部署文件:
[root@master calico-3.17.1]# more calico.yaml
---
# Source: calico/templates/calico-etcd-secrets.yaml
# The following contains k8s Secrets for use with a TLS enabled etcd cluster.
# For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: calico-etcd-secrets
namespace: kube-system
data:
# Populate the following with etcd TLS configuration if desired, but leave blank if
# not using TLS for etcd.
# The keys below should be uncommented and the values populated with the base64
# encoded contents of each file that would be associated with the TLS data.
# Example command for encoding a file contents: cat | base64 -w 0
etcd-key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBM1dIUDdzMFhrY0l3VW8rV1BaOThnVzVuSlVLUnRQRkN3N3k4ZU9nZDZxcnFsS3hyC
jFURC9yNXFjWXhpNi9UZDRSbGtSZ3BVeTRGOFlpSkxMQ0tOQmxoaCtqWWFmQ0MwWENpZGFIYUNvdGcxcmlNWFMKWWJsd1dTUkp6V3dySFhoa3NmbTE2WmhDMnhCRzBzNXl1MGlSamV4T0
xtTjgrSjlsZkRJUjN5azlxOEFXTEQwdwo5SUozYTJlWmNyS01tQTFncVd2d3dPdmFyNkRKME04aVVSQ1lUWU0veEVTVEFPUk1aNEpWb2Q1ZmtGME5XdnR2CnhqUVJDd1AwRGs5Z2NoNEl
WZ0tVU0VsSDlna2phTWovaC9OdUZzVEc4ajV0OElTeXkzYWo4a1M0SzRpUWE4MzMKSnRTWWVkdnhBZFBPT0xQQVhYT0lhRTdwV1pFeTJlQ250bktGVndJREFRQUJBb0lCQURmQ21qZ0F5
bTM1Sm1pMQpKOWR2bzFHS2VFcG5RUUg5UHA3RW5BZ3NGdFR6cGRBNnVaSmlIQlNqOGIzNERha1gzcUNCY0txZVg4a3B5cWtqCnFDWU4wTWc0ZFMrNmQ3WDhmWEFlUjFGdEZQRjk0ZGI2V
ktvdXBnQ2Q1a1RxZU5XY2JHaHppQUZGUzVtWHVPOEIKOXQzN1FrWW4vZTByTzkvM2JmMWhNeVV0WXc0dUJHN2JKb2pKY3BSeDdtWDMwWWlaV1FSbTUwYnZUaUtFaklaWApLTnpUWGFoV2
g3N1VrUnFEVThsOVJoN0JEdzJLSUJsVDJJeVUxL3g2M1B1dzg3WWVMTTZDSGdSMmtjNEVsK0g4Cm83bXlQZktWdXB6RVdFSG1xcWJUOFJEYlhYd1daL21TUzlNSmdQWSt1cklTWlFIZXF
YTGN0Y2dETlB6N29XdWkKTG9wUlM3a0NnWUVBM2VKcThORVF0cG8vbmtaMXFtLzlqVkdtQ1daRElwbXNJNWZLcWNSU3lTLzRUOVBrdmV0KwpZd2czM1RPeUdhck01MTdrYWUzQ0JxNDM1
cGFIMWNzUjlXQXZ2LzNEOS91S242QUJyYUdOeFlLV0tOd2dBd2N3CjU2M2s0bm1iMEFLdG9SbEE0VUlldXlBNm9oVUZlTGNKc2JlbUtyRWk3dzJOVVBNMHp1WnQwSVVDZ1lFQS8ydWUKO
VNmTmN4N29nY25zOWNDNjVCeU1DOVV5NGtXV1h6M2daUkk4VmdONFMyOFhEVGt2YU9ybDZ6MXBSWEFOUnZMcwoyMkJiUTl6K1J4YlNKS3JGWHlTdEZyaUhpcDl2N0RtOEpJZyt2TTRBeV
dEdXpsRk1SMWpWZTd0K3U5ZzJXMTc4Ckd2R3JwUDd3MWxGa3FFbURTOTRNb1kzblZqYWFqclYvOElCK015c0NnWUJvbmJ5MlZweCt2RE9LdU1YNTJsdSsKS2VVVFFYZ2Q5RDdKZVdSQXJ
