├── .gitignore
├── LICENSE
├── README.md
├── Vagrantfile
├── calico
│   ├── calico.yaml
│   └── rbac-kdd.yaml
└── ingress
    ├── nginx-ingress-svc.yaml
    └── nginx-ingress.yaml

/.gitignore:
--------------------------------------------------------------------------------
.vagrant/

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format.
      We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Kubernetes cluster
A vagrant script for setting up a Kubernetes cluster using Kubeadm

## Pre-requisites

* **[Vagrant 2.1.4+](https://www.vagrantup.com)**
* **[Virtualbox 5.2.18+](https://www.virtualbox.org)**

## How to Run

Execute the following vagrant command to start a new Kubernetes cluster; this starts one master and two nodes:

```
vagrant up
```

You can also start individual machines with `vagrant up k8s-head`, `vagrant up k8s-node-1` and `vagrant up k8s-node-2`.

If more than two nodes are required, you can edit the `servers` array in the Vagrantfile:

```
servers = [
  {
    :name => "k8s-node-3",
    :type => "node",
    :box => "ubuntu/xenial64",
    :box_version => "20180831.0.0",
    :eth1 => "192.168.205.13",
    :mem => "2048",
    :cpu => "2"
  }
]
```

As the example above shows, the IP address, memory and CPU of each machine are also configured in the `servers` array.

## Clean-up

Execute the following command to remove the virtual machines created for the Kubernetes cluster.
```
vagrant destroy -f
```

You can destroy individual machines with `vagrant destroy k8s-node-1 -f`.

## Licensing

[Apache License, Version 2.0](http://opensource.org/licenses/Apache-2.0).

--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
# -*- mode: ruby -*-
# vi: set ft=ruby :

servers = [
  {
    :name => "k8s-head",
    :type => "master",
    :box => "ubuntu/xenial64",
    :box_version => "20180831.0.0",
    :eth1 => "192.168.205.10",
    :mem => "2048",
    :cpu => "2"
  },
  {
    :name => "k8s-node-1",
    :type => "node",
    :box => "ubuntu/xenial64",
    :box_version => "20180831.0.0",
    :eth1 => "192.168.205.11",
    :mem => "2048",
    :cpu => "2"
  },
  {
    :name => "k8s-node-2",
    :type => "node",
    :box => "ubuntu/xenial64",
    :box_version => "20180831.0.0",
    :eth1 => "192.168.205.12",
    :mem => "2048",
    :cpu => "2"
  }
]

# This script installs k8s using kubeadm; it is executed on every box once the box is provisioned.
# The heredocs are single-quoted so that the backslashes in the sed expressions reach the shell unchanged.
$configureBox = <<-'SCRIPT'

# install docker v17.03
# the docker provisioner is not used because it always installs the latest Docker, while kubeadm requires 17.03 or older
apt-get update
apt-get install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository "deb https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(lsb_release -cs) stable"
apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')

# run docker commands as vagrant user (sudo not required)
usermod -aG docker vagrant

# install kubeadm
apt-get install -y apt-transport-https curl
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
apt-get update
apt-get install -y kubelet kubeadm kubectl
apt-mark hold kubelet kubeadm kubectl

# kubelet requires swap off
swapoff -a

# keep swap off after reboot
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

# ip of this box
IP_ADDR=`ifconfig enp0s8 | grep Mask | awk '{print $2}'| cut -f2 -d:`
# set node-ip
sudo sed -i "/^[^#]*KUBELET_EXTRA_ARGS=/c\KUBELET_EXTRA_ARGS=--node-ip=$IP_ADDR" /etc/default/kubelet
sudo systemctl restart kubelet
SCRIPT

$configureMaster = <<-'SCRIPT'
echo "This is master"
# ip of this box
IP_ADDR=`ifconfig enp0s8 | grep Mask | awk '{print $2}'| cut -f2 -d:`

# install k8s master
HOST_NAME=$(hostname -s)
kubeadm init --apiserver-advertise-address=$IP_ADDR --apiserver-cert-extra-sans=$IP_ADDR --node-name $HOST_NAME --pod-network-cidr=172.16.0.0/16

# copy the admin kubeconfig to the regular user (vagrant)
sudo --user=vagrant mkdir -p /home/vagrant/.kube
cp -i /etc/kubernetes/admin.conf /home/vagrant/.kube/config
chown $(id -u vagrant):$(id -g vagrant) /home/vagrant/.kube/config

# install Calico pod network addon
export KUBECONFIG=/etc/kubernetes/admin.conf
kubectl apply -f https://raw.githubusercontent.com/ecomm-integration-ballerina/kubernetes-cluster/master/calico/rbac-kdd.yaml
kubectl apply -f https://raw.githubusercontent.com/ecomm-integration-ballerina/kubernetes-cluster/master/calico/calico.yaml

# save the worker join command (bootstrap token included) where the nodes fetch it from
kubeadm token create --print-join-command >> /etc/kubeadm_join_cmd.sh
chmod +x /etc/kubeadm_join_cmd.sh

