Kubernetes networking (Canal)
Reference: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/

Reset every node to tear the cluster down quickly (pulled images are kept), then initialise the control plane again:

echo y|kubeadm reset
kubeadm init --apiserver-advertise-address 10.0.0.4 --pod-network-cidr=10.244.0.0/16 --image-repository=registry.aliyuncs.com/google_containers

(The --image-repository flag pulls the control-plane images from a mirror instead of the default registry. If that matters in your environment, pin an explicit --kubernetes-version and compare the image digests with the upstream ones.)

URLs that can no longer be reached:

kubectl apply -f https://raw.githubusercontent.com/projectcalico/canal/master/k8s-install/1.7/rbac.yaml
kubectl apply -f https://raw.githubusercontent.com/projectcalico/canal/master/k8s-install/1.7/canal.yaml

The Canal deployment commands and URLs. Below, I download the two files, edit them, and then apply them:

kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/canal.yaml

Applying rbac.yml fails: the API server has no match for these kinds in the API version the file uses.

[machangwei@mcwk8s-master ~]$ kubectl apply -f rbac.yml
unable to recognize "rbac.yml": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1"
unable to recognize "rbac.yml": no matches for kind "ClusterRole" in version "rbac.authorization.k8s.io/v1beta1"
unable to recognize "rbac.yml": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"
unable to recognize "rbac.yml": no matches for kind "ClusterRoleBinding" in version "rbac.authorization.k8s.io/v1beta1"

Changing every v1beta1 in the file to v1 is enough for the RBAC objects, because rbac.authorization.k8s.io/v1 has the same schema as v1beta1:

[machangwei@mcwk8s-master ~]$ vim rbac.yml
[machangwei@mcwk8s-master ~]$ sed -n "/beta1/p" rbac.yml
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1beta1
[machangwei@mcwk8s-master ~]$ cp rbac.yml rbac.ymlbak
[machangwei@mcwk8s-master ~]$ sed -i "s#beta1##g" rbac.yml
[machangwei@mcwk8s-master ~]$ kubectl apply -f rbac.yml
clusterrole.rbac.authorization.k8s.io/calico created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/canal-flannel created
clusterrolebinding.rbac.authorization.k8s.io/canal-calico created

canal.yaml hits the same problem for the DaemonSet and for each of the eight CustomResourceDefinitions:

[machangwei@mcwk8s-master ~]$ cp canal.yaml canal.yamlbak
[machangwei@mcwk8s-master ~]$ kubectl apply -f canal.yaml
configmap/canal-config created
serviceaccount/canal created
unable to recognize "canal.yaml": no matches for kind "DaemonSet" in version "extensions/v1beta1"
unable to recognize "canal.yaml": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"
unable to recognize "canal.yaml": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"
unable to recognize "canal.yaml": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"
unable to recognize "canal.yaml": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"
unable to recognize "canal.yaml": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"
unable to recognize "canal.yaml": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"
unable to recognize "canal.yaml": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"
unable to recognize "canal.yaml": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"

Stripping "beta1" from this file is not enough: extensions/v1 does not exist, and the CRD spec in apiextensions.k8s.io/v1 is different from the v1beta1 one.

[machangwei@mcwk8s-master ~]$ sed -i "s#beta1##g" canal.yaml
[machangwei@mcwk8s-master ~]$ kubectl apply -f canal.yaml
configmap/canal-config unchanged
unable to recognize "canal.yaml": no matches for kind "DaemonSet" in version "extensions/v1"
error validating "canal.yaml": error validating data: [ValidationError(CustomResourceDefinition.spec): unknown field "version" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec, ValidationError(CustomResourceDefinition.spec): missing required field "versions" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec]; if you choose to ignore these errors, turn validation off with --validate=false

Do not take the --validate=false hint: it only switches off client-side checking, and the API server still needs a valid versions list.

I got the deployment files by following this post, but the files have problems: https://www.cnblogs.com/dribs/p/10318936.html
I edited them following this post and the error messages: https://www.cnblogs.com/dudu/p/14494823.html

The "no matches" errors together say that the API server is Kubernetes 1.22 or later: rbac.authorization.k8s.io/v1beta1 and apiextensions.k8s.io/v1beta1 were removed in 1.22, and the extensions/v1beta1 DaemonSet had already gone in 1.16. The Canal v3.1.7 manifests predate all of that. Patching them is what the rest of this post does; the less fragile route is to use the Canal manifest of a Calico release that supports the cluster's Kubernetes version.

Change 1: remove "beta1" everywhere, because of no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1":

sed -i "s#beta1##g" canal.yaml

This is a blunt substitution. It also turns the DaemonSet's extensions/v1beta1 into the non-existent extensions/v1, which is what change 2 has to repair; editing the apiVersion lines one by one is safer.

Change 2: change the DaemonSet from extensions/v1beta1 to apps/v1, because of the error no matches for kind "DaemonSet" in version "extensions/v1beta1":

kind: DaemonSet
apiVersion: apps/v1

Change 3: the validation error says the field "version" is unknown, so remove version: v1. The same error says "versions" is missing; that is handled on top of change 2.

Change 4: add, step by step, versions: - name: v1, served: true, storage: true and schema:, keeping the attributes the same as in the referenced post. After checking, the file is missing a block of this shape:

versions:
  - name: v1
    # Each version can be enabled/disabled by Served flag.
    served: true
    # One and only one version must be marked as the storage version.
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            properties:
              title:
                type: string
              url:
                type: string
              publishdate:
                type: string
              body:
                type: string

Caveat: the properties title, url, publishdate and body come from the BlogPost example quoted below and have nothing to do with Calico. They make the file validate, but apiextensions.k8s.io/v1 enforces the schema and prunes every field the schema does not list, so an IPPool, FelixConfiguration or NetworkPolicy stored through a CRD carrying this schema would lose its real spec fields. When no proper schema is at hand, give openAPIV3Schema only type: object together with x-kubernetes-preserve-unknown-fields: true, which keeps all fields, instead of the property list.

That post says the following:

CRD (Custom Resource Definition) is one expression of the strong extensibility of Kubernetes. In programming terms a CRD is like a class and a custom resource is like an object or instance. With a CRD you create your own resource type, which the API server supports directly: you can create the resource with kubectl and delete, query and modify it, the resource objects are stored in etcd, and you operate on your own resource the way you operate on a pod.
This note tries out Kubernetes CRDs with a blog-publishing scenario; the corresponding custom resource is BlogPost.
First, write the BlogPost CRD manifest blogpost-crd.yaml, which gives BlogPost three properties, title, publishdate and body; in programming terms this creates a BlogPost class.

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: blogposts.kube.cnblogs.com
spec:
  group: kube.cnblogs.com
  scope: Namespaced
  names:
    kind: BlogPost
    singular: blogpost
    plural: blogposts
    listKind: BlogPostList
  versions:
    - name: v1
      # Each version can be enabled/disabled by Served flag.
      served: true
      # One and only one version must be marked as the storage version.
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                title:
                  type: string
                url:
                  type: string
                publishdate:
                  type: string
                body:
                  type: string

Notes on writing the manifest:
metadata.name is spec.names.plural + "." + spec.group; if you write blogpost.kube.cnblogs.com you get the error below:
metadata.name: Invalid value: "blogpost.kube.cnblogs.com": must be spec.names.plural+"."+spec.group
There are two scopes, Cluster and Namespaced. For example the node resource is Cluster-scoped and the pod resource is Namespaced; the URL path of a Cluster resource is /clusters/{cluster}/{plural} and that of a Namespaced resource is /clusters/{cluster}/namespaces/{namespace}/{plural}.
Properties do not support a date type; only "array", "boolean", "integer", "number", "object" and "string" are supported.
Then create the CRD from the manifest file.

After the changes it deployed, and I joined the other two nodes to the cluster. But the pods have a problem: they are not all Running.

[machangwei@mcwk8s-master ~]$ kubectl apply -f canal.yaml
configmap/canal-config unchanged
daemonset.apps/canal configured
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
serviceaccount/canal unchanged
[machangwei@mcwk8s-master ~]$ kubectl get --namespace=kube-system daemonset canal
NAME    DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
canal   3         3         0       3            0           <none>          65m
[machangwei@mcwk8s-master ~]$ kubectl get pod --all-namespaces -o wide|grep canal
kube-system   canal-lt2fk   2/3   CrashLoopBackOff   2 (20s ago)    5m52s   10.0.0.5   mcwk8s-node1    <none>   <none>
kube-system   canal-rt6hz   2/3   CrashLoopBackOff   3 (43s ago)    5m41s   10.0.0.6   mcwk8s-node2    <none>   <none>
kube-system   canal-z9sz9   2/3   CrashLoopBackOff   17 (90s ago)   68m     10.0.0.4   mcwk8s-master   <none>   <none>

The container log shows the error. The file name carries the container name, so this is the calico-node container, the one that keeps restarting:

[root@mcwk8s-master ~]$ tail /var/log/containers/canal-z9sz9_kube-system_calico-node-62f70dc10a9a7a769331c52b12d52725f2e3f440305bbf583a345ce88413702f.log
{"log":"2022-02-21 17:03:40.525 [WARNING][9] startup.go 348: Unable to access datastore to query node configuration\n","stream":"stdout","time":"2022-02-21T17:03:40.526226529Z"}
{"log":"2022-02-21 17:03:40.525 [WARNING][9] startup.go 1058: Terminating\n","stream":"stdout","time":"2022-02-21T17:03:40.526232118Z"}
{"log":"Calico node failed to start\n","stream":"stderr","time":"2022-02-21T17:03:40.528036397Z"}

Couldn't sort it out; will come back to it later.
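The four changes above can be applied mechanically, and doing it with a script avoids the blanket s#beta1##g that produced the extensions/v1 error. The script below is an added example; it is not from the original post or from the Calico project. It rewrites only the three API versions these two manifests use and expands each CRD's single version field into the versions list that apiextensions.k8s.io/v1 requires, with a schema that keeps unknown fields rather than the BlogPost placeholder properties. It assumes the files have the shape published for Canal v3.1.7 (extensions/v1beta1 used only by the DaemonSet, and a CRD's version: line at two-space indent directly under spec). The embedded sample manifest is a constructed, trimmed copy of those document shapes so the script can run without the real files; the file name convert-canal.sh is just a suggestion.

```shell
#!/bin/sh
# Rewrite the pre-1.22 API versions used by the Canal v3.1.7 rbac.yaml and
# canal.yaml so they apply on a current API server. Only the kinds those two
# files contain are handled. Assumptions: "extensions/v1beta1" occurs only on
# the DaemonSet, and a CRD's "version:" line sits at two-space indent under spec.

convert_manifest() {
  awk '
    # A new YAML document starts: no longer inside a CRD.
    /^---/ { in_crd = 0 }
    # RBAC: v1beta1 -> v1; the v1 schema is identical, nothing else changes.
    /^apiVersion: rbac\.authorization\.k8s\.io\/v1beta1/ { sub(/v1beta1/, "v1") }
    # Workloads moved to apps/v1 ("extensions/v1" never existed).
    /^apiVersion: extensions\/v1beta1/ { $0 = "apiVersion: apps/v1" }
    # CRDs: v1beta1 -> v1, and remember that the following lines are a CRD.
    /^apiVersion: apiextensions\.k8s\.io\/v1beta1/ { sub(/v1beta1/, "v1"); in_crd = 1 }
    # apiextensions.k8s.io/v1 replaces "version: v1" with a "versions" list
    # whose entries need a structural schema. The Canal manifest ships no
    # schema for the Calico objects, so declare a plain object and keep
    # unknown fields; a schema listing unrelated properties would make the
    # API server prune the real spec fields of every object stored through it.
    in_crd && /^  version: / {
      v = $2
      print "  versions:"
      print "    - name: " v
      print "      served: true"
      print "      storage: true"
      print "      schema:"
      print "        openAPIV3Schema:"
      print "          type: object"
      print "          x-kubernetes-preserve-unknown-fields: true"
      next
    }
    { print }
  '
}

# Constructed sample: trimmed copies of the document shapes found in the two
# Canal files, so the script can be exercised without the real manifests.
SAMPLE_MANIFEST=$(cat <<'EOF'
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: flannel
rules:
  - apiGroups: [""]
    resources: [nodes]
    verbs: [list, watch]
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: canal
  namespace: kube-system
spec:
  selector:
    matchLabels: {k8s-app: canal}
  template:
    metadata:
      labels: {k8s-app: canal}
    spec:
      containers:
        - name: calico-node
          image: quay.io/calico/node:v3.1.7
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPPool
    plural: ippools
    singular: ippool
EOF
)

# With a file argument convert that file; otherwise show the sample conversion.
if [ "$#" -gt 0 ]; then
  convert_manifest < "$1"
else
  printf '%s\n' "$SAMPLE_MANIFEST" | convert_manifest
fi
```

Run it as sh convert-canal.sh canal.yaml > canal-v1.yaml (and the same for rbac.yaml), then kubectl apply the converted files; kubectl version and kubectl api-resources tell you beforehand which API versions the cluster actually serves. If the canal pods still crash afterwards, kubectl logs -n kube-system <pod> -c calico-node gives the same text as the JSON file under /var/log/containers, and kubectl auth can-i --list --as=system:serviceaccount:kube-system:canal shows whether the "Unable to access datastore" failure is an RBAC problem or something else. A Canal manifest from a Calico release that supports the cluster's Kubernetes version needs none of this conversion.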
Deployment manifests

A note on what these files grant before applying them: every container in the canal DaemonSet runs with hostNetwork, calico-node and kube-flannel are privileged, and install-cni writes into /opt/cni/bin and /etc/cni/net.d on every node, so whoever can edit the canal-config ConfigMap or this DaemonSet controls pod networking cluster-wide. rbac.yaml additionally gives the canal ServiceAccount cluster-wide update on nodes and patch on pods. That is normal for a CNI, and it is the reason to take these manifests from a Calico release you trust rather than from a mirror.
https://projectcalico.docs.tigera.io/v3.1/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
As published (rbac.authorization.k8s.io/v1beta1):

# Calico Roles
# Reference {{site.url}}/{{page.version}}/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico
rules:
  - apiGroups: [""]
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - update
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
      - patch
  - apiGroups: [""]
    resources:
      - services
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - endpoints
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - globalnetworkpolicies
      - networkpolicies
      - clusterinformations
      - hostendpoints
      - globalnetworksets
    verbs:
      - create
      - get
      - list
      - update
      - watch
---
# Flannel roles
# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: flannel
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
---
# Bind the flannel ClusterRole to the canal ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: canal-flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: canal
  namespace: kube-system
---
# Bind the calico ClusterRole to the canal ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: canal-calico
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico
subjects:
- kind: ServiceAccount
  name: canal
  namespace: kube-system
After the change (rbac.authorization.k8s.io/v1):

# Calico Roles
# Reference {{site.url}}/{{page.version}}/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico
rules:
  - apiGroups: [""]
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - update
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
      - patch
  - apiGroups: [""]
    resources:
      - services
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - endpoints
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - globalnetworkpolicies
      - networkpolicies
      - clusterinformations
      - hostendpoints
      - globalnetworksets
    verbs:
      - create
      - get
      - list
      - update
      - watch
---
# Flannel roles
# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
---
# Bind the flannel ClusterRole to the canal ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: canal-flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: canal
  namespace: kube-system
---
# Bind the calico ClusterRole to the canal ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: canal-calico
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico
subjects:
- kind: ServiceAccount
  name: canal
  namespace: kube-system
https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/canal.yaml
As published (Canal v3.1.7):

# Canal Version v3.1.7
# https://docs.projectcalico.org/v3.1/releases#v3.1.7
# This manifest includes the following component versions:
#   calico/node:v3.1.7
#   calico/cni:v3.1.7
#   coreos/flannel:v0.9.1

# This ConfigMap can be used to configure a self-hosted Canal installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: canal-config
  namespace: kube-system
data:
  # The interface used by canal for host <-> host communication.
  # If left blank, then the interface is chosen using the node's
  # default route.
  canal_iface: ""

  # Whether or not to masquerade traffic to destinations not within
  # the pod network.
  masquerade: "true"

  # The CNI network configuration to install on each node.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "ipam": {
            "type": "host-local",
            "subnet": "usePodCidr"
          },
          "policy": {
            "type": "k8s"
          },
          "kubernetes": {
            "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        }
      ]
    }

  # Flannel network configuration. Mounted into the flannel container.
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }

---

# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: canal
  namespace: kube-system
  labels:
    k8s-app: canal
spec:
  selector:
    matchLabels:
      k8s-app: canal
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: canal
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostNetwork: true
      serviceAccountName: canal
      tolerations:
        # Tolerate this effect so the pods will be schedulable at all times
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      containers:
        # Runs calico/node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: quay.io/calico/node:v3.1.7
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Enable felix logging.
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Don't enable BGP.
            - name: CALICO_NETWORKING_BACKEND
              value: "none"
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,canal"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Period, in seconds, at which felix re-applies all iptables state
            - name: FELIX_IPTABLESREFRESHINTERVAL
              value: "60"
            # Disable IPV6 support in Felix.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # No IP address needed.
            - name: IP
              value: ""
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Set Felix endpoint to host default action to ACCEPT.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            - name: FELIX_HEALTHENABLED
              value: "true"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          readinessProbe:
            httpGet:
              path: /readiness
              port: 9099
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: quay.io/calico/cni:v3.1.7
          command: ["/install-cni.sh"]
          env:
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: cni_network_config
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
        # This container runs flannel using the kube-subnet-mgr backend
        # for allocating subnets.
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.9.1
          command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ]
          securityContext:
            privileged: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: FLANNELD_IFACE
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: canal_iface
            - name: FLANNELD_IP_MASQ
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: masquerade
          volumeMounts:
            - name: run
              mountPath: /run
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Used by flannel.
        - name: run
          hostPath:
            path: /run
        - name: flannel-cfg
          configMap:
            name: canal-config

# Create all the CustomResourceDefinitions needed for
# Calico policy-only mode.
---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: FelixConfiguration
    plural: felixconfigurations
    singular: felixconfiguration

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BGPConfiguration
    plural: bgpconfigurations
    singular: bgpconfiguration

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPPool
    plural: ippools
    singular: ippool

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clusterinformations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: ClusterInformation
    plural: clusterinformations
    singular: clusterinformation

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkPolicy
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: networkpolicies.crd.projectcalico.org
spec:
  scope: Namespaced
  group: crd.projectcalico.org
  version: v1
  names:
    kind: NetworkPolicy
    plural: networkpolicies
    singular: networkpolicy

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalnetworksets.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkSet
    plural: globalnetworksets
    singular: globalnetworkset

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: hostendpoints.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: HostEndpoint
    plural: hostendpoints
    singular: hostendpoint

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: canal
  namespace: kube-system
After the changes (apps/v1 DaemonSet, apiextensions.k8s.io/v1 CRDs):

# Canal Version v3.1.7
# https://docs.projectcalico.org/v3.1/releases#v3.1.7
# This manifest includes the following component versions:
#   calico/node:v3.1.7
#   calico/cni:v3.1.7
#   coreos/flannel:v0.9.1

# This ConfigMap can be used to configure a self-hosted Canal installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: canal-config
  namespace: kube-system
data:
  # The interface used by canal for host <-> host communication.
  # If left blank, then the interface is chosen using the node's
  # default route.
  canal_iface: ""

  # Whether or not to masquerade traffic to destinations not within
  # the pod network.
  masquerade: "true"

  # The CNI network configuration to install on each node.
  # The "etcd_endpoint" entry below was added while troubleshooting. With
  # "datastore_type": "kubernetes" the plugin talks to the API server through
  # the kubeconfig and does not consult it, and a kubeadm etcd only serves
  # TLS on 2379, so a plain-http endpoint would be unusable anyway.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "etcd_endpoint": "http://10.0.0.4:2379",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "ipam": {
            "type": "host-local",
            "subnet": "usePodCidr"
          },
          "policy": {
            "type": "k8s"
          },
          "kubernetes": {
            "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        }
      ]
    }

  # Flannel network configuration. Mounted into the flannel container.
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }

---

# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: canal
  namespace: kube-system
  labels:
    k8s-app: canal
spec:
  selector:
    matchLabels:
      k8s-app: canal
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: canal
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostNetwork: true
      serviceAccountName: canal
      tolerations:
        # Tolerate this effect so the pods will be schedulable at all times
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      containers:
        # Runs calico/node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: quay.io/calico/node:v3.1.7
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Enable felix logging.
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Don't enable BGP.
            - name: CALICO_NETWORKING_BACKEND
              value: "none"
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,canal"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Period, in seconds, at which felix re-applies all iptables state
            - name: FELIX_IPTABLESREFRESHINTERVAL
              value: "60"
            # Disable IPV6 support in Felix.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # No IP address needed.
            - name: IP
              value: ""
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Set Felix endpoint to host default action to ACCEPT.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            - name: FELIX_HEALTHENABLED
              value: "true"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          readinessProbe:
            httpGet:
              path: /readiness
              port: 9099
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: quay.io/calico/cni:v3.1.7
          command: ["/install-cni.sh"]
          env:
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: cni_network_config
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
        # This container runs flannel using the kube-subnet-mgr backend
        # for allocating subnets.
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.9.1
          command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ]
          securityContext:
            privileged: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: FLANNELD_IFACE
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: canal_iface
            - name: FLANNELD_IP_MASQ
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: masquerade
          volumeMounts:
            - name: run
              mountPath: /run
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Used by flannel.
        - name: run
          hostPath:
            path: /run
        - name: flannel-cfg
          configMap:
            name: canal-config

# Create all the CustomResourceDefinitions needed for
# Calico policy-only mode.
---

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  # apiextensions.k8s.io/v1 replaces the single "version" field with a
  # "versions" list, and every served version needs a structural schema.
  # This manifest carries no schema for the Calico resources, so declare a
  # plain object and keep unknown fields: a v1 CRD prunes every field its
  # schema does not list, and a placeholder property list (such as the
  # title/url/publishdate/body one from the BlogPost example) would strip
  # the real spec fields from every object stored through these CRDs.
  # The same versions block is used for each CRD below.
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: FelixConfiguration
    plural: felixconfigurations
    singular: felixconfiguration

---

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: BGPConfiguration
    plural: bgpconfigurations
    singular: bgpconfiguration

---

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: IPPool
    plural: ippools
    singular: ippool

---

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterinformations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: ClusterInformation
    plural: clusterinformations
    singular: clusterinformation

---

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: GlobalNetworkPolicy
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy

---

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: networkpolicies.crd.projectcalico.org
spec:
  scope: Namespaced
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: NetworkPolicy
    plural: networkpolicies
    singular: networkpolicy

---

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: globalnetworksets.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: GlobalNetworkSet
    plural: globalnetworksets
    singular: globalnetworkset

---

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: hostendpoints.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
  names:
    kind: HostEndpoint
    plural: hostendpoints
    singular: hostendpoint

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: canal
  namespace: kube-system