5UXBYOGpBT3JQN0ovR3JWOUNmSnlTdUhXNEhHU0t4SHowQVVWeGlDRTk3YWdmSgpuZFJsdll5TWU3bGNrZUM0c1JkYkxMc0lBT0hIQzdqdlEzcExuZkx0SEpZcEF2TW9RamlqR2dzTEtN
WXZxSDJWCm9YVmpZNm1JOU9iUWFCdGFBaU44MFFLQmdRQ0YvNkgvSDRpTFVyWE1FWEY5WkVVb0UwbnRrMFlFcTFrK1VpbjkKSEZvSERmNzRKQ25GeURCMUxIYSt1Uk1YV0xlK2R3ZUg5N
zhwbFREWmZzRjBkeHJnMVU3eFVwSFpTZGZmNkZJcQpJRWc1cVNHRWhKUUVMV2FGTDdlZ0dEZGV1UW1iV2ZPTTl5aURnVFE4VzZzaEZxQUpGMDh0R2xNNVNhQkFLandhCm9tNlN6UUtCZ0
Rsb0I0d0JMazR3Wk9nYXE3bXg2NXZ2WWRMdkszSGpuL1AySEFOVm9NL0drbDBkMmtpTmpEUmIKdlJQVnptUzFZS0hpalVYSC9OT2NVUDV4cURTQ09GYTlYL2ZVYzgySG9GdHhzVFk3Tzc
3aVdNYklTRGVXUWFvegpDbDM5VWVxcVZNSEwvemJYQ21sN0xBZXoxUnYvdHIzZ25IZ3Nla2ozckFhOFYvaktZZWcwCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
etcd-cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMrekNDQWVPZ0F3SUJBZ0lJYzQ3bzA0WmR5N3N3RFFZSktvWklodmNOQVFFTEJRQXdFakVRTUE0R0ExVUUKQXhN
SFpYUmpaQzFqWVRBZUZ3MHlNVEV4TURreU16TTNNVEphRncwek1URXhNRGN5TXpNM01USmFNRUF4RnpBVgpCZ05WQkFvVERuTjVjM1JsYlRwdFlYTjBaWEp6TVNVd0l3WURWUVFERXh4c
mRXSmxMV1YwWTJRdGFHVmhiSFJvClkyaGxZMnN0WTJ4cFpXNTBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNXSFAKN3MwWGtjSXdVbytXUFo5OGdXNW
5KVUtSdFBGQ3c3eThlT2dkNnFycWxLeHIxVEQvcjVxY1l4aTYvVGQ0UmxrUgpncFV5NEY4WWlKTExDS05CbGhoK2pZYWZDQzBYQ2lkYUhhQ290ZzFyaU1YU1libHdXU1JKeld3ckhYaGt
zZm0xCjZaaEMyeEJHMHM1eXUwaVJqZXhPTG1OOCtKOWxmRElSM3lrOXE4QVdMRDB3OUlKM2EyZVpjcktNbUExZ3FXdncKd092YXI2REowTThpVVJDWVRZTS94RVNUQU9STVo0SlZvZDVm
a0YwTld2dHZ4alFSQ3dQMERrOWdjaDRJVmdLVQpTRWxIOWdramFNai9oL051RnNURzhqNXQ4SVN5eTNhajhrUzRLNGlRYTgzM0p0U1llZHZ4QWRQT09MUEFYWE9JCmFFN3BXWkV5MmVDb
nRuS0ZWd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3cKQ2dZSUt3WUJCUVVIQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFId25KMjZSZzNUQX
k2UHRoQ25zOXgzVApxTnBYTW5JbEhjSDk5c29rNnNTM3pmbERJM2pNRjJjVVFvbC96a2ZrTjN1blgwQytZZ2pnNFJqZklWaFlvdlJrCmIxWWJHUm5BMU9CUGhjZlR1ejFuM2lEQXc4TFp
xWEJRYmJhNkxkY1dzQ3Fkais4T0E3bkpZdWxKUmoxTUlWdmsKV1p6WFZrQ2JQRExPYUFrMnVmZ3F0UVFEbEswTHBOeFJ3MzhTTnhqMnVrOVJHeVBRVUVYVnBKVTcxMXArTkJ3aApYODVO
STBwajRhWXowSHVDYzRvNjB0VXFlTVBKMTVHWXYwYWtwUjlQMlI2QmxYV3JIUHVWVFZyQ2lIbEY3cVV3ClNGUTRwYVY1b2haditvOXdVMk9XNGZLMVJkQjVTYUhuc2c4a3djMHFZbEN3L
