Add calico 3.7.3 support (#4953)

* Add calico 3.7.3 support * add calico_datastore variable to policy controller role * add missing clusterrole rules for calico policy controller * disable calico kube controller when kdd mode is used for versions < 3.6
2026-03-11 12:47:58 +03:00 · 2019-07-09 21:42:28 +02:00
parent 65065e7fdf
commit 20c7e31ea3
10 changed files with 235 additions and 19 deletions
--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@@ -71,9 +71,15 @@ rules:
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
+{% if calico_version is version('v3.6.0', '>=') %}
+      - ipamblocks
+{% endif %}
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
+{% if calico_version is version('v3.7.0', '>=') %}
+      - networksets
+{% endif %}
      - clusterinformations
      - hostendpoints
    verbs:
@@ -106,4 +112,36 @@ rules:
    verbs:
      - create
      - update
+{% if calico_version is version('v3.6.0', '>=') %}
+  # These permissions are required for Calico CNI to perform IPAM allocations.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+      - ipamblocks
+      - ipamhandles
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ipamconfigs
+    verbs:
+      - get
+  # Block affinities must also be watchable by confd for route aggregation.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+    verbs:
+      - watch
+  # The Calico IPAM migration needs to get daemonsets. These permissions can be
+  # removed if not upgrading from an installation using host-local IPAM.
+  - apiGroups: ["apps"]
+    resources:
+      - daemonsets
+    verbs:
+      - get
+{% endif %}
 {% endif %}