yaml
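Review bot: `FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT"` on the calico-node container makes Felix accept any workload-to-host traffic that no policy matches, which is weaker than Felix's own default (DROP) and sidesteps host-endpoint policy; if the intent is only to let the node's own iptables rules decide, `RETURN` does that without a blanket accept, and either way the choice needs a comment such as `# ACCEPT lets pods reach the node with no Calico host policy; move to RETURN/DROP once HostEndpoints exist`. The `upgrade-ipam` init container runs privileged with `/var/lib/cni/networks` and `/opt/cni/bin` mounted even though its own comment says it is only needed when migrating from host-local IPAM, so on freshly created CAPZ clusters it is attack surface for no benefit and can go together with the `host-local-net-dir` volume. All four images are pulled from Docker Hub by the mutable tag `v3.12.1`; pinning by digest (`image: calico/node:v3.12.1@sha256:...`) is the usual supply-chain control for a component that runs privileged on every node. `CLUSTER_TYPE: "k8s,bgp"` contradicts the `calico_backend: "vxlan"` set at the top of this file, and `CALICO_IPV4POOL_CIDR: "192.168.0.0/16"` is the upstream default that must match the CAPZ cluster's pod CIDR and not overlap the Azure VNet — the cluster template is not in this view, so treat that as a check rather than a finding. Note also that the live ConfigMap, DaemonSet and Deployment here duplicate the split calico-config.yaml, node.yaml and kube-controller.yaml added by the same commit, so only one copy should ever be listed in a kustomization.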
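Review bot: All fourteen CRDs this commit adds (this file and its thirteen siblings) are `apiextensions.k8s.io/v1beta1` with no `validation` schema and no `preserveUnknownFields: false`, so the API server stores whatever document is posted as a BGPConfiguration, GlobalNetworkPolicy and so on without validating it, and `v1beta1` CRDs are refused outright by Kubernetes 1.22 and later, which would break this provider integration on newer clusters. They match the CRD stubs commented out under `# Source: calico/templates/kdd-crds.yaml` in calico.yaml, so they appear to be vendored from the Calico 3.12 manifest; if the target Kubernetes version allows, regenerate them from a Calico release that ships `apiextensions.k8s.io/v1` CRDs with OpenAPI schemas, and otherwise add a header such as `# Vendored from Calico v3.12.1 kdd-crds.yaml; apiextensions v1beta1 is removed in Kubernetes 1.22` so the constraint is visible. The other thirteen CRD hunks differ only in names and scope, so this applies to each of them.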
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: bgppeers.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: BGPPeer
+ plural: bgppeers
+ singular: bgppeer
diff --git a/manifests/function/cni/calico-capz/v3/crd/blockaffinities.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/blockaffinities.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..27fcb0543
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/blockaffinities.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: blockaffinities.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: BlockAffinity
+ plural: blockaffinities
+ singular: blockaffinity
diff --git a/manifests/function/cni/calico-capz/v3/crd/clusterinformations.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/clusterinformations.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..d8557c835
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/clusterinformations.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterinformations.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: ClusterInformation
+ plural: clusterinformations
+ singular: clusterinformation
diff --git a/manifests/function/cni/calico-capz/v3/crd/felixconfigurations.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/felixconfigurations.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..80e962157
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/felixconfigurations.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: felixconfigurations.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: FelixConfiguration
+ plural: felixconfigurations
+ singular: felixconfiguration
diff --git a/manifests/function/cni/calico-capz/v3/crd/globalnetworkpolicies.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/globalnetworkpolicies.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..8b3d86926
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/globalnetworkpolicies.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: globalnetworkpolicies.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: GlobalNetworkPolicy
+ plural: globalnetworkpolicies
+ singular: globalnetworkpolicy
diff --git a/manifests/function/cni/calico-capz/v3/crd/globalnetworksets.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/globalnetworksets.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..5fc643c87
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/globalnetworksets.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: globalnetworksets.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: GlobalNetworkSet
+ plural: globalnetworksets
+ singular: globalnetworkset
diff --git a/manifests/function/cni/calico-capz/v3/crd/hostendpoints.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/hostendpoints.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..a14edcddf
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/hostendpoints.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: hostendpoints.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: HostEndpoint
+ plural: hostendpoints
+ singular: hostendpoint
diff --git a/manifests/function/cni/calico-capz/v3/crd/ipamblocks.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/ipamblocks.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..d2879ac00
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/ipamblocks.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ipamblocks.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: IPAMBlock
+ plural: ipamblocks
+ singular: ipamblock
diff --git a/manifests/function/cni/calico-capz/v3/crd/ipamconfigs.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/ipamconfigs.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..7277b47ff
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/ipamconfigs.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ipamconfigs.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: IPAMConfig
+ plural: ipamconfigs
+ singular: ipamconfig
diff --git a/manifests/function/cni/calico-capz/v3/crd/ipamhandles.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/ipamhandles.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..9d53a86d2
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/ipamhandles.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ipamhandles.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: IPAMHandle
+ plural: ipamhandles
+ singular: ipamhandle
diff --git a/manifests/function/cni/calico-capz/v3/crd/ippools.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/ippools.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..86fe3e94c
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/ippools.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ippools.crd.projectcalico.org
+spec:
+ scope: Cluster
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: IPPool
+ plural: ippools
+ singular: ippool
diff --git a/manifests/function/cni/calico-capz/v3/crd/kustomization.yaml b/manifests/function/cni/calico-capz/v3/crd/kustomization.yaml
new file mode 100644
index 000000000..c8a24b276
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: calico
+resources:
+- felixconfigurations.crd.projectcalico.org.yaml
+- ipamblocks.crd.projectcalico.org.yaml
+- blockaffinities.crd.projectcalico.org.yaml
+- ipamhandles.crd.projectcalico.org.yaml
+- ipamconfigs.crd.projectcalico.org.yaml
+- bgppeers.crd.projectcalico.org.yaml
+- bgpconfigurations.crd.projectcalico.org.yaml
+- ippools.crd.projectcalico.org.yaml
+- hostendpoints.crd.projectcalico.org.yaml
+- clusterinformations.crd.projectcalico.org.yaml
+- globalnetworkpolicies.crd.projectcalico.org.yaml
+- globalnetworksets.crd.projectcalico.org.yaml
+- networkpolicies.crd.projectcalico.org.yaml
+- networksets.crd.projectcalico.org.yaml
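Review bot: `namespace: calico` in crd/kustomization.yaml has no effect on anything it lists, because a CustomResourceDefinition object is cluster-scoped and kustomize does not namespace it, while the workloads and bindings elsewhere in this patch live in `kube-system`; a reader will go looking for a `calico` namespace that is never created. Deleting the `namespace: calico` line removes the misleading hint without changing the rendered output. If the intent was to later namespace Calico `NetworkPolicy`/`NetworkSet` objects, that belongs in the overlay that creates them, not in the CRD base.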
diff --git a/manifests/function/cni/calico-capz/v3/crd/networkpolicies.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/networkpolicies.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..47f542fad
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/networkpolicies.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: networkpolicies.crd.projectcalico.org
+spec:
+ scope: Namespaced
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: NetworkPolicy
+ plural: networkpolicies
+ singular: networkpolicy
diff --git a/manifests/function/cni/calico-capz/v3/crd/networksets.crd.projectcalico.org.yaml b/manifests/function/cni/calico-capz/v3/crd/networksets.crd.projectcalico.org.yaml
new file mode 100644
index 000000000..d6e6772c3
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/crd/networksets.crd.projectcalico.org.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: networksets.crd.projectcalico.org
+spec:
+ scope: Namespaced
+ group: crd.projectcalico.org
+ version: v1
+ names:
+ kind: NetworkSet
+ plural: networksets
+ singular: networkset
diff --git a/manifests/function/cni/calico-capz/v3/kube-controller.yaml b/manifests/function/cni/calico-capz/v3/kube-controller.yaml
new file mode 100644
index 000000000..c13e91d22
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/kube-controller.yaml
@@ -0,0 +1,52 @@
+---
+# Source: calico/templates/calico-kube-controllers.yaml
+
+# See https://github.com/projectcalico/kube-controllers
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: calico-kube-controllers
+ namespace: kube-system
+ labels:
+ k8s-app: calico-kube-controllers
+spec:
+ # The controllers can only have a single active instance.
+ replicas: 1
+ selector:
+ matchLabels:
+ k8s-app: calico-kube-controllers
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ name: calico-kube-controllers
+ namespace: kube-system
+ labels:
+ k8s-app: calico-kube-controllers
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ nodeSelector:
+ kubernetes.io/os: linux
+ tolerations:
+ # Mark the pod as a critical add-on for rescheduling.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ serviceAccountName: calico-kube-controllers
+ priorityClassName: system-cluster-critical
+ containers:
+ - name: calico-kube-controllers
+ image: calico/kube-controllers:v3.12.1
+ env:
+ # Choose which controllers to run.
+ - name: ENABLED_CONTROLLERS
+ value: node
+ - name: DATASTORE_TYPE
+ value: kubernetes
+ readinessProbe:
+ exec:
+ command:
+ - /usr/bin/check-status
+ - -r
diff --git a/manifests/function/cni/calico-capz/v3/kustomization.yaml b/manifests/function/cni/calico-capz/v3/kustomization.yaml
new file mode 100644
index 000000000..832102a64
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+ - crd
+ - rbac
+resources:
+ # - calico.yaml
+ - kube-controller.yaml
+ - node.yaml
+ - calico-config.yaml
diff --git a/manifests/function/cni/calico-capz/v3/node.yaml b/manifests/function/cni/calico-capz/v3/node.yaml
new file mode 100644
index 000000000..45a3687ad
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/node.yaml
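Review bot: The `calico-kube-controllers` container is pulled by mutable tag (`image: calico/kube-controllers:v3.12.1`) from the implicit Docker Hub registry and declares no `securityContext` and no resource limits, so a re-pushed tag changes what runs in `kube-system` with no manifest change, and nothing bounds the controller's footprint. Pinning the image by digest and adding a restrictive container security context as below would tighten this; whether the v3.12.1 image already runs as a non-root user should be confirmed before `runAsNonRoot: true` is turned on, and the readiness check `/usr/bin/check-status -r` reads a status file the controller writes, so a read-only root filesystem would need a writable volume for it. The `scheduler.alpha.kubernetes.io/critical-pod: ''` annotation is deprecated and redundant with the `priorityClassName: system-cluster-critical` set a few lines below it.
```yaml
      containers:
        - name: calico-kube-controllers
          # Pin by digest as well as tag; the tag alone is mutable.
          # Take the digest from the Calico v3.12.1 release before merging.
          image: calico/kube-controllers:v3.12.1@sha256:<release-digest>
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # runAsNonRoot: true  # enable once the image's default user is confirmed non-root
          # … unchanged: env, readinessProbe …
```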
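Review bot: The commented-out `# - calico.yaml` under `resources:` in kustomization.yaml appears to point at a second, unapplied copy of the Calico manifest next to the split files, which means two places to patch when an image or RBAC fix lands and an invitation to uncomment it and apply both. Either remove the monolithic file together with the comment, or state which copy is authoritative, e.g. replace the comment with `# calico.yaml is the unsplit upstream reference only; never apply it alongside the resources below.` The `bases:` key is also deprecated in kustomize in favour of listing `crd` and `rbac` under `resources:`.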
@@ -0,0 +1,241 @@
+---
+# Source: calico/templates/calico-node.yaml
+# This manifest installs the calico-node container, as well
+# as the CNI plugins and network config on
+# each master and worker node in a Kubernetes cluster.
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: calico-node
+ namespace: kube-system
+ labels:
+ k8s-app: calico-node
+spec:
+ selector:
+ matchLabels:
+ k8s-app: calico-node
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+ template:
+ metadata:
+ labels:
+ k8s-app: calico-node
+ annotations:
+ # This, along with the CriticalAddonsOnly toleration below,
+ # marks the pod as a critical add-on, ensuring it gets
+ # priority scheduling and that its resources are reserved
+ # if it ever gets evicted.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ nodeSelector:
+ kubernetes.io/os: linux
+ hostNetwork: true
+ tolerations:
+ # Make sure calico-node gets scheduled on all nodes.
+ - effect: NoSchedule
+ operator: Exists
+ # Mark the pod as a critical add-on for rescheduling.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ serviceAccountName: calico-node
+ # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+ # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+ terminationGracePeriodSeconds: 0
+ priorityClassName: system-node-critical
+ initContainers:
+ # This container performs upgrade from host-local IPAM to calico-ipam.
+ # It can be deleted if this is a fresh installation, or if you have already
+ # upgraded to use calico-ipam.
+ - name: upgrade-ipam
+ image: calico/cni:v3.12.1
+ command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
+ env:
+ - name: KUBERNETES_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: CALICO_NETWORKING_BACKEND
+ valueFrom:
+ configMapKeyRef:
+ name: calico-config
+ key: calico_backend
+ volumeMounts:
+ - mountPath: /var/lib/cni/networks
+ name: host-local-net-dir
+ - mountPath: /host/opt/cni/bin
+ name: cni-bin-dir
+ securityContext:
+ privileged: true
+ # This container installs the CNI binaries
+ # and CNI network config file on each node.
+ - name: install-cni
+ image: calico/cni:v3.12.1
+ command: ["/install-cni.sh"]
+ env:
+ # Name of the CNI config file to create.
+ - name: CNI_CONF_NAME
+ value: "10-calico.conflist"
+ # The CNI network config to install on each node.
+ - name: CNI_NETWORK_CONFIG
+ valueFrom:
+ configMapKeyRef:
+ name: calico-config
+ key: cni_network_config
+ # Set the hostname based on the k8s node name.
+ - name: KUBERNETES_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # CNI MTU Config variable
+ - name: CNI_MTU
+ valueFrom:
+ configMapKeyRef:
+ name: calico-config
+ key: veth_mtu
+ # Prevents the container from sleeping forever.
+ - name: SLEEP
+ value: "false"
+ volumeMounts:
+ - mountPath: /host/opt/cni/bin
+ name: cni-bin-dir
+ - mountPath: /host/etc/cni/net.d
+ name: cni-net-dir
+ securityContext:
+ privileged: true
+ # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
+ # to communicate with Felix over the Policy Sync API.
+ - name: flexvol-driver
+ image: calico/pod2daemon-flexvol:v3.12.1
+ volumeMounts:
+ - name: flexvol-driver-host
+ mountPath: /host/driver
+ securityContext:
+ privileged: true
+ containers:
+ # Runs calico-node container on each Kubernetes node. This
+ # container programs network policy and routes on each
+ # host.
+ - name: calico-node
+ image: calico/node:v3.12.1
+ env:
+ # Use Kubernetes API as the backing datastore.
+ - name: DATASTORE_TYPE
+ value: "kubernetes"
+ # Wait for the datastore.
+ - name: WAIT_FOR_DATASTORE
+ value: "true"
+ # Set based on the k8s node name.
+ - name: NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # Choose the backend to use.
+ - name: CALICO_NETWORKING_BACKEND
+ valueFrom:
+ configMapKeyRef:
+ name: calico-config
+ key: calico_backend
+ # Cluster type to identify the deployment type
+ - name: CLUSTER_TYPE
+ value: "k8s,bgp"
+ # Auto-detect the BGP IP address.
+ - name: IP
+ value: "autodetect"
+ # Enable VXLAN
+ - name: CALICO_IPV4POOL_VXLAN
+ value: "Always"
+ # The default IPv4 pool to create on startup if none exists. Pod IPs will be
+ # chosen from this range. Changing this value after installation will have
+ # no effect. This should fall within `--cluster-cidr`.
+ - name: CALICO_IPV4POOL_CIDR
+ value: "192.168.0.0/16"
+ # Disable file logging so `kubectl logs` works.
+ - name: CALICO_DISABLE_FILE_LOGGING
+ value: "true"
+ # Set Felix endpoint to host default action to ACCEPT.
+ - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+ value: "ACCEPT"
+ # Disable IPv6 on Kubernetes.
+ - name: FELIX_IPV6SUPPORT
+ value: "false"
+ # Set Felix logging to "info"
+ - name: FELIX_LOGSEVERITYSCREEN
+ value: "info"
+ - name: FELIX_HEALTHENABLED
+ value: "true"
+ securityContext:
+ privileged: true
+ resources:
+ requests:
+ cpu: 250m
+ livenessProbe:
+ exec:
+ command:
+ - /bin/calico-node
+ - -felix-live
+ periodSeconds: 10
+ initialDelaySeconds: 10
+ failureThreshold: 6
+ readinessProbe:
+ exec:
+ command:
+ - /bin/calico-node
+ - -felix-ready
+ periodSeconds: 10
+ volumeMounts:
+ - mountPath: /lib/modules
+ name: lib-modules
+ readOnly: true
+ - mountPath: /run/xtables.lock
+ name: xtables-lock
+ readOnly: false
+ - mountPath: /var/run/calico
+ name: var-run-calico
+ readOnly: false
+ - mountPath: /var/lib/calico
+ name: var-lib-calico
+ readOnly: false
+ - name: policysync
+ mountPath: /var/run/nodeagent
+ volumes:
+ # Used by calico-node.
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: var-run-calico
+ hostPath:
+ path: /var/run/calico
+ - name: var-lib-calico
+ hostPath:
+ path: /var/lib/calico
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+ # Used to install CNI.
+ - name: cni-bin-dir
+ hostPath:
+ path: /opt/cni/bin
+ - name: cni-net-dir
+ hostPath:
+ path: /etc/cni/net.d
+ # Mount in the directory for host-local IPAM allocations. This is
+ # used when upgrading from host-local to calico-ipam, and can be removed
+ # if not using the upgrade-ipam init container.
+ - name: host-local-net-dir
+ hostPath:
+ path: /var/lib/cni/networks
+ # Used to create per-pod Unix Domain Sockets
+ - name: policysync
+ hostPath:
+ type: DirectoryOrCreate
+ path: /var/run/nodeagent
+ # Used to install Flex Volume Driver
+ - name: flexvol-driver-host
+ hostPath:
+ type: DirectoryOrCreate
+ path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
diff --git a/manifests/function/cni/calico-capz/v3/rbac/kube-controllers-role.yaml b/manifests/function/cni/calico-capz/v3/rbac/kube-controllers-role.yaml
new file mode 100644
index 000000000..bb37a43eb
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/rbac/kube-controllers-role.yaml
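Review bot: On a freshly provisioned CAPZ cluster the `upgrade-ipam` and `flexvol-driver` init containers are dead weight that still run `privileged: true` with write access to `/var/lib/cni/networks` and to the kubelet plugin directory `/usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds`; the manifest's own comment says `upgrade-ipam` can be deleted on a fresh installation, and the flex-volume driver is only described as serving Dikastes over the Policy Sync API, which nothing in this patch configures. Dropping those two init containers together with the `host-local-net-dir`, `policysync` and `flexvol-driver-host` volumes (and the `policysync` mount in `calico-node`) reduces the host surface this DaemonSet touches. `FELIX_DEFAULTENDPOINTTOHOSTACTION: "ACCEPT"` also deserves a why-comment, since it accepts workload-to-host traffic outright rather than deferring to the node's own INPUT rules (`RETURN`) or Felix's default (`DROP`) — presumably kept for parity with the upstream manifest, worth confirming. The `calico/cni`, `calico/node` and `calico/pod2daemon-flexvol` images are all pulled by mutable tag; pinning them by digest alongside the tag would make the node-level attack surface reproducible.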
@@ -0,0 +1,62 @@
+---
+# Source: calico/templates/rbac.yaml
+
+# Include a clusterrole for the kube-controllers component,
+# and bind it to the calico-kube-controllers serviceaccount.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: calico-kube-controllers
+rules:
+ # Nodes are watched to monitor for deletions.
+ - apiGroups: [""]
+ resources:
+ - nodes
+ verbs:
+ - watch
+ - list
+ - get
+ # Pods are queried to check for existence.
+ - apiGroups: [""]
+ resources:
+ - pods
+ verbs:
+ - get
+ # IPAM resources are manipulated when nodes are deleted.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - ippools
+ verbs:
+ - list
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - blockaffinities
+ - ipamblocks
+ - ipamhandles
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ # Needs access to update clusterinformations.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - clusterinformations
+ verbs:
+ - get
+ - create
+ - update
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: calico-kube-controllers
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-kube-controllers
+subjects:
+- kind: ServiceAccount
+ name: calico-kube-controllers
+ namespace: kube-system
diff --git a/manifests/function/cni/calico-capz/v3/rbac/kube-controllers-service-account.yaml b/manifests/function/cni/calico-capz/v3/rbac/kube-controllers-service-account.yaml
new file mode 100644
index 000000000..269d0a14d
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/rbac/kube-controllers-service-account.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-kube-controllers
+ namespace: kube-system
diff --git a/manifests/function/cni/calico-capz/v3/rbac/kustomization.yaml b/manifests/function/cni/calico-capz/v3/rbac/kustomization.yaml
new file mode 100644
index 000000000..185d9f3d6
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/rbac/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - kube-controllers-role.yaml
+ - kube-controllers-service-account.yaml
+ - node-role.yaml
+ - node-service-account.yaml
diff --git a/manifests/function/cni/calico-capz/v3/rbac/node-role.yaml b/manifests/function/cni/calico-capz/v3/rbac/node-role.yaml
new file mode 100644
index 000000000..f568f0924
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/rbac/node-role.yaml
@@ -0,0 +1,146 @@
+---
+# Include a clusterrole for the calico-node DaemonSet,
+# and bind it to the calico-node serviceaccount.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: calico-node
+rules:
+ # The CNI plugin needs to get pods, nodes, and namespaces.
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ - namespaces
+ verbs:
+ - get
+ - apiGroups: [""]
+ resources:
+ - endpoints
+ - services
+ verbs:
+ # Used to discover service IPs for advertisement.
+ - watch
+ - list
+ # Used to discover Typhas.
+ - get
+ - apiGroups: [""]
+ resources:
+ - nodes/status
+ verbs:
+ # Needed for clearing NodeNetworkUnavailable flag.
+ - patch
+ # Calico stores some configuration information in node annotations.
+ - update
+ # Watch for changes to Kubernetes NetworkPolicies.
+ - apiGroups: ["networking.k8s.io"]
+ resources:
+ - networkpolicies
+ verbs:
+ - watch
+ - list
+ # Used by Calico for policy information.
+ - apiGroups: [""]
+ resources:
+ - pods
+ - namespaces
+ - serviceaccounts
+ verbs:
+ - list
+ - watch
+ # The CNI plugin patches pods/status.
+ - apiGroups: [""]
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ # Calico monitors various CRDs for config.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - globalfelixconfigs
+ - felixconfigurations
+ - bgppeers
+ - globalbgpconfigs
+ - bgpconfigurations
+ - ippools
+ - ipamblocks
+ - globalnetworkpolicies
+ - globalnetworksets
+ - networkpolicies
+ - networksets
+ - clusterinformations
+ - hostendpoints
+ - blockaffinities
+ verbs:
+ - get
+ - list
+ - watch
+ # Calico must create and update some CRDs on startup.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - ippools
+ - felixconfigurations
+ - clusterinformations
+ verbs:
+ - create
+ - update
+ # Calico stores some configuration information on the node.
+ - apiGroups: [""]
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ # These permissions are only requried for upgrade from v2.6, and can
+ # be removed after upgrade or on fresh installations.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - bgpconfigurations
+ - bgppeers
+ verbs:
+ - create
+ - update
+ # These permissions are required for Calico CNI to perform IPAM allocations.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - blockaffinities
+ - ipamblocks
+ - ipamhandles
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - ipamconfigs
+ verbs:
+ - get
+ # Block affinities must also be watchable by confd for route aggregation.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - blockaffinities
+ verbs:
+ - watch
+ # The Calico IPAM migration needs to get daemonsets. These permissions can be
+ # removed if not upgrading from an installation using host-local IPAM.
+ - apiGroups: ["apps"]
+ resources:
+ - daemonsets
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: calico-node
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-node
+subjects:
+- kind: ServiceAccount
+ name: calico-node
+ namespace: kube-system
diff --git a/manifests/function/cni/calico-capz/v3/rbac/node-service-account.yaml b/manifests/function/cni/calico-capz/v3/rbac/node-service-account.yaml
new file mode 100644
index 000000000..ea721b3f3
--- /dev/null
+++ b/manifests/function/cni/calico-capz/v3/rbac/node-service-account.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-node
+ namespace: kube-system
diff --git a/manifests/site/az-test-site/target/initinfra/kustomization.yaml b/manifests/site/az-test-site/target/initinfra/kustomization.yaml
index f3efc573e..1ec91046d 100755
--- a/manifests/site/az-test-site/target/initinfra/kustomization.yaml
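Review bot: The `calico-node` ClusterRole grants more than this VXLAN deployment exercises: the hunk's own comments mark `create`/`update` on `bgpconfigurations` and `bgppeers` as needed only for upgrade from v2.6 and `get` on `apps/daemonsets` as needed only for the host-local IPAM migration, and the read rule lists `globalfelixconfigs` and `globalbgpconfigs`, for which no CRD is added in this patch's crd/ kustomization. On a freshly provisioned CAPZ cluster none of those paths run, so those rules can be deleted and a calico-node service-account token lifted from a compromised node carries correspondingly less; the `daemonsets` rule must go together with the `upgrade-ipam` init container in node.yaml, not separately. The comment above the BGP rule also misspells `required` as `requried`.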
+++ b/manifests/site/az-test-site/target/initinfra/kustomization.yaml
@@ -1,6 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- - ../../../../function/cni/calico-capz
+ - ../../../../function/cni/calico-capz/v3
commonLabels:
airshipit.org/stage: initinfra