calico.yaml

1. ---
2. # Source: calico/templates/calico-config.yaml
3. # This ConfigMap is used to configure a self-hosted Calico installation.
4. kind: ConfigMap
5. apiVersion: v1
6. metadata:
7.   name: calico-config
8.   namespace: kube-system
9. data:
10.  # Typha is disabled.
11.   typha_service_name: "none"
12.   # Configure the Calico backend to use.
13.   calico_backend: "bird"
14.  
15.   # Configure the MTU to use
16.   veth_mtu: "1440"
17.  
18.   # The CNI network configuration to install on each node.  The special
19.   # values in this config will be automatically populated.
20.   cni_network_config: |-
21.     {
22.       "name": "k8s-pod-network",
23.       "cniVersion": "0.3.0",
24.       "plugins": [
25.         {
26.           "type": "calico",
27.           "log_level": "info",
28.           "datastore_type": "kubernetes",
29.           "nodename": "__KUBERNETES_NODE_NAME__",
30.           "mtu": __CNI_MTU__,
31.           "ipam": {
32.               "type": "calico-ipam"
33.           },
34.           "policy": {
35.               "type": "k8s"
36.           },
37.           "kubernetes": {
38.               "kubeconfig": "__KUBECONFIG_FILEPATH__"
39.           }
40.         },
41.         {
42.           "type": "portmap",
43.           "snat": true,
44.           "capabilities": {"portMappings": true}
45.         }
46.       ]
47.     }
48.  
49. ---
50. # Source: calico/templates/kdd-crds.yaml
51. # Create all the CustomResourceDefinitions needed for
52. # Calico policy and networking mode.
53.  
54. apiVersion: apiextensions.k8s.io/v1beta1
55. kind: CustomResourceDefinition
56. metadata:
57.    name: felixconfigurations.crd.projectcalico.org
58. spec:
59.   scope: Cluster
60.   group: crd.projectcalico.org
61.   version: v1
62.   names:
63.     kind: FelixConfiguration
64.     plural: felixconfigurations
65.     singular: felixconfiguration
66. ---
67.  
68. apiVersion: apiextensions.k8s.io/v1beta1
69. kind: CustomResourceDefinition
70. metadata:
71.   name: ipamblocks.crd.projectcalico.org
72. spec:
73.   scope: Cluster
74.   group: crd.projectcalico.org
75.   version: v1
76.   names:
77.     kind: IPAMBlock
78.     plural: ipamblocks
79.     singular: ipamblock
80.  
81. ---
82.  
83. apiVersion: apiextensions.k8s.io/v1beta1
84. kind: CustomResourceDefinition
85. metadata:
86.   name: blockaffinities.crd.projectcalico.org
87. spec:
88.   scope: Cluster
89.   group: crd.projectcalico.org
90.   version: v1
91.   names:
92.     kind: BlockAffinity
93.     plural: blockaffinities
94.     singular: blockaffinity
95.  
96. ---
97.  
98. apiVersion: apiextensions.k8s.io/v1beta1
99. kind: CustomResourceDefinition
100. metadata:
101.   name: ipamhandles.crd.projectcalico.org
102. spec:
103.   scope: Cluster
104.   group: crd.projectcalico.org
105.   version: v1
106.   names:
107.     kind: IPAMHandle
108.     plural: ipamhandles
109.     singular: ipamhandle
110.  
111. ---
112.  
113. apiVersion: apiextensions.k8s.io/v1beta1
114. kind: CustomResourceDefinition
115. metadata:
116.   name: ipamconfigs.crd.projectcalico.org
117. spec:
118.   scope: Cluster
119.   group: crd.projectcalico.org
120.   version: v1
121.   names:
122.     kind: IPAMConfig
123.     plural: ipamconfigs
124.     singular: ipamconfig
125.  
126. ---
127.  
