Move calico-policy-controller into separate role

By default Calico CNI does not create any network access policies or profiles if 'policy' is enabled in CNI config. And without any policies/profiles network access to/from PODs is blocked. K8s related policies are created by calico-policy-controller in such case. So we need to start it as soon as possible, before any real workloads. This patch also fixes kube-api port in calico-policy-controller yaml template. Closes #1132
2026-03-10 20:29:18 +03:00 · 2017-03-13 16:04:31 +01:00
parent 565d4a53b0
commit 3a39904011
11 changed files with 33 additions and 22 deletions
--- a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
+++ b/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
@@ -1,20 +0,0 @@
---
- set_fact:
-    calico_cert_dir: "{{ canal_cert_dir }}"
-  when: kube_network_plugin == 'canal'
-  tags: facts
-
- name: Write calico-policy-controller yaml
-  template:
-    src: calico-policy-controller.yml.j2
-    dest: "{{kube_config_dir}}/calico-policy-controller.yml"
-  when: inventory_hostname == groups['kube-master'][0]
-
- name: Start of Calico policy controller
-  kube:
-    name: "calico-policy-controller"
-    kubectl: "{{bin_dir}}/kubectl"
-    filename: "{{kube_config_dir}}/calico-policy-controller.yml"
-    namespace: "{{system_namespace}}"
-    resource: "rs"
-  when: inventory_hostname == groups['kube-master'][0]
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -32,11 +32,6 @@
  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
  tags: dnsmasq

- include: tasks/calico-policy-controller.yml
-  when: ( enable_network_policy is defined and enable_network_policy == True ) or
-    ( kube_network_plugin == 'canal' )
-  tags: [network, canal]
-
 - name: Kubernetes Apps | Netchecker
  include: tasks/netchecker.yml
  when: deploy_netchecker