YAML manifest to create non-IPIP Calico Kubernetes clusters with kubeadm
# Settings shared by every Calico component in this file (self-hosted
# installation).
apiVersion: v1
kind: ConfigMap
metadata:
  name: calico-config
  namespace: kube-system
data:
  # Address of the Calico etcd. This is the clusterIP pinned on the
  # calico-etcd Service further down; the two must stay in sync.
  # NOTE(review): plain http:// with no client authentication, so anything
  # that can reach the master on port 6666 can read or rewrite Calico policy
  # and IPAM state. Confirm what can reach that port.
  etcd_endpoints: 'http://10.96.232.136:6666'
  # Calico networking backend.
  calico_backend: 'bird'
  # CNI network configuration installed on each node.
  # NOTE(review): the __SERVICEACCOUNT_TOKEN__ placeholder is presumably
  # filled in by install-cni.sh before this lands in the host's
  # /etc/cni/net.d, which leaves a long-lived service-account token on disk
  # on every node; keep that directory readable by root only.
  cni_network_config: |-
    {
        "name": "k8s-pod-network",
        "type": "calico",
        "etcd_endpoints": "__ETCD_ENDPOINTS__",
        "log_level": "info",
        "ipam": {
            "type": "calico-ipam"
        },
        "policy": {
            "type": "k8s",
            "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
            "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
        },
        "kubernetes": {
            "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
        }
    }
---
# Runs the Calico etcd on the kubeadm master. A DaemonSet is used so the
# pod is placed even while the master is tainted; the nodeSelector keeps it
# off every other node.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: calico-etcd
  namespace: kube-system
  labels:
    k8s-app: calico-etcd
spec:
  template:
    metadata:
      labels:
        k8s-app: calico-etcd
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      # Tolerate the master taint and select only the master node.
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      nodeSelector:
        node-role.kubernetes.io/master: ""
      hostNetwork: true
      containers:
        - name: calico-etcd
          image: gcr.io/google_containers/etcd:2.2.1
          env:
            # Pod IP; with hostNetwork this is the master's node IP.
            - name: CALICO_ETCD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          # NOTE(review): the client (6666) and peer (6667) listeners are
          # bound on 0.0.0.0 in the host network namespace, and etcd is
          # started without authentication or TLS, so network reachability
          # of the master is the only access control on Calico's datastore.
          # The data directory is an unencrypted hostPath on the master.
          command:
            - /bin/sh
            - -c
          args:
            - >-
              /usr/local/bin/etcd
              --name=calico
              --data-dir=/var/etcd/calico-data
              --advertise-client-urls=http://$CALICO_ETCD_IP:6666
              --listen-client-urls=http://0.0.0.0:6666
              --listen-peer-urls=http://0.0.0.0:6667
          volumeMounts:
            - name: var-etcd
              mountPath: /var/etcd
      volumes:
        - name: var-etcd
          hostPath:
            path: /var/etcd
---
# Service that gives the Calico etcd pod a stable clusterIP.
apiVersion: v1
kind: Service
metadata:
  name: calico-etcd
  namespace: kube-system
  labels:
    k8s-app: calico-etcd
spec:
  # Targets the calico-etcd pod running on the master.
  selector:
    k8s-app: calico-etcd
  # Fixed clusterIP: the calico-config ConfigMap hard-codes this address
  # because DNS cannot be relied on to reach etcd. Change both together.
  clusterIP: 10.96.232.136
  ports:
    - port: 6666
---
# Runs calico/node plus the Calico CNI plugin installer on every node,
# master and workers alike.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      hostNetwork: true
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      # Identity used by the CNI plugin; its rights are the calico-cni-plugin
      # ClusterRole defined later in this file.
      serviceAccountName: calico-cni-plugin
      containers:
        # calico/node: programs network policy and routes on the host.
        - name: calico-node
          image: quay.io/calico/node:v1.1.1
          env:
            # Calico etcd endpoint, taken from the ConfigMap.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Enables BGP; disable it to run in policy-only mode.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Log to stdout only so `kubectl logs` shows everything.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: 'true'
            # Felix default action for endpoint-to-host traffic.
            # NOTE(review): ACCEPT means traffic from a pod to its own host
            # is allowed unless a policy says otherwise; confirm that is
            # intended for this cluster.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: 'ACCEPT'
            # IP pool from which pod IPs are allocated.
            - name: CALICO_IPV4POOL_CIDR
              value: '192.168.0.0/16'
            # No IP-in-IP encapsulation (the "non-ipip" variant): nodes must
            # be able to route pod traffic to each other directly.
            - name: CALICO_IPV4POOL_IPIP
              value: 'off'
            # IPv6 disabled.
            - name: FELIX_IPV6SUPPORT
              value: 'false'
            # Felix screen log level.
            - name: FELIX_LOGSEVERITYSCREEN
              value: 'info'
            # Empty IP lets calico/node auto-detect the BGP address.
            - name: IP
              value: ''
          # NOTE(review): privileged, in the host network namespace, on every
          # node; a compromise of this container is a compromise of the node.
          # calico/node needs this to program the host's routes and policy.
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          volumeMounts:
            - name: lib-modules
              mountPath: /lib/modules
              readOnly: true
            - name: var-run-calico
              mountPath: /var/run/calico
              readOnly: false
        # install-cni: copies the CNI binaries and the network config from
        # the ConfigMap onto the host.
        - name: install-cni
          image: quay.io/calico/cni:v1.6.1
          command:
            - /install-cni.sh
          env:
            # Calico etcd endpoint, taken from the ConfigMap.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # CNI network config written to /etc/cni/net.d on the host.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
          volumeMounts:
            - name: cni-bin-dir
              mountPath: /host/opt/cni/bin
            - name: cni-net-dir
              mountPath: /host/etc/cni/net.d
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        # Used by install-cni.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
---
# Deploys the Calico policy controller, which watches pods, namespaces and
# NetworkPolicy objects (see its ClusterRole below).
# See https://github.com/projectcalico/k8s-policy
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: calico-policy-controller
  namespace: kube-system
  labels:
    k8s-app: calico-policy
spec:
  # Only one controller may be active at a time, so replace rather than
  # roll.
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-policy-controller
      namespace: kube-system
      labels:
        k8s-app: calico-policy-controller
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      # Host network namespace, so the controller is not itself subject to
      # the policy it programs.
      hostNetwork: true
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      serviceAccountName: calico-policy-controller
      containers:
        - name: calico-policy-controller
          image: quay.io/calico/kube-policy-controller:v0.5.4
          env:
            # Calico etcd endpoint, taken from the ConfigMap.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Kubernetes API, reached through the default service.
            - name: K8S_API
              value: 'https://kubernetes.default:443'
            # On the host network KubeDNS may be unreachable, so have the
            # container map kubernetes.default to the service clusterIP in
            # its own /etc/hosts.
            - name: CONFIGURE_ETC_HOSTS
              value: 'true'
---
# Binds the calico-cni-plugin ClusterRole to the calico-cni-plugin service
# account in kube-system.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: calico-cni-plugin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-cni-plugin
subjects:
  - kind: ServiceAccount
    name: calico-cni-plugin
    namespace: kube-system
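---
# Read-only access to pods and nodes for the CNI plugin.
# NOTE(review): the service account bound to this role appears to have its
# token written into the CNI config on every node (see the ConfigMap), so
# keep these rules minimal.
# A ClusterRole is cluster-scoped; the original carried a
# "namespace: kube-system" that the API server ignores, so it is dropped.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: calico-cni-plugin
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
    verbs:
      - get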
---
# Service account used by the calico-node DaemonSet (CNI plugin).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-cni-plugin
  namespace: kube-system
---
# Binds the calico-policy-controller ClusterRole to the
# calico-policy-controller service account in kube-system.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: calico-policy-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-policy-controller
subjects:
  - kind: ServiceAccount
    name: calico-policy-controller
    namespace: kube-system
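---
# Watch/list access to pods, namespaces and NetworkPolicy objects for the
# policy controller; no write verbs are granted.
# A ClusterRole is cluster-scoped; the original carried a
# "namespace: kube-system" that the API server ignores, so it is dropped.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: calico-policy-controller
rules:
  - apiGroups:
      - ""
      - extensions
    resources:
      - pods
      - namespaces
      - networkpolicies
    verbs:
      - watch
      - list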
---
# Service account used by the calico-policy-controller Deployment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-policy-controller
  namespace: kube-system