128. apiVersion: apiextensions.k8s.io/v1beta1
129. kind: CustomResourceDefinition
130. metadata:
131.   name: bgppeers.crd.projectcalico.org
132. spec:
133.   scope: Cluster
134.   group: crd.projectcalico.org
135.   version: v1
136.   names:
137.     kind: BGPPeer
138.     plural: bgppeers
139.     singular: bgppeer
140.  
141. ---
142.  
143. apiVersion: apiextensions.k8s.io/v1beta1
144. kind: CustomResourceDefinition
145. metadata:
146.   name: bgpconfigurations.crd.projectcalico.org
147. spec:
148.   scope: Cluster
149.   group: crd.projectcalico.org
150.   version: v1
151.   names:
152.     kind: BGPConfiguration
153.     plural: bgpconfigurations
154.     singular: bgpconfiguration
155.  
156. ---
157.  
158. apiVersion: apiextensions.k8s.io/v1beta1
159. kind: CustomResourceDefinition
160. metadata:
161.   name: ippools.crd.projectcalico.org
162. spec:
163.   scope: Cluster
164.   group: crd.projectcalico.org
165.   version: v1
166.   names:
167.     kind: IPPool
168.     plural: ippools
169.     singular: ippool
170.  
171. ---
172.  
173. apiVersion: apiextensions.k8s.io/v1beta1
174. kind: CustomResourceDefinition
175. metadata:
176.   name: hostendpoints.crd.projectcalico.org
177. spec:
178.   scope: Cluster
179.   group: crd.projectcalico.org
180.   version: v1
181.   names:
182.     kind: HostEndpoint
183.     plural: hostendpoints
184.     singular: hostendpoint
185.  
186. ---
187.  
188. apiVersion: apiextensions.k8s.io/v1beta1
189. kind: CustomResourceDefinition
190. metadata:
191.   name: clusterinformations.crd.projectcalico.org
192. spec:
193.   scope: Cluster
194.   group: crd.projectcalico.org
195.   version: v1
196.   names:
197.     kind: ClusterInformation
198.     plural: clusterinformations
199.     singular: clusterinformation
200.  
201. ---
202.  
203. apiVersion: apiextensions.k8s.io/v1beta1
204. kind: CustomResourceDefinition
205. metadata:
206.   name: globalnetworkpolicies.crd.projectcalico.org
207. spec:
208.   scope: Cluster
209.   group: crd.projectcalico.org
210.   version: v1
211.   names:
212.     kind: GlobalNetworkPolicy
213.     plural: globalnetworkpolicies
214.     singular: globalnetworkpolicy
215.  
216. ---
217.  
218. apiVersion: apiextensions.k8s.io/v1beta1
219. kind: CustomResourceDefinition
220. metadata:
221.   name: globalnetworksets.crd.projectcalico.org
222. spec:
223.   scope: Cluster
224.   group: crd.projectcalico.org
225.   version: v1
226.   names:
227.     kind: GlobalNetworkSet
228.     plural: globalnetworksets
229.     singular: globalnetworkset
230.  
231. ---
232.  
233. apiVersion: apiextensions.k8s.io/v1beta1
234. kind: CustomResourceDefinition
235. metadata:
236.   name: networkpolicies.crd.projectcalico.org
237. spec:
238.   scope: Namespaced
239.   group: crd.projectcalico.org
240.   version: v1
241.   names:
242.     kind: NetworkPolicy
243.     plural: networkpolicies
244.     singular: networkpolicy
245. ---
246. # Source: calico/templates/rbac.yaml
247.  
248. # Include a clusterrole for the kube-controllers component,
249. # and bind it to the calico-kube-controllers serviceaccount.
250. kind: ClusterRole
251. apiVersion: rbac.authorization.k8s.io/v1beta1
252. metadata:
253.   name: calico-kube-controllers
254. rules:
255.  # Nodes are watched to monitor for deletions.
256.   - apiGroups: [""]
257.     resources:
258.      - nodes
259.     verbs:
260.      - watch
261.       - list
262.       - get
263.   # Pods are queried to check for existence.