0phejJFRUI1NGtzL1pJQk9CVT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
etcd-ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN3akNDQWFxZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFTTVJBd0RnWURWUVFERXdkbGRHTmsKTFdOaE
1CNFhEVEl4TVRFd09USXpNemN4TWxvWERUTXhNVEV3TnpJek16Y3hNbG93RWpFUU1BNEdBMVVFQXhNSApaWFJqWkMxallUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0F
Rb0NnZ0VCQUtHZWg4VDJ5RFJZCnd4MnIwNWZxcFJ4dXJONGo0Z0xmWnhlTlVzN2lxY1Q4OStPM3dIWVNMTXJhSnlLQTgzUWx3cnBKMWpFckF0Y3cKdFpJbzVJaWJSWUVqWkdPbzdoTW1W
TkI0UkJpUm1EbEJkSm5JT3ZRV2MzYnVEOWE2ek9FRFEzY1VGWER5VmZXMgp4elI1aTd5dFdSSnBjaG45YkN0TTgyN3ZaVjJXaFptRC9ZUlVXSVR4RU5TU2RZaXVQWm9UTWxGb1BnSlFZL
3FhClZCVWpqN0M2T0oxc2hONnFjSWg0ZjRxOWNGKzZYU3N1WmlhRjJIY2hBZU9qZ0RqaXM2dUVrYVJRaUlud0hiZCsKMmpWcHFqcEt5QVYvR2VtZHNkNXJJK2Y5QW9zdW8rRXR5VHB1K3
JHRm9RYUZhL0dMQnJGRlgxcXRhNUg2bUJKMQo3ZFg2REwwNDFOa0NBd0VBQWFNak1DRXdEZ1lEVlIwUEFRSC9CQVFEQWdLa01BOEdBMVVkRXdFQi93UUZNQU1CCkFmOHdEUVlKS29aSWh
2Y05BUUVMQlFBRGdnRUJBQkFoekxUY0JYVjFXb25ueVFMcjVlWDhjQWxUdUY2VUZxR1AKQmNXRDhXaStTQWIxNzVUdVlBd1hsSUExcDIzNWIwMzFveGJPZ3NEVjlGMVZCNG84a2V6bFVK
M0dXZXYrWnJiaApMYzVEV2ZxazYxbm9Fblp4S0wxVEJXbzBHM0xnWVloaWlaWXNIRFlZanZYZU1wMFZGM1pSUTNuSVJidU1Tc0htCnE5YmFxREQ4WmhOTE5keDRMSUdxVnpSV0NJOTgwc
m9rVW5hdFZmNWZjMlpBaGF1NUM1QUlhWGoyOWpPZzdHSUYKK1A5ZmJpN0hUaGJ0ZXJyVmhVZUxXWTVWaEZUOHZSRFlxMDYwVWJQS0VjbXcwNmpwTjJNbkc1WitpbHZ0TlBDZwoxVFRYTT
Q1ZGt6TmxqVUJKRE9BeFYrRC9YU3k0N3IrR3pOQlpOVExsTkJaWFZKNW1QRFE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
---
# Source: calico/templates/calico-config.yaml
# This ConfigMap is used to configure a self-hosted Calico installation.
kind: ConfigMap
apiVersion: v1
metadata:
name: calico-config
namespace: kube-system
data:
# Configure this with the location of your etcd cluster.
etcd_endpoints: "https://6.6.6.8:2379"
# If you're using TLS enabled etcd uncomment the following.
# You must also populate the Secret below with these files.
etcd_ca: "/calico-secrets/etcd-ca"
etcd_cert: "/calico-secrets/etcd-cert"
etcd_key: "/calico-secrets/etcd-key"
typha_service_name: "none"
# Configure the backend to use.
calico_backend: "bird"