# enable SSH password authentication so that the worker nodes can fetch the join command with sshpass (see $configureNode)
sudo sed -i "/^[^#]*PasswordAuthentication[[:space:]]no/c\PasswordAuthentication yes" /etc/ssh/sshd_config
sudo service sshd restart

SCRIPT

$configureNode = <<-'SCRIPT'
echo "This is worker"
apt-get install -y sshpass
# fetch the join command from the master over SSH using the box's default vagrant password
sshpass -p "vagrant" scp -o StrictHostKeyChecking=no vagrant@192.168.205.10:/etc/kubeadm_join_cmd.sh .
sh ./kubeadm_join_cmd.sh
SCRIPT

Vagrant.configure("2") do |config|

  servers.each do |opts|
    config.vm.define opts[:name] do |config|

      config.vm.box = opts[:box]
      config.vm.box_version = opts[:box_version]
      config.vm.hostname = opts[:name]
      config.vm.network :private_network, ip: opts[:eth1]

      config.vm.provider "virtualbox" do |v|

        v.name = opts[:name]
        v.customize ["modifyvm", :id, "--groups", "/Ballerina Development"]
        v.customize ["modifyvm", :id, "--memory", opts[:mem]]
        v.customize ["modifyvm", :id, "--cpus", opts[:cpu]]

      end

      # we cannot use this because we can't install the docker version we want - https://github.com/hashicorp/vagrant/issues/4871
      #config.vm.provision "docker"

      config.vm.provision "shell", inline: $configureBox

      if opts[:type] == "master"
        config.vm.provision "shell", inline: $configureMaster
      else
        config.vm.provision "shell", inline: $configureNode
      end

    end

  end

end
--------------------------------------------------------------------------------
/calico/calico.yaml:
--------------------------------------------------------------------------------
# Calico Version v3.1.3
# https://docs.projectcalico.org/v3.1/releases#v3.1.3
# This manifest includes the following component versions:
#   calico/node:v3.1.3
#   calico/cni:v3.1.3

# This ConfigMap is used to configure a self-hosted Calico installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  # To enable Typha, set this to "calico-typha" *and* set a non-zero value for Typha replicas
  # below.  We recommend using Typha if you have more than 50 nodes.  Above 100 nodes it is
  # essential.
  typha_service_name: "none"

  # The CNI network configuration to install on each node.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "mtu": 1500,
          "ipam": {
            "type": "host-local",
            "subnet": "usePodCidr"
          },
          "policy": {
            "type": "k8s"
          },
          "kubernetes": {
            "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        }
      ]
    }

---

# This manifest creates a Service, which will be backed by Calico's Typha daemon.
# Typha sits in between Felix and the API server, reducing Calico's load on the API server.

apiVersion: v1
kind: Service
metadata:
  name: calico-typha
  namespace: kube-system
  labels:
    k8s-app: calico-typha
spec:
  ports:
    - port: 5473
      protocol: TCP
      targetPort: calico-typha
      name: calico-typha
  selector:
    k8s-app: calico-typha

---

# This manifest creates a Deployment of Typha to back the above service.

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: calico-typha
  namespace: kube-system
  labels:
    k8s-app: calico-typha
spec:
  # Number of Typha replicas.  To enable Typha, set this to a non-zero value *and* set the
  # typha_service_name variable in the calico-config ConfigMap above.
  #
  # We recommend using Typha if you have more than 50 nodes.  Above 100 nodes it is essential
  # (when using the Kubernetes datastore).  Use one replica for every 100-200 nodes.  In
  # production, we recommend running at least 3 replicas to reduce the impact of rolling upgrade.
  replicas: 0
  revisionHistoryLimit: 2
  template:
    metadata:
      labels:
        k8s-app: calico-typha
      annotations:
        # This, along with the CriticalAddonsOnly toleration below, marks the pod as a critical
        # add-on, ensuring it gets priority scheduling and that its resources are reserved
        # if it ever gets evicted.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostNetwork: true
      tolerations:
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
      # Since Calico can't network a pod until Typha is up, we need to run Typha itself
      # as a host-networked pod.
      serviceAccountName: calico-node
      containers:
        - image: quay.io/calico/typha:v0.7.4
          name: calico-typha
          ports:
            - containerPort: 5473
              name: calico-typha
              protocol: TCP
          env:
            # Enable "info" logging by default.  Can be set to "debug" to increase verbosity.
            - name: TYPHA_LOGSEVERITYSCREEN
              value: "info"
            # Disable logging to file and syslog since those don't make sense in Kubernetes.
            - name: TYPHA_LOGFILEPATH
              value: "none"
            - name: TYPHA_LOGSEVERITYSYS
              value: "none"
            # Monitor the Kubernetes API to find the number of running instances and rebalance
            # connections.
            - name: TYPHA_CONNECTIONREBALANCINGMODE
              value: "kubernetes"
            - name: TYPHA_DATASTORETYPE
              value: "kubernetes"
            - name: TYPHA_HEALTHENABLED
              value: "true"
            # Uncomment these lines to enable prometheus metrics.  Since Typha is host-networked,
            # this opens a port on the host, which may need to be secured.
            #- name: TYPHA_PROMETHEUSMETRICSENABLED
            #  value: "true"
            #- name: TYPHA_PROMETHEUSMETRICSPORT
            #  value: "9093"
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9098
            periodSeconds: 30
            initialDelaySeconds: 30
          readinessProbe:
            httpGet:
              path: /readiness
              port: 9098
            periodSeconds: 10

