epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-03-09 11:47:47 +03:00
Code Issues Packages Projects Releases Wiki Activity

cilium v1.1.2

Browse Source 
Update all configs to current upstream state.
Add more resources (unable to pass tests now)...
This commit is contained in:
Zinin D.A
2018-07-26 23:17:27 +03:00
parent e71f261935
commit 22b89edbbc
7 changed files with 268 additions and 195 deletions
Download Patch File Download Diff File Expand all files Collapse all files

281
roles/network_plugin/cilium/templates/cilium-ds.yml.j2
View File

@@ -1,10 +1,21 @@
---
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cilium
namespace: kube-system
spec:
updateStrategy:
type: "RollingUpdate"
rollingUpdate:
# Specifies the maximum number of Pods that can be unavailable during the update process.
# The current default value is 1 or 100% for daemonsets; Adding an explicit value here
# to avoid confusion, as the default value is specific to the type (daemonset/deployment).
maxUnavailable: "100%"
selector:
matchLabels:
k8s-app: cilium
kubernetes.io/cluster-service: "true"
template:
metadata:
labels:
@@ -26,145 +37,185 @@ spec:
{% if rbac_enabled %}
serviceAccountName: cilium
{% endif %}
initContainers:
- name: clean-cilium-state
image: docker.io/library/busybox:1.28.4
imagePullPolicy: IfNotPresent
command: ['sh', '-c', 'if [ "${CLEAN_CILIUM_STATE}" = "true" ]; then rm -rf /var/run/cilium/state; rm -rf /sys/fs/bpf/tc/globals/cilium_*; fi']
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
- name: cilium-run
mountPath: /var/run/cilium
env:
- name: "CLEAN_CILIUM_STATE"
valueFrom:
configMapKeyRef:
name: cilium-config
optional: true
key: clean-cilium-state
containers:
- image: {{ cilium_image_repo }}:{{ cilium_image_tag }}
imagePullPolicy: Always
name: cilium-agent
command: [ "cilium-agent" ]
args:
- "--debug=$(CILIUM_DEBUG)"
- "-t"
- "vxlan"
- "--kvstore"
- "etcd"
- "--kvstore-opt"
- "etcd.config=/var/lib/etcd-config/etcd.config"
- "--disable-ipv4=$(DISABLE_IPV4)"
- image: {{ cilium_image_repo }}:{{ cilium_image_tag }}
imagePullPolicy: Always
name: cilium-agent
command: ["cilium-agent"]
args:
- "--debug=$(CILIUM_DEBUG)"
- "--kvstore=etcd"
- "--kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config"
- "--disable-ipv4=$(DISABLE_IPV4)"
{% if cilium_enable_prometheus %}
ports:
- name: prometheus
containerPort: 9090
ports:
- name: prometheus
containerPort: 9090
{% endif %}
lifecycle:
postStart:
lifecycle:
postStart:
exec:
command:
- "/cni-install.sh"
preStop:
exec:
command:
- "/cni-uninstall.sh"
env:
- name: "K8S_NODE_NAME"
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: "CILIUM_DEBUG"
valueFrom:
configMapKeyRef:
name: cilium-config
key: debug
- name: "DISABLE_IPV4"
valueFrom:
configMapKeyRef:
name: cilium-config
key: disable-ipv4
{% if cilium_enable_prometheus %}
# Note: this variable is a no-op if not defined, and is used in the
# prometheus examples.
- name: "CILIUM_PROMETHEUS_SERVE_ADDR"
valueFrom:
configMapKeyRef:
name: cilium-metrics-config
optional: true
key: prometheus-serve-addr
{% endif %}
- name: "CILIUM_LEGACY_HOST_ALLOWS_WORLD"
valueFrom:
configMapKeyRef:
name: cilium-config
optional: true
key: legacy-host-allows-world
- name: "CILIUM_SIDECAR_ISTIO_PROXY_IMAGE"
valueFrom:
configMapKeyRef:
name: cilium-config
key: sidecar-istio-proxy-image
optional: true
- name: "CILIUM_TUNNEL"
valueFrom:
configMapKeyRef:
key: tunnel
name: cilium-config
optional: true
- name: "CILIUM_MONITOR_AGGREGATION_LEVEL"
valueFrom:
configMapKeyRef:
key: monitor-aggregation-level
name: cilium-config
optional: true
resources:
limits:
cpu: {{ cilium_cpu_limit }}
memory: {{ cilium_memory_limit }}
requests:
cpu: {{ cilium_cpu_requests }}