# Configure the MTU to use for workload interfaces and tunnels.
# By default, MTU is auto-detected, and explicitly setting this field should not be required.
# You can override auto-detection by providing a non-zero value.
veth_mtu: "1440"
# The CNI network configuration to install on each node. The special
# values in this config will be automatically populated.
cni_network_config: |-
{
"name": "k8s-pod-network",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "calico",
"log_level": "info",
"log_file_path": "/var/log/calico/cni/cni.log",
"etcd_endpoints": "__ETCD_ENDPOINTS__",
"etcd_key_file": "__ETCD_KEY_FILE__",
"etcd_cert_file": "__ETCD_CERT_FILE__",
"etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
"mtu": __CNI_MTU__,
"ipam": {
"type": "calico-ipam"
},
"policy": {
"type": "k8s"
},
"kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__"
}
},
{
"type": "portmap",
"snat": true,
"capabilities": {"portMappings": true}
},
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
}
]
}
---
# Source: calico/templates/calico-kube-controllers-rbac.yaml
# Include a clusterrole for the kube-controllers component,
# and bind it to the calico-kube-controllers serviceaccount.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico-kube-controllers
rules:
# Pods are monitored for changing labels.
# The node controller monitors Kubernetes nodes.
# Namespace and serviceaccount labels are used for policy.
- apiGroups: [""]
resources:
- pods
- nodes
- namespaces
- serviceaccounts
verbs:
- watch
- list
- get
# Watch for changes to Kubernetes NetworkPolicies.
- apiGroups: ["networking.k8s.io"]
resources:
- networkpolicies
verbs:
- watch
- list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico-kube-controllers
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-kube-controllers
subjects:
- kind: ServiceAccount
name: calico-kube-controllers
namespace: kube-system
---
---
# Source: calico/templates/calico-node-rbac.yaml
# Include a clusterrole for the calico-node DaemonSet,
# and bind it to the calico-node serviceaccount.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico-node
rules:
# The CNI plugin needs to get pods, nodes, and namespaces.
- apiGroups: [""]
resources:
- pods
- nodes
- namespaces
verbs:
- get
# EndpointSlices are used for Service-based network policy rule
# enforcement.
- apiGroups: ["discovery.k8s.io"]
resources:
- endpointslices
verbs:
- watch
- list
- apiGroups: [""]
resources:
- endpoints
- services
verbs:
# Used to discover service IPs for advertisement.
- watch
- list
# Pod CIDR auto-detection on kubeadm needs access to config maps.
- apiGroups: [""]
resources:
- configmaps
verbs:
- get
- apiGroups: [""]
resources:
- nodes/status
verbs:
# Needed for clearing NodeNetworkUnavailable flag.
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-node
subjects:
- kind: ServiceAccount
name: calico-node
namespace: kube-system
---
# Source: calico/templates/calico-node.yaml
# This manifest installs the calico-node container, as well
# as the CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: calico-node
namespace: kube-system
labels:
k8s-app: calico-node
spec:
selector:
matchLabels:
k8s-app: calico-node
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
k8s-app: calico-node
spec:
nodeSelector:
kubernetes.io/os: linux
hostNetwork: true
tolerations:
# Make sure calico-node gets scheduled on all nodes.
- effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
serviceAccountName: calico-node
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
priorityClassName: system-node-critical
initContainers:
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: docker.io/calico/cni:v3.17.0
command: ["/opt/cni/bin/install"]
envFrom:
- configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
name: kubernetes-services-endpoint
optional: true
env:
# Name of the CNI config file to create.
- name: CNI_CONF_NAME
value: "10-calico.conflist"
# The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
name: calico-config
key: cni_network_config
# The location of the etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
# CNI MTU Config variable
- name: CNI_MTU
valueFrom:
configMapKeyRef:
name: calico-config
key: veth_mtu
# Prevents the container from sleeping forever.
- name: SLEEP
value: "false"
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
- mountPath: /calico-secrets
name: etcd-certs
securityContext:
privileged: true
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
# to communicate with Felix over the Policy Sync API.
- name: flexvol-driver
image: docker.io/calico/pod2daemon-flexvol:v3.17.0
volumeMounts:
- name: flexvol-driver-host
mountPath: /host/driver
securityContext:
privileged: true
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node.kubernetes.io/not-ready
operator: Exists
effect: NoSchedule
containers:
# Runs calico-node container on each Kubernetes node. This
# container programs network policy and routes on each
# host.
- name: calico-node
image: docker.io/calico/node:v3.17.0
envFrom:
- configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
name: kubernetes-services-endpoint
optional: true
env:
# The location of the etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
# Location of the CA certificate for etcd.
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_ca
# Location of the client key for etcd.
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_key
# Location of the client certificate for etcd.
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_cert
# Set noderef for node controller.
- name: CALICO_K8S_NODE_REF
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# Choose the backend to use.
