--- # Source: calico/templates/calico-node.yaml # This manifest installs the canal container, as well # as the CNI plugins and network config on # each master and worker node in a Kubernetes cluster. kind: DaemonSet apiVersion: apps/v1 metadata: name: {{ .Release.Name | quote }} namespace: kube-system labels: k8s-app: canal spec: selector: matchLabels: k8s-app: canal updateStrategy: type: RollingUpdate rollingUpdate: maxUnavailable: 1 template: metadata: labels: k8s-app: canal annotations: # This, along with the CriticalAddonsOnly toleration below, # marks the pod as a critical add-on, ensuring it gets # priority scheduling and that its resources are reserved # if it ever gets evicted. scheduler.alpha.kubernetes.io/critical-pod: '' spec: nodeSelector: kubernetes.io/os: linux hostNetwork: true tolerations: # Make sure canal gets scheduled on all nodes. - effect: NoSchedule operator: Exists # Mark the pod as a critical add-on for rescheduling. - key: CriticalAddonsOnly operator: Exists - effect: NoExecute operator: Exists serviceAccountName: canal # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. terminationGracePeriodSeconds: 0 priorityClassName: system-node-critical initContainers: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni image: {{ template "system_default_registry" . }}{{ .Values.calico.cniImage.repository }}:{{ .Values.calico.cniImage.tag }} command: ["/opt/cni/bin/install"] env: # Name of the CNI config file to create. - name: CNI_CONF_NAME value: "10-canal.conflist" # The CNI network config to install on each node. - name: CNI_NETWORK_CONFIG valueFrom: configMapKeyRef: name: {{ .Release.Name }}-config key: cni_network_config # Set the hostname based on the k8s node name. - name: KUBERNETES_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName # CNI MTU Config variable - name: CNI_MTU valueFrom: configMapKeyRef: name: {{ .Release.Name }}-config key: veth_mtu # Prevents the container from sleeping forever. - name: SLEEP value: "false" volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir - mountPath: /host/etc/cni/net.d name: cni-net-dir securityContext: privileged: true # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver image: {{ template "system_default_registry" . }}{{ .Values.calico.flexvolImage.repository }}:{{ .Values.calico.flexvolImage.tag }} command: ['/usr/local/bin/flexvol.sh', '-s', '/usr/local/bin/flexvol', '-i', 'flexvoldriver'] volumeMounts: - name: flexvol-driver-host mountPath: /host/driver securityContext: privileged: true containers: # Runs canal container on each Kubernetes node. This # container programs network policy and routes on each # host. - name: calico-node command: - "start_runit" image: {{ template "system_default_registry" . }}{{ .Values.calico.nodeImage.repository }}:{{ .Values.calico.nodeImage.tag }} env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE value: {{ .Values.calico.datastoreType | quote }} # Configure route aggregation based on pod CIDR. - name: USE_POD_CIDR value: {{ .Values.calico.usePodCIDR | quote }} # Wait for the datastore. - name: WAIT_FOR_DATASTORE value: {{ .Values.calico.waitForDatastore | quote }} # Set based on the k8s node name. - name: NODENAME valueFrom: fieldRef: fieldPath: spec.nodeName # Don't enable BGP. - name: CALICO_NETWORKING_BACKEND value: {{ .Values.calico.networkingBackend | quote }} # Cluster type to identify the deployment type - name: CLUSTER_TYPE value: {{ .Values.calico.clusterType | quote}} # Period, in seconds, at which felix re-applies all iptables state - name: FELIX_IPTABLESREFRESHINTERVAL value: {{ .Values.calico.felixIptablesRefreshInterval | quote}} - name: FELIX_IPTABLESBACKEND value: {{ .Values.calico.felixIptablesBackend | quote}} # No IP address needed. - name: IP value: "" # The default IPv4 pool to create on startup if none exists. Pod IPs will be # chosen from this range. Changing this value after installation will have # no effect. This should fall within `--cluster-cidr`. # - name: CALICO_IPV4POOL_CIDR # value: "192.168.0.0/16" # Disable file logging so `kubectl logs` works. - name: CALICO_DISABLE_FILE_LOGGING value: "true" # Set Felix endpoint to host default action to ACCEPT. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: {{ .Values.calico.felixDefaultEndpointToHostAction | quote }} # Disable IPv6 on Kubernetes. - name: FELIX_IPV6SUPPORT value: {{ .Values.calico.felixIpv6Support | quote }} # Set Felix logging to "info" - name: FELIX_LOGSEVERITYSCREEN value: {{ .Values.calico.felixLogSeverityScreen | quote }} - name: FELIX_HEALTHENABLED value: {{ .Values.calico.felixHealthEnabled | quote }} # enable promentheus metrics - name: FELIX_PROMETHEUSMETRICSENABLED value: {{ .Values.calico.felixPrometheusMetricsEnabled | quote }} - name: FELIX_XDPENABLED value: {{ .Values.calico.felixXDPEnabled | quote }} - name: FELIX_FAILSAFEINBOUNDHOSTPORTS value: {{ .Values.calico.felixFailsafeInboundHostPorts | quote }} - name: FELIX_FAILSAFEOUTBOUNDHOSTPORTS value: {{ .Values.calico.felixFailsafeOutboundHostPorts | quote }} securityContext: privileged: true resources: requests: cpu: 250m livenessProbe: exec: command: - /bin/calico-node - -felix-live periodSeconds: 10 initialDelaySeconds: 10 failureThreshold: 6 readinessProbe: httpGet: path: /readiness port: 9099 host: localhost periodSeconds: 10 volumeMounts: - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /run/xtables.lock name: xtables-lock readOnly: false - mountPath: /var/run/calico name: var-run-calico readOnly: false - mountPath: /var/lib/calico name: var-lib-calico readOnly: false - name: policysync mountPath: /var/run/nodeagent # This container runs flannel using the kube-subnet-mgr backend # for allocating subnets. - name: kube-flannel image: {{ template "system_default_registry" . }}{{ .Values.flannel.image.repository }}:{{ .Values.flannel.image.tag }} command: - "/opt/bin/flanneld" {{- range .Values.flannel.args }} - {{ . | quote }} {{- end }} securityContext: privileged: true env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: FLANNELD_IFACE valueFrom: configMapKeyRef: name: {{ .Release.Name }}-config key: canal_iface - name: FLANNELD_IP_MASQ valueFrom: configMapKeyRef: name: {{ .Release.Name }}-config key: masquerade volumeMounts: - mountPath: /run/xtables.lock name: xtables-lock readOnly: false - name: flannel-cfg mountPath: /etc/kube-flannel/ volumes: # Used by canal. - name: lib-modules hostPath: path: /lib/modules - name: var-run-calico hostPath: path: /var/run/calico - name: var-lib-calico hostPath: path: /var/lib/calico - name: xtables-lock hostPath: path: /run/xtables.lock type: FileOrCreate # Used by flannel. - name: flannel-cfg configMap: name: {{ .Release.Name }}-config # Used to install CNI. - name: cni-bin-dir hostPath: path: /opt/cni/bin - name: cni-net-dir hostPath: path: /etc/cni/net.d # Used to create per-pod Unix Domain Sockets - name: policysync hostPath: type: DirectoryOrCreate path: /var/run/nodeagent # Used to install Flex Volume Driver - name: flexvol-driver-host hostPath: type: DirectoryOrCreate path: {{ .Values.calico.flexVolumePluginDir }}/nodeagent~uds