memory: {{ cilium_memory_requests }}
livenessProbe:
exec:
command:
- "/cni-install.sh"
preStop:
- cilium
- status
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
initialDelaySeconds: 120
failureThreshold: 10
periodSeconds: 10
readinessProbe:
exec:
command:
- "/cni-uninstall.sh"
env:
- name: "K8S_NODE_NAME"
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: "CILIUM_DEBUG"
valueFrom:
configMapKeyRef:
name: cilium-config
key: debug
- name: "DISABLE_IPV4"
valueFrom:
configMapKeyRef:
name: cilium-config
key: disable-ipv4
{% if cilium_enable_prometheus %}
# Note: this variable is a no-op if not defined, and is used in the
# prometheus examples.
- name: "CILIUM_PROMETHEUS_SERVE_ADDR"
valueFrom:
configMapKeyRef:
name: cilium-metrics-config
optional: true
key: prometheus-serve-addr
{% endif %}
resources:
limits:
cpu: {{ cilium_cpu_limit }}
memory: {{ cilium_memory_limit }}
requests:
cpu: {{ cilium_cpu_requests }}
memory: {{ cilium_memory_requests }}
livenessProbe:
exec:
command:
- cilium
- status
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
initialDelaySeconds: 120
failureThreshold: 10
periodSeconds: 10
readinessProbe:
exec:
command:
- cilium
- status
initialDelaySeconds: 5
periodSeconds: 5
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
- name: cilium-run
mountPath: /var/run/cilium
- name: cni-path
mountPath: /host/opt/cni/bin
- name: etc-cni-netd
mountPath: /host/etc/cni/net.d
- name: docker-socket
mountPath: /var/run/docker.sock
readOnly: true
- name: etcd-config-path
mountPath: /var/lib/etcd-config
readOnly: true
- name: cilium-certs
mountPath: {{ cilium_cert_dir }}
readOnly: true
securityContext:
capabilities:
add:
- "NET_ADMIN"
privileged: true
- cilium
- status
initialDelaySeconds: 5
periodSeconds: 5
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
- name: cilium-run
mountPath: /var/run/cilium
- name: cni-path
mountPath: /host/opt/cni/bin
- name: etc-cni-netd
mountPath: /host/etc/cni/net.d
- name: docker-socket
mountPath: /var/run/docker.sock
readOnly: true
- name: etcd-config-path
mountPath: /var/lib/etcd-config
readOnly: true
- name: cilium-certs
mountPath: {{ cilium_cert_dir }}
readOnly: true
securityContext:
capabilities:
add:
- "NET_ADMIN"
privileged: true
hostNetwork: true
volumes:
# To keep state between restarts / upgrades
# To keep state between restarts / upgrades
- name: cilium-run
hostPath:
path: /var/run/cilium
# To keep state between restarts / upgrades
# To keep state between restarts / upgrades
- name: bpf-maps
hostPath:
path: /sys/fs/bpf
# To read docker events from the node
# To read docker events from the node
- name: docker-socket
hostPath:
path: /var/run/docker.sock
# To install cilium cni plugin in the host
# To install cilium cni plugin in the host
- name: cni-path
hostPath:
path: /opt/cni/bin
# To install cilium cni configuration in the host
# To install cilium cni configuration in the host
- name: etc-cni-netd
hostPath:
path: /etc/cni/net.d
- name: cilium-certs
hostPath:
path: {{ cilium_cert_dir }}
# To read the etcd config stored in config maps
path: /etc/cni/net.d
# To read the etcd config stored in config maps
- name: etcd-config-path
configMap:
name: cilium-config
items:
- key: etcd-config
path: etcd.config
- key: etcd-config
path: etcd.config
# To read the k8s etcd secrets in case the user might want to use TLS
- name: cilium-certs
hostPath:
path: {{ cilium_cert_dir }}
restartPolicy: Always
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
# Mark cilium's pod as critical for rescheduling
- key: CriticalAddonsOnly
operator: "Exists"
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
# Mark cilium's pod as critical for rescheduling
- key: CriticalAddonsOnly
operator: "Exists"