Merge pull request #26017 from caseydavenport/cd-calico-policy

Automatic merge from submit-queue Add Calico as policy provider in GCE Adds Calico as policy provider to GCE, enforcing the extensions/v1beta1 NetworkPolicy API. Still to do: - [x] Enable NetworkPolicy API when POLICY_PROVIDER is provided. - [x] Fix CNI plugin, policy controller versions. CC @thockin - does this general approach look good?
2016-06-25 03:43:59 -07:00 · 2016-06-25 03:43:59 -07:00 · 272042f3e6
parent 4e6e4ee1f9 35289c7649
commit 272042f3e6
11 changed files with 151 additions and 2 deletions
--- a/cluster/common.sh
+++ b/cluster/common.sh
@ -475,8 +475,19 @@ function yaml-quote {
 # Builds the RUNTIME_CONFIG var from other feature enable options (such as
 # features in alpha)
 function build-runtime-config() {
-  # There is nothing to do here for now. Just using this function as a placeholder.
-  :
+  # If a policy provider is specified, enable NetworkPolicy API.
+  if [[ -n "${NETWORK_POLICY_PROVIDER}" ]]; then
+    appends="extensions/v1beta1=true,extensions/v1beta1/networkpolicies=true"
+  fi
+
+  # Generate the RUNTIME_CONFIG.
+  if [[ -n ${appends} ]]; then
+    if [[ -n ${RUNTIME_CONFIG} ]]; then
+      RUNTIME_CONFIG="${RUNTIME_CONFIG},${appends}"
+    else 
+      RUNTIME_CONFIG="${appends}"
+    fi
+  fi
 }

 # Writes the cluster name into a temporary file.
@ -553,6 +564,7 @@ HAIRPIN_MODE: $(yaml-quote ${HAIRPIN_MODE:-})
 OPENCONTRAIL_TAG: $(yaml-quote ${OPENCONTRAIL_TAG:-})
 OPENCONTRAIL_KUBERNETES_TAG: $(yaml-quote ${OPENCONTRAIL_KUBERNETES_TAG:-})
 OPENCONTRAIL_PUBLIC_SUBNET: $(yaml-quote ${OPENCONTRAIL_PUBLIC_SUBNET:-})
+NETWORK_POLICY_PROVIDER: $(yaml-quote ${NETWORK_POLICY_PROVIDER:-})
 E2E_STORAGE_TEST_ENVIRONMENT: $(yaml-quote ${E2E_STORAGE_TEST_ENVIRONMENT:-})
 KUBE_IMAGE_TAG: $(yaml-quote ${KUBE_IMAGE_TAG:-})
 KUBE_DOCKER_REGISTRY: $(yaml-quote ${KUBE_DOCKER_REGISTRY:-})
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@ -140,6 +140,9 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}"
 OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}"
 OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"

+# Network Policy plugin specific settings.
+NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico
+
 # How should the kubelet configure hairpin mode?
 HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none
 # Optional: if set to true, kube-up will configure the cluster to run e2e tests.
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@ -162,6 +162,9 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}"
 OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}"
 OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"

+# Network Policy plugin specific settings.
+NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico
+
 # How should the kubelet configure hairpin mode?
 HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none