264.   - apiGroups: [""]
265.     resources:
266.      - pods
267.     verbs:
268.      - get
269.   # IPAM resources are manipulated when nodes are deleted.
270.   - apiGroups: ["crd.projectcalico.org"]
271.     resources:
272.      - ippools
273.     verbs:
274.      - list
275.   - apiGroups: ["crd.projectcalico.org"]
276.     resources:
277.      - blockaffinities
278.       - ipamblocks
279.       - ipamhandles
280.     verbs:
281.      - get
282.       - list
283.       - create
284.       - update
285.       - delete
286.   # Needs access to update clusterinformations.
287.   - apiGroups: ["crd.projectcalico.org"]
288.     resources:
289.      - clusterinformations
290.     verbs:
291.      - get
292.       - create
293.       - update
294. ---
295. kind: ClusterRoleBinding
296. apiVersion: rbac.authorization.k8s.io/v1beta1
297. metadata:
298.   name: calico-kube-controllers
299. roleRef:
300.   apiGroup: rbac.authorization.k8s.io
301.   kind: ClusterRole
302.   name: calico-kube-controllers
303. subjects:
304. - kind: ServiceAccount
305.   name: calico-kube-controllers
306.   namespace: kube-system
307. ---
308. # Include a clusterrole for the calico-node DaemonSet,
309. # and bind it to the calico-node serviceaccount.
310. kind: ClusterRole
311. apiVersion: rbac.authorization.k8s.io/v1beta1
312. metadata:
313.   name: calico-node
314. rules:
315.  # The CNI plugin needs to get pods, nodes, and namespaces.
316.   - apiGroups: [""]
317.     resources:
318.      - pods
319.       - nodes
320.       - namespaces
321.     verbs:
322.      - get
323.   - apiGroups: [""]
324.     resources:
325.      - endpoints
326.       - services
327.     verbs:
328.      # Used to discover service IPs for advertisement.
329.       - watch
330.       - list
331.       # Used to discover Typhas.
332.       - get
333.   - apiGroups: [""]
334.     resources:
335.      - nodes/status
336.     verbs:
337.      # Needed for clearing NodeNetworkUnavailable flag.
338.       - patch
339.       # Calico stores some configuration information in node annotations.
340.       - update
341.   # Watch for changes to Kubernetes NetworkPolicies.
342.   - apiGroups: ["networking.k8s.io"]
343.     resources:
344.      - networkpolicies
345.     verbs:
346.      - watch
347.       - list
348.   # Used by Calico for policy information.
349.   - apiGroups: [""]
350.     resources:
351.      - pods
352.       - namespaces
353.       - serviceaccounts
354.     verbs:
355.      - list
356.       - watch
357.   # The CNI plugin patches pods/status.
358.   - apiGroups: [""]
359.     resources:
360.      - pods/status
361.     verbs:
362.      - patch
363.   # Calico monitors various CRDs for config.
364.   - apiGroups: ["crd.projectcalico.org"]
365.     resources:
366.      - globalfelixconfigs
367.       - felixconfigurations
368.       - bgppeers
369.       - globalbgpconfigs
370.       - bgpconfigurations
371.       - ippools
372.       - ipamblocks
373.       - globalnetworkpolicies
374.       - globalnetworksets
375.       - networkpolicies
376.       - clusterinformations
377.       - hostendpoints
378.     verbs:
379.      - get
380.       - list
381.       - watch
382.   # Calico must create and update some CRDs on startup.
383.   - apiGroups: ["crd.projectcalico.org"]
384.     resources:
385.      - ippools
386.       - felixconfigurations
387.       - clusterinformations
388.     verbs:
389.      - create
390.       - update
391.   # Calico stores some configuration information on the node.
392.   - apiGroups: [""]
393.     resources:
394.      - nodes
395.     verbs:
396.      - get
397.       - list
398.       - watch
399.   # These permissions are only requried for upgrade from v2.6, and can
400.   # be removed after upgrade or on fresh installations.
