From 19be49124b15b32a60940e67e84fa263154f1bec Mon Sep 17 00:00:00 2001 From: Matt Dupre Date: Wed, 4 May 2016 10:54:57 -0700 Subject: [PATCH 1/2] Add new policy_provider option to Salt; supporting Calico installation --- cluster/aws/config-default.sh | 3 + cluster/aws/templates/configure-vm-aws.sh | 2 +- cluster/common.sh | 1 + cluster/gce/config-default.sh | 3 + cluster/gce/configure-vm.sh | 3 +- cluster/saltbase/salt/calico/10-calico.conf | 16 +++++ .../salt/calico/calico-policy-agent.manifest | 20 ++++++ cluster/saltbase/salt/calico/master.sls | 43 +++++++++++++ cluster/saltbase/salt/calico/node.sls | 62 +++++++++++++++++++ cluster/saltbase/salt/kubelet/default | 2 + cluster/saltbase/salt/top.sls | 9 +++ cluster/vagrant/config-default.sh | 4 ++ cluster/vagrant/provision-utils.sh | 1 + 13 files changed, 167 insertions(+), 2 deletions(-) create mode 100644 cluster/saltbase/salt/calico/10-calico.conf create mode 100644 cluster/saltbase/salt/calico/calico-policy-agent.manifest create mode 100644 cluster/saltbase/salt/calico/master.sls create mode 100644 cluster/saltbase/salt/calico/node.sls diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh index 827be7cae7..49e237cd21 100644 --- a/cluster/aws/config-default.sh +++ b/cluster/aws/config-default.sh @@ -153,5 +153,8 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}" OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}" OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}" +# Network Policy plugin specific settings +POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico + # Optional: if set to true, kube-up will configure the cluster to run e2e tests. E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false} diff --git a/cluster/aws/templates/configure-vm-aws.sh b/cluster/aws/templates/configure-vm-aws.sh index f24e551ccf..9cd09fd286 100755 --- a/cluster/aws/templates/configure-vm-aws.sh +++ b/cluster/aws/templates/configure-vm-aws.sh 
@@ -91,7 +91,7 @@ EOF if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then cat <>/etc/salt/minion.d/grains.conf kubelet_api_servers: '${KUBELET_APISERVER}' - cbr-cidr: 10.123.45.0/30 + cbr-cidr: 10.123.45.0/29 EOF else # If the kubelet is running disconnected from a master, give it a fixed diff --git a/cluster/common.sh b/cluster/common.sh index 1ca2736afd..7a95ed144b 100755 --- a/cluster/common.sh +++ b/cluster/common.sh @@ -523,6 +523,7 @@ HAIRPIN_MODE: $(yaml-quote ${HAIRPIN_MODE:-}) OPENCONTRAIL_TAG: $(yaml-quote ${OPENCONTRAIL_TAG:-}) OPENCONTRAIL_KUBERNETES_TAG: $(yaml-quote ${OPENCONTRAIL_KUBERNETES_TAG:-}) OPENCONTRAIL_PUBLIC_SUBNET: $(yaml-quote ${OPENCONTRAIL_PUBLIC_SUBNET:-}) +POLICY_PROVIDER: $(yaml-quote ${POLICY_PROVIDER:-}) E2E_STORAGE_TEST_ENVIRONMENT: $(yaml-quote ${E2E_STORAGE_TEST_ENVIRONMENT:-}) KUBE_IMAGE_TAG: $(yaml-quote ${KUBE_IMAGE_TAG:-}) KUBE_DOCKER_REGISTRY: $(yaml-quote ${KUBE_DOCKER_REGISTRY:-}) diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh index 2abf41882f..24599a47a0 100755 --- a/cluster/gce/config-default.sh +++ b/cluster/gce/config-default.sh @@ -131,6 +131,9 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}" OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}" OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}" +# Network Policy plugin specific settings. +POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico + # How should the kubelet configure hairpin mode? HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none # Optional: if set to true, kube-up will configure the cluster to run e2e tests. diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh index 93bb7a1698..9d7de63d54 100755 --- a/cluster/gce/configure-vm.sh +++ b/cluster/gce/configure-vm.sh 
@@ -445,6 +445,7 @@ hairpin_mode: '$(echo "$HAIRPIN_MODE" | sed -e "s/'/''/g")' opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")' opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG")' opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET")' +policy_provider: '$(echo "$POLICY_PROVIDER" | sed -e "s/'/''/g")' enable_manifest_url: '$(echo "${ENABLE_MANIFEST_URL:-}" | sed -e "s/'/''/g")' manifest_url: '$(echo "${MANIFEST_URL:-}" | sed -e "s/'/''/g")' manifest_url_header: '$(echo "${MANIFEST_URL_HEADER:-}" | sed -e "s/'/''/g")' @@ -859,7 +860,7 @@ EOF if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then cat <>/etc/salt/minion.d/grains.conf kubelet_api_servers: '${KUBELET_APISERVER}' - cbr-cidr: 10.123.45.0/30 + cbr-cidr: 10.123.45.0/29 EOF else # If the kubelet is running disconnected from a master, give it a fixed diff --git a/cluster/saltbase/salt/calico/10-calico.conf b/cluster/saltbase/salt/calico/10-calico.conf new file mode 100644 index 0000000000..0c6d3284f3 --- /dev/null +++ b/cluster/saltbase/salt/calico/10-calico.conf @@ -0,0 +1,16 @@ +{ + "name": "calico-k8s-network", + "type": "calico", + "etcd_authority": "{{ grains.api_servers }}:6666", + "log_level": "info", + "ipam": { + "type": "host-local", + "subnet": "CBR0_CIDR" + }, + "policy": { + "type": "k8s", + "k8s_api_root": "https://{{ grains.api_servers }}:443/api/v1", + "k8s_client_certificate": "/path/to/client/cert", + "k8s_client_key": "/path/to/client/key" + } +} diff --git a/cluster/saltbase/salt/calico/calico-policy-agent.manifest b/cluster/saltbase/salt/calico/calico-policy-agent.manifest new file mode 100644 index 0000000000..19ed8cd00c --- /dev/null +++ b/cluster/saltbase/salt/calico/calico-policy-agent.manifest 
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: calico-policy-agent
+ namespace: calico-system
+ labels:
+ version: latest
+ projectcalico.org/app: "policy-agent"
+spec:
+ hostNetwork: true
+ containers:
+ - name: policycontroller
+ image: caseydavenport/calico-policy-controller:latest
+ env:
+ - name: ETCD_AUTHORITY
+ value: "127.0.0.1:6666"
+ - name: K8S_API
+ value: "http://127.0.0.1:8080"
+ - name: LOG_LEVEL
+ value: "info"
diff --git a/cluster/saltbase/salt/calico/master.sls b/cluster/saltbase/salt/calico/master.sls
new file mode 100644
index 0000000000..e4d093f0ee
--- /dev/null
+++ b/cluster/saltbase/salt/calico/master.sls
@@ -0,0 +1,43 @@
+{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+
+calicoctl:
+ file.managed:
+ - name: /usr/bin/calicoctl
+ - source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl
+ - source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96
+ - makedirs: True
+ - mode: 744
+
+calico-etcd:
+ cmd.run:
+ - unless: docker ps | grep calico-etcd
+ - name: >
+ docker run --name calico-etcd -d --restart=always -p 6666:6666
+ -v /varetcd:/var/etcd
+ gcr.io/google_containers/etcd:2.2.1
+ /usr/local/bin/etcd --name calico
+ --data-dir /var/etcd/calico-data
+ --advertise-client-urls http://{{ grains.id }}:6666
+ --listen-client-urls http://0.0.0.0:6666
+ --listen-peer-urls http://0.0.0.0:6667
+ --initial-advertise-peer-urls http://{{ grains.id }}:6667
+ --initial-cluster calico=http://{{ grains.id }}:6667
+
+calico-policy-agent:
+ file.managed:
+ - name: /etc/kubernetes/manifests/calico-policy-agent.manifest
+ - source: salt://calico/calico-policy-agent.manifest
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+ - makedirs: true
+ - dir_mode: 755
+ - context:
+ cpurequest: '20m'
+ - require:
+ - service: docker
+ - service: kubelet
+ - cmd: calico-etcd
+
+{% endif -%}
diff --git a/cluster/saltbase/salt/calico/node.sls b/cluster/saltbase/salt/calico/node.sls
new file mode 100644
index 0000000000..5995c47345
--- /dev/null
+++ b/cluster/saltbase/salt/calico/node.sls
@@ -0,0 +1,62 @@
+{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+
+calicoctl:
+ file.managed:
+ - name: /usr/bin/calicoctl
+ - source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl
+ - source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96
+ - makedirs: True
+ - mode: 744
+
+calico-node:
+ cmd.run:
+ - name: calicoctl node
+ - unless: docker ps | grep calico-node
+ - env:
+ - ETCD_AUTHORITY: "{{ grains.api_servers }}:6666"
+ - CALICO_NETWORKING: "false"
+ - require:
+ - kmod: ip6_tables
+ - kmod: xt_set
+ - service: docker
+ - file: calicoctl
+
+calico-cni:
+ file.managed:
+ - name: /opt/cni/bin/calico
+ - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.0/calico
+ - source_hash: sha256=2f65616cfca7d7b8967a62f179508d30278bcc72cef9d122ce4a5f6689fc6577
+ - makedirs: True
+ - mode: 744
+
+calico-cni-config:
+ file.managed:
+ - name: /etc/cni/net.d/10-calico.conf
+ - source: salt://calico/10-calico.conf
+ - makedirs: True
+ - mode: 644
+ - template: jinja
+
+calico-update-cbr0:
+ cmd.run:
+ - name: sed -i "s#CBR0_CIDR#$(ip addr list cbr0 | grep -o 'inet [^ ]*' | awk '{print $2}')#" /etc/cni/net.d/10-calico.conf
+ - require:
+ - file: calico-cni
+ - file: calico-cni-config
+ - cmd: calico-node
+ - service: kubelet
+ - service: docker
+
+calico-restart-kubelet:
+ cmd.run:
+ - name: service kubelet restart
+ - require:
+ - cmd: calico-update-cbr0
+
+ip6_tables:
+ kmod.present
+
+xt_set:
+ kmod.present
+
+{% endif -%}
diff --git a/cluster/saltbase/salt/kubelet/default b/cluster/saltbase/salt/kubelet/default
index 255faeb59d..549531e7a4 100644
--- a/cluster/saltbase/salt/kubelet/default
+++ b/cluster/saltbase/salt/kubelet/default
@@ -151,6 +151,8 @@ {% set network_plugin = "--network-plugin=opencontrail" %} {% elif pillar.get('network_provider', '').lower() == 'cni' %} {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %} +{%elif pillar.get('policy_provider', '').lower() == 'calico' and grains['roles'][0] != 'kubernetes-master' -%} + {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %} {% elif pillar.get('network_provider', '').lower() == 'kubenet' %} {% set network_plugin = "--network-plugin=kubenet" -%} {% if reconcile_cidr_args == '' -%} diff --git a/cluster/saltbase/salt/top.sls b/cluster/saltbase/salt/top.sls index 000bbd9a9e..02b9eb9c3a 100644 --- a/cluster/saltbase/salt/top.sls +++ b/cluster/saltbase/salt/top.sls @@ -15,6 +15,9 @@ base: - docker {% if pillar.get('network_provider', '').lower() == 'flannel' %} - flannel +{% endif %} +{% if pillar.get('policy_provider', '').lower() == 'calico' %} + - cni {% elif pillar.get('network_provider', '').lower() == 'kubenet' %} - cni {% elif pillar.get('network_provider', '').lower() == 'cni' %} @@ -44,6 +47,9 @@ base: {% endif %} - logrotate - supervisor +{% if pillar.get('policy_provider', '').lower() == 'calico' %} + - calico.node +{% endif %} 'roles:kubernetes-master': - match: grain @@ -88,3 +94,6 @@ base: {% if pillar.get('enable_node_autoscaler', '').lower() == 'true' %} - cluster-autoscaler {% endif %} +{% if pillar.get('policy_provider', '').lower() == 'calico' %} + - calico.master +{% endif %} diff --git a/cluster/vagrant/config-default.sh b/cluster/vagrant/config-default.sh index 954b6ad17f..ad0be54207 100755 --- a/cluster/vagrant/config-default.sh +++ b/cluster/vagrant/config-default.sh 
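Review bot: The new `elif` on `policy_provider == 'calico'` sits ahead of the `network_provider == 'kubenet'` branch, so a node configured with both silently drops `--network-plugin=kubenet` and the `reconcile_cidr_args` handling that follows it, and nothing in the template says that precedence is intended. If it is, a Jinja comment on the new branch should say so: `{# calico network policy needs the CNI plugin on nodes, so this branch overrides network_provider=kubenet #}`; if it is not, the branch should move below the kubenet one. The `grains['roles'][0]` index also assumes the role list is non-empty with the primary role first; I cannot confirm from this hunk that every provider populates it that way. The surrounding `if`/`elif` chain starts before and ends after this hunk.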
@@ -109,6 +109,10 @@ fi OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}" OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}" OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}" + +# Network Policy plugin specific settings +POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico + # Optional: if set to true, kube-up will configure the cluster to run e2e tests. E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false} diff --git a/cluster/vagrant/provision-utils.sh b/cluster/vagrant/provision-utils.sh index 846d9c505c..70dbbe599a 100755 --- a/cluster/vagrant/provision-utils.sh +++ b/cluster/vagrant/provision-utils.sh @@ -67,6 +67,7 @@ cluster_cidr: '$(echo "$CLUSTER_IP_RANGE" | sed -e "s/'/''/g")' opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")' opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG" | sed -e "s/'/''/g")' opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET" | sed -e "s/'/''/g")' +policy_provider: '$(echo "$POLICY_PROVIDER" | sed -e "s/'/''/g")' e2e_storage_test_environment: '$(echo "$E2E_STORAGE_TEST_ENVIRONMENT" | sed -e "s/'/''/g")' EOF From 35289c764954011e69d289a20ccb26fd3b0f1062 Mon Sep 17 00:00:00 2001 
From: Casey Davenport Date: Sat, 21 May 2016 09:14:38 -0700 Subject: [PATCH 2/2] Update salt to use latest Calico --- cluster/aws/config-default.sh | 3 -- cluster/aws/templates/configure-vm-aws.sh | 2 +- cluster/common.sh | 17 +++++++-- cluster/gce/config-default.sh | 2 +- cluster/gce/config-test.sh | 3 ++ cluster/gce/configure-vm.sh | 5 +-- cluster/saltbase/salt/calico/10-calico.conf | 12 +++---- .../salt/calico/calico-policy-agent.manifest | 20 ----------- .../calico/calico-policy-controller.manifest | 36 +++++++++++++++++++ cluster/saltbase/salt/calico/master.sls | 32 +++-------------- cluster/saltbase/salt/calico/node.sls | 22 ++---------- cluster/saltbase/salt/kubelet/default | 2 +- cluster/saltbase/salt/top.sls | 6 ++-- cluster/vagrant/config-default.sh | 3 -- cluster/vagrant/provision-utils.sh | 1 - 15 files changed, 75 insertions(+), 91 deletions(-) delete mode 100644 cluster/saltbase/salt/calico/calico-policy-agent.manifest create mode 100644 cluster/saltbase/salt/calico/calico-policy-controller.manifest diff --git a/cluster/aws/config-default.sh b/cluster/aws/config-default.sh index 49e237cd21..827be7cae7 100644 --- a/cluster/aws/config-default.sh +++ b/cluster/aws/config-default.sh @@ -153,8 +153,5 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}" OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}" OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}" -# Network Policy plugin specific settings -POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico - # Optional: if set to true, kube-up will configure the cluster to run e2e tests. E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false} diff --git a/cluster/aws/templates/configure-vm-aws.sh b/cluster/aws/templates/configure-vm-aws.sh index 9cd09fd286..f24e551ccf 100755 --- a/cluster/aws/templates/configure-vm-aws.sh +++ b/cluster/aws/templates/configure-vm-aws.sh 
@@ -91,7 +91,7 @@ EOF if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then cat <>/etc/salt/minion.d/grains.conf kubelet_api_servers: '${KUBELET_APISERVER}' - cbr-cidr: 10.123.45.0/29 + cbr-cidr: 10.123.45.0/30 EOF else # If the kubelet is running disconnected from a master, give it a fixed diff --git a/cluster/common.sh b/cluster/common.sh index 7a95ed144b..ffedc8c64a 100755 --- a/cluster/common.sh +++ b/cluster/common.sh @@ -446,8 +446,19 @@ function yaml-quote { # Builds the RUNTIME_CONFIG var from other feature enable options (such as # features in alpha) function build-runtime-config() { - # There is nothing to do here for now. Just using this function as a placeholder. - : + # If a policy provider is specified, enable NetworkPolicy API. + if [[ -n "${NETWORK_POLICY_PROVIDER}" ]]; then + appends="extensions/v1beta1=true,extensions/v1beta1/networkpolicies=true" + fi + + # Generate the RUNTIME_CONFIG. + if [[ -n ${appends} ]]; then + if [[ -n ${RUNTIME_CONFIG} ]]; then + RUNTIME_CONFIG="${RUNTIME_CONFIG},${appends}" + else + RUNTIME_CONFIG="${appends}" + fi + fi } # Writes the cluster name into a temporary file. @@ -523,7 +534,7 @@ HAIRPIN_MODE: $(yaml-quote ${HAIRPIN_MODE:-}) OPENCONTRAIL_TAG: $(yaml-quote ${OPENCONTRAIL_TAG:-}) OPENCONTRAIL_KUBERNETES_TAG: $(yaml-quote ${OPENCONTRAIL_KUBERNETES_TAG:-}) OPENCONTRAIL_PUBLIC_SUBNET: $(yaml-quote ${OPENCONTRAIL_PUBLIC_SUBNET:-}) -POLICY_PROVIDER: $(yaml-quote ${POLICY_PROVIDER:-}) +NETWORK_POLICY_PROVIDER: $(yaml-quote ${NETWORK_POLICY_PROVIDER:-}) E2E_STORAGE_TEST_ENVIRONMENT: $(yaml-quote ${E2E_STORAGE_TEST_ENVIRONMENT:-}) KUBE_IMAGE_TAG: $(yaml-quote ${KUBE_IMAGE_TAG:-}) KUBE_DOCKER_REGISTRY: $(yaml-quote ${KUBE_DOCKER_REGISTRY:-}) diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh index 24599a47a0..5d34c662db 100755 --- a/cluster/gce/config-default.sh +++ b/cluster/gce/config-default.sh 
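Review bot: `[[ -n "${NETWORK_POLICY_PROVIDER}" ]]` in build-runtime-config is true for the documented default `none` (gce/config-default.sh sets `NETWORK_POLICY_PROVIDER:-none`), so the networkpolicies API group is switched on for every cluster, not only when a provider was chosen. On AWS and Vagrant this series removes the variable altogether, so the unguarded reference will abort any caller running with `set -o nounset` (whether kube-up does is not visible here), and `appends` is read by `[[ -n ${appends} ]]` without ever being assigned on the no-provider path. Suggest `local appends=""` as the function's first line, the test rewritten as `if [[ "${NETWORK_POLICY_PROVIDER:-none}" != "none" ]]; then`, and the later tests quoted as `[[ -n "${appends}" ]]` / `[[ -n "${RUNTIME_CONFIG:-}" ]]`. A comment above the function noting that it is the only place the NetworkPolicy alpha API is enabled would also help the next reader.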
@@ -132,7 +132,7 @@ OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}" OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}" # Network Policy plugin specific settings. -POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico +NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico # How should the kubelet configure hairpin mode? HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh index 8153915ad6..9ca74a17e0 100755 --- a/cluster/gce/config-test.sh +++ b/cluster/gce/config-test.sh @@ -158,6 +158,9 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}" OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}" OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}" +# Network Policy plugin specific settings. +NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico + # How should the kubelet configure hairpin mode? HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh index 9d7de63d54..b84d8bae4e 100755 --- a/cluster/gce/configure-vm.sh +++ b/cluster/gce/configure-vm.sh @@ -445,7 +445,7 @@ hairpin_mode: '$(echo "$HAIRPIN_MODE" | sed -e "s/'/''/g")' opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")' opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG")' opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET")' -policy_provider: '$(echo "$POLICY_PROVIDER" | sed -e "s/'/''/g")' +network_policy_provider: '$(echo "$NETWORK_POLICY_PROVIDER" | sed -e "s/'/''/g")' enable_manifest_url: '$(echo "${ENABLE_MANIFEST_URL:-}" | sed -e "s/'/''/g")' manifest_url: '$(echo "${MANIFEST_URL:-}" | sed -e "s/'/''/g")' manifest_url_header: '$(echo "${MANIFEST_URL_HEADER:-}" | sed -e "s/'/''/g")' 
@@ -645,6 +645,7 @@ users: clusters: - name: local cluster: + server: https://kubernetes-master certificate-authority-data: ${KUBELET_CA_CERT} contexts: - context: @@ -860,7 +861,7 @@ EOF if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then cat <>/etc/salt/minion.d/grains.conf kubelet_api_servers: '${KUBELET_APISERVER}' - cbr-cidr: 10.123.45.0/29 + cbr-cidr: 10.123.45.0/30 EOF else # If the kubelet is running disconnected from a master, give it a fixed diff --git a/cluster/saltbase/salt/calico/10-calico.conf b/cluster/saltbase/salt/calico/10-calico.conf index 0c6d3284f3..ae273c1d0e 100644 --- a/cluster/saltbase/salt/calico/10-calico.conf +++ b/cluster/saltbase/salt/calico/10-calico.conf @@ -1,16 +1,16 @@ { - "name": "calico-k8s-network", + "name": "k8s-pod-network", "type": "calico", "etcd_authority": "{{ grains.api_servers }}:6666", "log_level": "info", "ipam": { "type": "host-local", - "subnet": "CBR0_CIDR" + "subnet": "usePodCidr" }, "policy": { - "type": "k8s", - "k8s_api_root": "https://{{ grains.api_servers }}:443/api/v1", - "k8s_client_certificate": "/path/to/client/cert", - "k8s_client_key": "/path/to/client/key" + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "/var/lib/kubelet/kubeconfig" } } diff --git a/cluster/saltbase/salt/calico/calico-policy-agent.manifest b/cluster/saltbase/salt/calico/calico-policy-agent.manifest deleted file mode 100644 index 19ed8cd00c..0000000000 --- a/cluster/saltbase/salt/calico/calico-policy-agent.manifest +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: calico-policy-agent - namespace: calico-system - labels: - version: latest - projectcalico.org/app: "policy-agent" -spec: - hostNetwork: true - containers: - - name: policycontroller - image: caseydavenport/calico-policy-controller:latest - env: - - name: ETCD_AUTHORITY - value: "127.0.0.1:6666" - - name: K8S_API - value: "http://127.0.0.1:8080" - - name: LOG_LEVEL - value: "info" 
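Review bot: The new `kubernetes.kubeconfig` entry points the Calico CNI plugin at `/var/lib/kubelet/kubeconfig`, so the plugin's pod and policy reads run under the kubelet's own client certificate rather than a credential scoped to what the plugin needs; the `server: https://kubernetes-master` line added to that kubeconfig earlier in this patch looks like it exists for exactly this consumer (inferred — the kubelet's own endpoint configuration is not visible here). That coupling is not written down anywhere and JSON cannot carry a comment, so record it on the `calico-cni-config` state in node.sls: `# 10-calico.conf reuses the kubelet's kubeconfig (and its client cert); it depends on the server: entry written by configure-vm.sh`. `etcd_authority` remains a plain-http, credential-free `{{ grains.api_servers }}:6666` endpoint, which will have to change together with the master-side etcd if that listener is ever secured.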
diff --git a/cluster/saltbase/salt/calico/calico-policy-controller.manifest b/cluster/saltbase/salt/calico/calico-policy-controller.manifest
new file mode 100644
index 0000000000..13413d0a6d
--- /dev/null
+++ b/cluster/saltbase/salt/calico/calico-policy-controller.manifest
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ k8s-app: calico-policy
+spec:
+ hostNetwork: true
+ containers:
+ - name: policy-controller
+ image: calico/kube-policy-controller:v0.2.0
+ env:
+ - name: ETCD_AUTHORITY
+ value: "127.0.0.1:6666"
+ - name: K8S_API
+ value: "http://127.0.0.1:8080"
+ - name: calico-etcd
+ image: gcr.io/google_containers/etcd:2.2.1
+ command:
+ - /usr/local/bin/etcd
+ - --name=calico
+ - --data-dir=/var/etcd/calico-data
+ - --advertise-client-urls=http://{{ grains.id }}:6666
+ - --listen-client-urls=http://0.0.0.0:6666
+ - --listen-peer-urls=http://0.0.0.0:6667
+ - --initial-advertise-peer-urls=http://{{ grains.id }}:6667
+ - --initial-cluster=calico=http://{{ grains.id }}:6667
+ volumeMounts:
+ - name: varetcd
+ mountPath: /var/etcd
+ volumes:
+ - name: varetcd
+ hostPath:
+ path: /var/calico/etcd
diff --git a/cluster/saltbase/salt/calico/master.sls b/cluster/saltbase/salt/calico/master.sls
index e4d093f0ee..79ac253828 100644
--- a/cluster/saltbase/salt/calico/master.sls
+++ b/cluster/saltbase/salt/calico/master.sls
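Review bot: The calico-etcd container binds both its client and peer ports to every interface (`--listen-client-urls=http://0.0.0.0:6666`, `--listen-peer-urls=http://0.0.0.0:6667`) with no TLS and no client authentication, and the pod runs with `hostNetwork: true`, so anything that can reach the master on 6666 can read and rewrite the cluster's network policy; the nodes dial the same port in plaintext via `grains.api_servers:6666` in 10-calico.conf. Nothing in this series adds a firewall rule for those ports, so exposure depends on whatever the cloud provider's default rules happen to be. The peer listener is not needed at all for a single-member cluster and can be `--listen-peer-urls=http://127.0.0.1:6667`; for the client port, a comment above the container, `# TODO: calico etcd is unauthenticated plaintext on 6666; restrict it to cluster-internal sources and move to etcd client certs`, would at least make the exposure explicit to whoever promotes this out of alpha. The policy controller also talks to the apiserver over the unauthenticated `http://127.0.0.1:8080` port rather than a kubeconfig like the node-side plugin does, which is worth a one-line comment on `K8S_API`.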
@@ -1,32 +1,9 @@ -{% if pillar.get('policy_provider', '').lower() == 'calico' %} +{% if pillar.get('network_policy_provider', '').lower() == 'calico' %} -calicoctl: +calico-policy-controller: file.managed: - - name: /usr/bin/calicoctl - - source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl - - source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96 - - makedirs: True - - mode: 744 - -calico-etcd: - cmd.run: - - unless: docker ps | grep calico-etcd - - name: > - docker run --name calico-etcd -d --restart=always -p 6666:6666 - -v /varetcd:/var/etcd - gcr.io/google_containers/etcd:2.2.1 - /usr/local/bin/etcd --name calico - --data-dir /var/etcd/calico-data - --advertise-client-urls http://{{ grains.id }}:6666 - --listen-client-urls http://0.0.0.0:6666 - --listen-peer-urls http://0.0.0.0:6667 - --initial-advertise-peer-urls http://{{ grains.id }}:6667 - --initial-cluster calico=http://{{ grains.id }}:6667 - -calico-policy-agent: - file.managed: - - name: /etc/kubernetes/manifests/calico-policy-agent.manifest - - source: salt://calico/calico-policy-agent.manifest + - name: /etc/kubernetes/manifests/calico-policy-controller.manifest + - source: salt://calico/calico-policy-controller.manifest - template: jinja - user: root - group: root @@ -38,6 +15,5 @@ calico-policy-agent: - require: - service: docker - service: kubelet - - cmd: calico-etcd {% endif -%} diff --git a/cluster/saltbase/salt/calico/node.sls b/cluster/saltbase/salt/calico/node.sls index 5995c47345..b586f487b2 100644 --- a/cluster/saltbase/salt/calico/node.sls +++ b/cluster/saltbase/salt/calico/node.sls @@ -1,4 +1,4 @@ -{% if pillar.get('policy_provider', '').lower() == 'calico' %} +{% if pillar.get('network_policy_provider', '').lower() == 'calico' %} calicoctl: file.managed: 
@@ -24,8 +24,8 @@ calico-node: calico-cni: file.managed: - name: /opt/cni/bin/calico - - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.0/calico - - source_hash: sha256=2f65616cfca7d7b8967a62f179508d30278bcc72cef9d122ce4a5f6689fc6577 + - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.1/calico + - source_hash: sha256=ac05cb9254b5aaa5822cf10325983431bd25489147f2edf9dec7e43d99c43e77 - makedirs: True - mode: 744 @@ -37,22 +37,6 @@ calico-cni-config: - mode: 644 - template: jinja -calico-update-cbr0: - cmd.run: - - name: sed -i "s#CBR0_CIDR#$(ip addr list cbr0 | grep -o 'inet [^ ]*' | awk '{print $2}')#" /etc/cni/net.d/10-calico.conf - - require: - - file: calico-cni - - file: calico-cni-config - - cmd: calico-node - - service: kubelet - - service: docker - -calico-restart-kubelet: - cmd.run: - - name: service kubelet restart - - require: - - cmd: calico-update-cbr0 - ip6_tables: kmod.present diff --git a/cluster/saltbase/salt/kubelet/default b/cluster/saltbase/salt/kubelet/default index 549531e7a4..50afefa3d8 100644 --- a/cluster/saltbase/salt/kubelet/default +++ b/cluster/saltbase/salt/kubelet/default @@ -151,7 +151,7 @@ {% set network_plugin = "--network-plugin=opencontrail" %} {% elif pillar.get('network_provider', '').lower() == 'cni' %} {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %} -{%elif pillar.get('policy_provider', '').lower() == 'calico' and grains['roles'][0] != 'kubernetes-master' -%} +{%elif pillar.get('network_policy_provider', '').lower() == 'calico' and grains['roles'][0] != 'kubernetes-master' -%} {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %} {% elif pillar.get('network_provider', '').lower() == 'kubenet' %} {% set network_plugin = "--network-plugin=kubenet" -%} diff --git a/cluster/saltbase/salt/top.sls b/cluster/saltbase/salt/top.sls index 02b9eb9c3a..83e03fbc9d 100644 --- a/cluster/saltbase/salt/top.sls 
+++ b/cluster/saltbase/salt/top.sls @@ -16,7 +16,7 @@ base: {% if pillar.get('network_provider', '').lower() == 'flannel' %} - flannel {% endif %} -{% if pillar.get('policy_provider', '').lower() == 'calico' %} +{% if pillar.get('network_policy_provider', '').lower() == 'calico' %} - cni {% elif pillar.get('network_provider', '').lower() == 'kubenet' %} - cni @@ -47,7 +47,7 @@ base: {% endif %} - logrotate - supervisor -{% if pillar.get('policy_provider', '').lower() == 'calico' %} +{% if pillar.get('network_policy_provider', '').lower() == 'calico' %} - calico.node {% endif %} @@ -94,6 +94,6 @@ base: {% if pillar.get('enable_node_autoscaler', '').lower() == 'true' %} - cluster-autoscaler {% endif %} -{% if pillar.get('policy_provider', '').lower() == 'calico' %} +{% if pillar.get('network_policy_provider', '').lower() == 'calico' %} - calico.master {% endif %} diff --git a/cluster/vagrant/config-default.sh b/cluster/vagrant/config-default.sh index ad0be54207..3dc2ea1e42 100755 --- a/cluster/vagrant/config-default.sh +++ b/cluster/vagrant/config-default.sh @@ -110,9 +110,6 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}" OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}" OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}" -# Network Policy plugin specific settings -POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico - # Optional: if set to true, kube-up will configure the cluster to run e2e tests. E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false} diff --git a/cluster/vagrant/provision-utils.sh b/cluster/vagrant/provision-utils.sh index 70dbbe599a..846d9c505c 100755 --- a/cluster/vagrant/provision-utils.sh +++ b/cluster/vagrant/provision-utils.sh 
@@ -67,7 +67,6 @@ cluster_cidr: '$(echo "$CLUSTER_IP_RANGE" | sed -e "s/'/''/g")' opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")' opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG" | sed -e "s/'/''/g")' opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET" | sed -e "s/'/''/g")' -policy_provider: '$(echo "$POLICY_PROVIDER" | sed -e "s/'/''/g")' e2e_storage_test_environment: '$(echo "$E2E_STORAGE_TEST_ENVIRONMENT" | sed -e "s/'/''/g")' EOF