--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@ -447,6 +447,7 @@ hairpin_mode: '$(echo "$HAIRPIN_MODE" | sed -e "s/'/''/g")'
 opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")'
 opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG")'
 opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET")'
+network_policy_provider: '$(echo "$NETWORK_POLICY_PROVIDER" | sed -e "s/'/''/g")'
 enable_manifest_url: '$(echo "${ENABLE_MANIFEST_URL:-}" | sed -e "s/'/''/g")'
 manifest_url: '$(echo "${MANIFEST_URL:-}" | sed -e "s/'/''/g")'
 manifest_url_header: '$(echo "${MANIFEST_URL_HEADER:-}" | sed -e "s/'/''/g")'
@ -650,6 +651,7 @@ users:
 clusters:
 - name: local
  cluster:
+    server: https://kubernetes-master
    certificate-authority-data: ${KUBELET_CA_CERT}
 contexts:
 - context:
--- a/cluster/saltbase/salt/calico/10-calico.conf
+++ b/cluster/saltbase/salt/calico/10-calico.conf
@ -0,0 +1,16 @@
+{
+    "name": "k8s-pod-network",
+    "type": "calico",
+    "etcd_authority": "{{ grains.api_servers }}:6666",
+    "log_level": "info",
+    "ipam": {
+        "type": "host-local",
+        "subnet": "usePodCidr"
+    },
+    "policy": {
+        "type": "k8s"
+    },
+    "kubernetes": {
+        "kubeconfig": "/var/lib/kubelet/kubeconfig"
+    }
+}
--- a/cluster/saltbase/salt/calico/calico-policy-controller.manifest
+++ b/cluster/saltbase/salt/calico/calico-policy-controller.manifest
@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: calico-policy-controller
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    k8s-app: calico-policy
+spec:
+  hostNetwork: true
+  containers:
+    - name: policy-controller
+      image: calico/kube-policy-controller:v0.2.0
+      env:
+      - name: ETCD_AUTHORITY
+        value: "127.0.0.1:6666"
+      - name: K8S_API
+        value: "http://127.0.0.1:8080"
+    - name: calico-etcd
+      image: gcr.io/google_containers/etcd:2.2.1
+      command:
+        - /usr/local/bin/etcd
+        - --name=calico
+        - --data-dir=/var/etcd/calico-data
+        - --advertise-client-urls=http://{{ grains.id }}:6666
+        - --listen-client-urls=http://0.0.0.0:6666
+        - --listen-peer-urls=http://0.0.0.0:6667
+        - --initial-advertise-peer-urls=http://{{ grains.id }}:6667
+        - --initial-cluster=calico=http://{{ grains.id }}:6667
+      volumeMounts:
+        - name: varetcd
+          mountPath: /var/etcd
+  volumes:
+    - name: varetcd
+      hostPath:
+        path: /var/calico/etcd
--- a/cluster/saltbase/salt/calico/master.sls
+++ b/cluster/saltbase/salt/calico/master.sls
@ -0,0 +1,19 @@
+{% if pillar.get('network_policy_provider', '').lower() == 'calico' %}
+
+calico-policy-controller:
+  file.managed:
+    - name: /etc/kubernetes/manifests/calico-policy-controller.manifest
+    - source: salt://calico/calico-policy-controller.manifest
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 644
+    - makedirs: true
+    - dir_mode: 755
+    - context:
+        cpurequest: '20m'
+    - require:
+      - service: docker
+      - service: kubelet
+
+{% endif -%}
--- a/cluster/saltbase/salt/calico/node.sls
+++ b/cluster/saltbase/salt/calico/node.sls
@ -0,0 +1,46 @@
+{% if pillar.get('network_policy_provider', '').lower() == 'calico' %}
+
+calicoctl:
+  file.managed:
+    - name: /usr/bin/calicoctl
+    - source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl
+    - source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96
+    - makedirs: True
+    - mode: 744
+
+calico-node:
+  cmd.run:
+    - name: calicoctl node
+    - unless: docker ps | grep calico-node
+    - env:
+      - ETCD_AUTHORITY: "{{ grains.api_servers }}:6666"
+      - CALICO_NETWORKING: "false"
+    - require:
+      - kmod: ip6_tables
+      - kmod: xt_set
+      - service: docker
+      - file: calicoctl
+
+calico-cni:
+  file.managed:
+    - name: /opt/cni/bin/calico
+    - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.1/calico 
+    - source_hash: sha256=ac05cb9254b5aaa5822cf10325983431bd25489147f2edf9dec7e43d99c43e77
+    - makedirs: True
+    - mode: 744
+
+calico-cni-config:
+  file.managed:
+    - name: /etc/cni/net.d/10-calico.conf
+    - source: salt://calico/10-calico.conf
+    - makedirs: True
+    - mode: 644
+    - template: jinja
+
+ip6_tables:
+  kmod.present
+
+xt_set:
+  kmod.present
+
+{% endif -%}
--- a/cluster/saltbase/salt/kubelet/default
+++ b/cluster/saltbase/salt/kubelet/default
@ -151,6 +151,8 @@
  {% set network_plugin = "--network-plugin=opencontrail" %}
 {% elif pillar.get('network_provider', '').lower() == 'cni' %}
  {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %}
+{%elif pillar.get('network_policy_provider', '').lower() == 'calico' and grains['roles'][0] != 'kubernetes-master' -%}
+  {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %}
 {% elif pillar.get('network_provider', '').lower() == 'kubenet' %}
  {% set network_plugin = "--network-plugin=kubenet" -%}
  {% if reconcile_cidr_args == '' -%}
--- a/cluster/saltbase/salt/top.sls
+++ b/cluster/saltbase/salt/top.sls
@ -15,6 +15,9 @@ base:
    - docker
 {% if pillar.get('network_provider', '').lower() == 'flannel' %}
    - flannel
+{% endif %}
+{% if pillar.get('network_policy_provider', '').lower() == 'calico' %}
+    - cni
 {% elif pillar.get('network_provider', '').lower() == 'kubenet' %}
    - cni
 {% elif pillar.get('network_provider', '').lower() == 'cni' %}
@ -44,6 +47,9 @@ base:
 {% endif %}
    - logrotate
    - supervisor
+{% if pillar.get('network_policy_provider', '').lower() == 'calico' %}
+    - calico.node
+{% endif %}

  'roles:kubernetes-master':
    - match: grain
@ -88,3 +94,6 @@ base:
 {% if pillar.get('enable_cluster_autoscaler', '').lower() == 'true' %}
    - cluster-autoscaler
 {% endif %}
+{% if pillar.get('network_policy_provider', '').lower() == 'calico' %}
+    - calico.master
+{% endif %}
--- a/cluster/vagrant/config-default.sh
+++ b/cluster/vagrant/config-default.sh
@ -109,6 +109,7 @@ fi
 OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}"
 OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}"
 OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"
+
 # Optional: if set to true, kube-up will configure the cluster to run e2e tests.
 E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false}