401.   - apiGroups: ["crd.projectcalico.org"]
402.     resources:
403.      - bgpconfigurations
404.       - bgppeers
405.     verbs:
406.      - create
407.       - update
408.   # These permissions are required for Calico CNI to perform IPAM allocations.
409.   - apiGroups: ["crd.projectcalico.org"]
410.     resources:
411.      - blockaffinities
412.       - ipamblocks
413.       - ipamhandles
414.     verbs:
415.      - get
416.       - list
417.       - create
418.       - update
419.       - delete
420.   - apiGroups: ["crd.projectcalico.org"]
421.     resources:
422.      - ipamconfigs
423.     verbs:
424.      - get
425.   # Block affinities must also be watchable by confd for route aggregation.
426.   - apiGroups: ["crd.projectcalico.org"]
427.     resources:
428.      - blockaffinities
429.     verbs:
430.      - watch
431.   # The Calico IPAM migration needs to get daemonsets. These permissions can be
432.   # removed if not upgrading from an installation using host-local IPAM.
433.   - apiGroups: ["apps"]
434.     resources:
435.      - daemonsets
436.     verbs:
437.      - get
438. ---
439. apiVersion: rbac.authorization.k8s.io/v1beta1
440. kind: ClusterRoleBinding
441. metadata:
442.   name: calico-node
443. roleRef:
444.   apiGroup: rbac.authorization.k8s.io
445.   kind: ClusterRole
446.   name: calico-node
447. subjects:
448. - kind: ServiceAccount
449.   name: calico-node
450.   namespace: kube-system
451. ---
452.  
453. ---
454. # Source: calico/templates/calico-node.yaml
455. # This manifest installs the node container, as well
456. # as the Calico CNI plugins and network config on
457. # each master and worker node in a Kubernetes cluster.
458. kind: DaemonSet
459. apiVersion: extensions/v1beta1
460. metadata:
461.   name: calico-node
462.   namespace: kube-system
463.   labels:
464.     k8s-app: calico-node
465. spec:
466.   selector:
467.     matchLabels:
468.       k8s-app: calico-node
469.   updateStrategy:
470.     type: RollingUpdate
471.     rollingUpdate:
472.       maxUnavailable: 1
473.   template:
474.     metadata:
475.       labels:
476.         k8s-app: calico-node
477.       annotations:
478.        # This, along with the CriticalAddonsOnly toleration below,
479.         # marks the pod as a critical add-on, ensuring it gets
480.         # priority scheduling and that its resources are reserved
481.         # if it ever gets evicted.
482.         scheduler.alpha.kubernetes.io/critical-pod: ''
483.     spec:
484.       nodeSelector:
485.         beta.kubernetes.io/os: linux
486.       hostNetwork: true
487.       tolerations:
488.        # Make sure calico-node gets scheduled on all nodes.
489.         - effect: NoSchedule
490.           operator: Exists
491.         # Mark the pod as a critical add-on for rescheduling.
492.         - key: CriticalAddonsOnly
493.           operator: Exists
494.         - effect: NoExecute
495.           operator: Exists
496.       serviceAccountName: calico-node
497.       # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
498.       # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
499.       terminationGracePeriodSeconds: 0
500.       initContainers:
501.        # This container performs upgrade from host-local IPAM to calico-ipam.
502.         # It can be deleted if this is a fresh installation, or if you have already
503.         # upgraded to use calico-ipam.
504.         - name: upgrade-ipam
505.           image: calico/cni:v3.6.1
506.           command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
507.           env:
508.             - name: KUBERNETES_NODE_NAME
509.               valueFrom:
510.                 fieldRef:
511.                   fieldPath: spec.nodeName
512.             - name: CALICO_NETWORKING_BACKEND
513.               valueFrom:
514.                 configMapKeyRef:
515.                   name: calico-config
516.                   key: calico_backend
517.           volumeMounts:
518.             - mountPath: /var/lib/cni/networks
519.               name: host-local-net-dir
520.             - mountPath: /host/opt/cni/bin
521.               name: cni-bin-dir
522.         # This container installs the Calico CNI binaries
523.         # and CNI network config file on each node.