- name: CALICO_NETWORKING_BACKEND
valueFrom:
configMapKeyRef:
name: calico-config
key: calico_backend
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
value: "k8s,bgp"
# Auto-detect the BGP IP address.
- name: IP
value: "autodetect"
- name: IP_AUTODETECTION_METHOD
value: "interface=^e.*"
# Enable IPIP
- name: CALICO_IPV4POOL_IPIP
value: "Always"
# Enable or Disable VXLAN on the default IP pool.
- name: CALICO_IPV4POOL_VXLAN
value: "Never"
# Set MTU for tunnel device used if ipip is enabled
- name: FELIX_IPINIPMTU
valueFrom:
configMapKeyRef:
name: calico-config
key: veth_mtu
# Set MTU for the VXLAN tunnel device.
- name: FELIX_VXLANMTU
valueFrom:
configMapKeyRef:
name: calico-config
key: veth_mtu
# Set MTU for the Wireguard tunnel device.
- name: FELIX_WIREGUARDMTU
valueFrom:
configMapKeyRef:
name: calico-config
key: veth_mtu
# The default IPv4 pool to create on startup if none exists. Pod IPs will be
# chosen from this range. Changing this value after installation will have
# no effect. This should fall within `--cluster-cidr`.
- name: CALICO_IPV4POOL_CIDR
value: "10.244.0.0/16"
# Disable file logging so `kubectl logs` works.
- name: CALICO_DISABLE_FILE_LOGGING
value: "true"
# Set Felix endpoint to host default action to ACCEPT.
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
value: "ACCEPT"
# Disable IPv6 on Kubernetes.
- name: FELIX_IPV6SUPPORT
value: "false"
- name: FELIX_HEALTHENABLED
value: "true"
securityContext:
privileged: true
resources:
requests:
cpu: 250m
lifecycle:
preStop:
exec:
command:
- /bin/calico-node
- -shutdown
livenessProbe:
exec:
command:
- /bin/calico-node
- -felix-live
- -bird-live
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
timeoutSeconds: 10
readinessProbe:
exec:
command:
- /bin/calico-node
- -felix-ready
- -bird-ready
periodSeconds: 10
timeoutSeconds: 10
volumeMounts:
# For maintaining CNI plugin API credentials.
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
readOnly: false
- mountPath: /lib/modules
name: lib-modules
readOnly: true
- mountPath: /run/xtables.lock
name: xtables-lock
readOnly: false
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /var/lib/calico
name: var-lib-calico
readOnly: false
- mountPath: /calico-secrets
name: etcd-certs
- name: policysync
mountPath: /var/run/nodeagent
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
# parent directory.
- name: sysfs
mountPath: /sys/fs/
# Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
# If the host is known to mount that filesystem already then Bidirectional can be omitted.
mountPropagation: Bidirectional
- name: cni-log-dir
mountPath: /var/log/calico/cni
readOnly: true
volumes:
# Used by calico-node.
- name: lib-modules
hostPath:
path: /lib/modules
- name: var-run-calico
hostPath:
path: /var/run/calico
- name: var-lib-calico
hostPath:
path: /var/lib/calico
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
- name: sysfs
hostPath:
path: /sys/fs/
type: DirectoryOrCreate
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
# Used to access CNI logs.
- name: cni-log-dir
hostPath:
path: /var/log/calico/cni
# Mount in the etcd TLS secrets with mode 400.
# See https://kubernetes.io/docs/concepts/configuration/secret/
- name: etcd-certs
secret:
secretName: calico-etcd-secrets
defaultMode: 0400
# Used to create per-pod Unix Domain Sockets
- name: policysync
hostPath:
type: DirectoryOrCreate
path: /var/run/nodeagent
# Used to install Flex Volume Driver
- name: flexvol-driver-host
hostPath:
type: DirectoryOrCreate
path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-node
namespace: kube-system
---
# Source: calico/templates/calico-kube-controllers.yaml
# See https://github.com/projectcalico/kube-controllers
apiVersion: apps/v1
kind: Deployment
metadata:
name: calico-kube-controllers
namespace: kube-system
labels:
k8s-app: calico-kube-controllers
spec:
# The controllers can only have a single active instance.
replicas: 1
selector:
matchLabels:
k8s-app: calico-kube-controllers
strategy:
type: Recreate
template:
metadata:
name: calico-kube-controllers
namespace: kube-system
labels:
k8s-app: calico-kube-controllers
spec:
nodeSelector:
kubernetes.io/os: linux
tolerations:
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/master
effect: NoSchedule
serviceAccountName: calico-kube-controllers
priorityClassName: system-cluster-critical
# The controllers must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node.kubernetes.io/not-ready
operator: Exists
effect: NoSchedule
containers:
- name: calico-kube-controllers
image: docker.io/calico/kube-controllers:v3.17.0
env:
# The location of the etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
# Location of the CA certificate for etcd.
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_ca
# Location of the client key for etcd.
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_key
# Location of the client certificate for etcd.
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_cert
# Choose which controllers to run.
- name: ENABLED_CONTROLLERS
value: policy,namespace,serviceaccount,workloadendpoint,node
volumeMounts:
# Mount in the etcd TLS secrets.
- mountPath: /calico-secrets
name: etcd-certs
livenessProbe:
exec:
command:
- /usr/bin/check-status
- -r
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
timeoutSeconds: 10
readinessProbe:
exec:
command:
- /usr/bin/check-status
- -r
periodSeconds: 10
volumes:
# Mount in the etcd TLS secrets with mode 400.
# See https://kubernetes.io/docs/concepts/configuration/secret/
- name: etcd-certs
secret:
secretName: calico-etcd-secrets
defaultMode: 0440
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-kube-controllers
namespace: kube-system
---
# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: calico-kube-controllers
namespace: kube-system
labels:
k8s-app: calico-kube-controllers
spec:
maxUnavailable: 1
selector:
matchLabels:
k8s-app: calico-kube-controllers
---
# Source: calico/templates/calico-typha.yaml
---
# Source: calico/templates/configure-canal.yaml
---
# Source: calico/templates/kdd-crds.yaml
CRD资源:
[root@master calico-3.17.1]# cat crds.yaml
---
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: felixconfigurations.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: FelixConfiguration
plural: felixconfigurations
singular: felixconfiguration
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ipamblocks.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: IPAMBlock
plural: ipamblocks
singular: ipamblock
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: blockaffinities.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: BlockAffinity
plural: blockaffinities
singular: blockaffinity
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ipamhandles.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: IPAMHandle
plural: ipamhandles
singular: ipamhandle
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ipamconfigs.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: IPAMConfig
plural: ipamconfigs
singular: ipamconfig
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: bgppeers.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: BGPPeer
plural: bgppeers
singular: bgppeer
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: bgpconfigurations.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: BGPConfiguration
plural: bgpconfigurations
singular: bgpconfiguration
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ippools.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: IPPool
plural: ippools
singular: ippool
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: hostendpoints.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: HostEndpoint
plural: hostendpoints
singular: hostendpoint
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterinformations.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: ClusterInformation
plural: clusterinformations
singular: clusterinformation
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: globalnetworkpolicies.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: GlobalNetworkPolicy
plural: globalnetworkpolicies
singular: globalnetworkpolicy
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: globalnetworksets.crd.projectcalico.org
spec:
scope: Cluster
group: crd.projectcalico.org
version: v1
names:
kind: GlobalNetworkSet
plural: globalnetworksets
singular: globalnetworkset
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: networkpolicies.crd.projectcalico.org
spec:
scope: Namespaced
group: crd.projectcalico.org
version: v1
names:
kind: NetworkPolicy
plural: networkpolicies
singular: networkpolicy
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: networksets.crd.projectcalico.org
spec:
scope: Namespaced
group: crd.projectcalico.org
version: v1
names:
kind: NetworkSet
plural: networksets
singular: networkset```