524.         - name: install-cni
525.           image: calico/cni:v3.6.1
526.           command: ["/install-cni.sh"]
527.           env:
528.            # Name of the CNI config file to create.
529.             - name: CNI_CONF_NAME
530.               value: "10-calico.conflist"
531.             # The CNI network config to install on each node.
532.             - name: CNI_NETWORK_CONFIG
533.               valueFrom:
534.                 configMapKeyRef:
535.                   name: calico-config
536.                   key: cni_network_config
537.             # Set the hostname based on the k8s node name.
538.             - name: KUBERNETES_NODE_NAME
539.               valueFrom:
540.                 fieldRef:
541.                   fieldPath: spec.nodeName
542.             # CNI MTU Config variable
543.             - name: CNI_MTU
544.               valueFrom:
545.                 configMapKeyRef:
546.                   name: calico-config
547.                   key: veth_mtu
548.             # Prevents the container from sleeping forever.
549.             - name: SLEEP
550.               value: "false"
551.           volumeMounts:
552.             - mountPath: /host/opt/cni/bin
553.               name: cni-bin-dir
554.             - mountPath: /host/etc/cni/net.d
555.               name: cni-net-dir
556.       containers:
557.        # Runs node container on each Kubernetes node.  This
558.         # container programs network policy and routes on each
559.         # host.
560.         - name: calico-node
561.           image: calico/node:v3.6.1
562.           env:
563.            # Use Kubernetes API as the backing datastore.
564.             - name: DATASTORE_TYPE
565.               value: "kubernetes"
566.             # Wait for the datastore.
567.             - name: WAIT_FOR_DATASTORE
568.               value: "true"
569.             # Set based on the k8s node name.
570.             - name: NODENAME
571.               valueFrom:
572.                 fieldRef:
573.                   fieldPath: spec.nodeName
574.             # Choose the backend to use.
575.             - name: CALICO_NETWORKING_BACKEND
576.               valueFrom:
577.                 configMapKeyRef:
578.                   name: calico-config
579.                   key: calico_backend
580.             # Cluster type to identify the deployment type
581.             - name: CLUSTER_TYPE
582.               value: "k8s,bgp"
583.             # Auto-detect the BGP IP address.
584.             - name: IP
585.               value: "autodetect"
586.             # Enable IPIP
587.             - name: CALICO_IPV4POOL_IPIP
588.               value: "Always"
589.             # Set MTU for tunnel device used if ipip is enabled
590.             - name: FELIX_IPINIPMTU
591.               valueFrom:
592.                 configMapKeyRef:
593.                   name: calico-config
594.                   key: veth_mtu
595.             # The default IPv4 pool to create on startup if none exists. Pod IPs will be
596.             # chosen from this range. Changing this value after installation will have
597.             # no effect. This should fall within `--cluster-cidr`.
598.             - name: CALICO_IPV4POOL_CIDR
599.               value: "192.168.0.0/16"
600.             # Disable file logging so `kubectl logs` works.
601.             - name: CALICO_DISABLE_FILE_LOGGING
602.               value: "true"
603.             # Set Felix endpoint to host default action to ACCEPT.
604.             - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
605.               value: "ACCEPT"
606.             # Disable IPv6 on Kubernetes.
607.             - name: FELIX_IPV6SUPPORT
608.               value: "false"
609.             # Set Felix logging to "info"
610.             - name: FELIX_LOGSEVERITYSCREEN
611.               value: "info"
612.             - name: FELIX_HEALTHENABLED
613.               value: "true"
614.           securityContext:
615.             privileged: true
616.           resources:
617.             requests:
618.               cpu: 250m
619.           livenessProbe:
620.             httpGet:
621.               path: /liveness
622.               port: 9099
623.               host: localhost
624.             periodSeconds: 10
625.             initialDelaySeconds: 10
626.             failureThreshold: 6
627.           readinessProbe:
628.             exec:
629.               command:
630.              - /bin/calico-node
631.               - -bird-ready
632.               - -felix-ready
633.             periodSeconds: 10
634.           volumeMounts:
635.             - mountPath: /lib/modules
636.               name: lib-modules
637.               readOnly: true
638.             - mountPath: /run/xtables.lock
639.               name: xtables-lock
640.               readOnly: false
641.             - mountPath: /var/run/calico
642.               name: var-run-calico
643.               readOnly: false
644.             - mountPath: /var/lib/calico
645.               name: var-lib-calico
646.               readOnly: false
647.       volumes:
648.        # Used by node.
649.         - name: lib-modules
650.           hostPath:
651.             path: /lib/modules
652.         - name: var-run-calico
653.           hostPath:
654.             path: /var/run/calico
655.         - name: var-lib-calico
656.           hostPath:
657.             path: /var/lib/calico
658.         - name: xtables-lock
659.           hostPath:
660.             path: /run/xtables.lock
661.             type: FileOrCreate
662.         # Used to install CNI.
663.         - name: cni-bin-dir
664.           hostPath:
665.             path: /opt/cni/bin
666.         - name: cni-net-dir
667.           hostPath:
668.             path: /etc/cni/net.d
669.         # Mount in the directory for host-local IPAM allocations. This is
670.         # used when upgrading from host-local to calico-ipam, and can be removed
671.         # if not using the upgrade-ipam init container.
672.         - name: host-local-net-dir
673.           hostPath:
674.             path: /var/lib/cni/networks
675. ---
676.  
677. apiVersion: v1
678. kind: ServiceAccount
679. metadata:
680.   name: calico-node
681.   namespace: kube-system
682.  
683. ---
684. # Source: calico/templates/calico-kube-controllers.yaml
685. # This manifest deploys the Calico node controller.
686. # See https://github.com/projectcalico/kube-controllers
687. apiVersion: extensions/v1beta1
688. kind: Deployment
689. metadata:
690.   name: calico-kube-controllers
691.   namespace: kube-system
692.   labels:
693.     k8s-app: calico-kube-controllers
694.   annotations:
695.     scheduler.alpha.kubernetes.io/critical-pod: ''
696. spec:
697.  # The controller can only have a single active instance.
698.   replicas: 1
699.   strategy:
700.     type: Recreate
701.   template:
702.     metadata:
703.       name: calico-kube-controllers
704.       namespace: kube-system
705.       labels:
706.         k8s-app: calico-kube-controllers
707.     spec:
708.       nodeSelector:
709.         beta.kubernetes.io/os: linux
710.       tolerations:
711.        # Mark the pod as a critical add-on for rescheduling.
712.         - key: CriticalAddonsOnly
713.           operator: Exists
714.         - key: node-role.kubernetes.io/master
715.           effect: NoSchedule
716.       serviceAccountName: calico-kube-controllers
717.       containers:
718.         - name: calico-kube-controllers
719.           image: calico/kube-controllers:v3.6.1
720.           env:
721.            # Choose which controllers to run.
722.             - name: ENABLED_CONTROLLERS
723.               value: node
724.             - name: DATASTORE_TYPE
725.               value: kubernetes
726.           readinessProbe:
727.             exec:
728.               command:
729.              - /usr/bin/check-status
730.               - -r
731.  
732. ---
733.  
734. apiVersion: v1
735. kind: ServiceAccount
736. metadata:
737.   name: calico-kube-controllers
738.   namespace: kube-system
739. ---
740. # Source: calico/templates/calico-etcd-secrets.yaml
741.  
742. ---
743. # Source: calico/templates/calico-typha.yaml
744.  
745. ---
746. # Source: calico/templates/configure-canal.yaml