---

# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: calico-node
      annotations:
        # This, along with the CriticalAddonsOnly toleration below,
        # marks the pod as a critical add-on, ensuring it gets
        # priority scheduling and that its resources are reserved
        # if it ever gets evicted.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostNetwork: true
      tolerations:
        # Make sure calico/node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: calico-node
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      containers:
        # Runs calico/node container on each Kubernetes node.  This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: quay.io/calico/node:v3.1.3
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Enable felix info logging.
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,bgp"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint to host default action to ACCEPT.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Disable IPV6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Set MTU for tunnel device used if ipip is enabled
            - name: FELIX_IPINIPMTU
              value: "1440"
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
            # chosen from this range. Changing this value after installation will have
            # no effect. This should fall within `--cluster-cidr`.
            - name: CALICO_IPV4POOL_CIDR
              value: "172.16.0.0/16"
            # Enable IPIP
            - name: CALICO_IPV4POOL_IPIP
              value: "Always"
            # Enable IP-in-IP within Felix.
            - name: FELIX_IPINIPENABLED
              value: "true"
            # Typha support: controlled by the ConfigMap.
            - name: FELIX_TYPHAK8SSERVICENAME
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: typha_service_name
            # Set based on the k8s node name.
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Auto-detect the BGP IP address.
            - name: IP
              value: "autodetect"
            - name: FELIX_HEALTHENABLED
              value: "true"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          readinessProbe:
            httpGet:
              path: /readiness
              port: 9099
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: quay.io/calico/cni:v3.1.3
          command: ["/install-cni.sh"]
          env:
            # Name of the CNI config file to create.
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
            # Set the hostname based on the k8s node name.
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d

# Create all the CustomResourceDefinitions needed for
# Calico policy and networking mode.
---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: FelixConfiguration
    plural: felixconfigurations
    singular: felixconfiguration

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: bgppeers.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BGPPeer
    plural: bgppeers
    singular: bgppeer

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BGPConfiguration
    plural: bgpconfigurations
    singular: bgpconfiguration

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPPool
    plural: ippools
    singular: ippool

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: hostendpoints.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: HostEndpoint
    plural: hostendpoints
    singular: hostendpoint

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clusterinformations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: ClusterInformation
    plural: clusterinformations
    singular: clusterinformation

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkPolicy
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalnetworksets.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkSet
    plural: globalnetworksets
    singular: globalnetworkset

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: networkpolicies.crd.projectcalico.org
spec:
  scope: Namespaced
  group: crd.projectcalico.org
  version: v1
  names:
    kind: NetworkPolicy
    plural: networkpolicies
    singular: networkpolicy

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-node
  namespace: kube-system

--------------------------------------------------------------------------------
/calico/rbac-kdd.yaml:
-------------------------------------------------------------------------------- 1 | # Calico Version v3.1.3 2 | # https://docs.projectcalico.org/v3.1/releases#v3.1.3 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1beta1 5 | metadata: 6 | name: calico-node 7 | rules: 8 | - apiGroups: [""] 9 | resources: 10 | - namespaces 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: [""] 16 | resources: 17 | - pods/status 18 | verbs: 19 | - update 20 | - apiGroups: [""] 21 | resources: 22 | - pods 23 | verbs: 24 | - get 25 | - list 26 | - watch 27 | - patch 28 | - apiGroups: [""] 29 | resources: 30 | - services 31 | verbs: 32 | - get 33 | - apiGroups: [""] 34 | resources: 35 | - endpoints 36 | verbs: 37 | - get 38 | - apiGroups: [""] 39 | resources: 40 | - nodes 41 | verbs: 42 | - get 43 | - list 44 | - update 45 | - watch 46 | - apiGroups: ["extensions"] 47 | resources: 48 | - networkpolicies 49 | verbs: 50 | - get 51 | - list 52 | - watch 53 | - apiGroups: ["networking.k8s.io"] 54 | resources: 55 | - networkpolicies 56 | verbs: 57 | - watch 58 | - list 59 | - apiGroups: ["crd.projectcalico.org"] 60 | resources: 61 | - globalfelixconfigs 62 | - felixconfigurations 63 | - bgppeers 64 | - globalbgpconfigs 65 | - bgpconfigurations 66 | - ippools 67 | - globalnetworkpolicies 68 | - globalnetworksets 69 | - networkpolicies 70 | - clusterinformations 71 | - hostendpoints 72 | verbs: 73 | - create 74 | - get 75 | - list 76 | - update 77 | - watch 78 | 79 | --- 80 | 81 | apiVersion: rbac.authorization.k8s.io/v1beta1 82 | kind: ClusterRoleBinding 83 | metadata: 84 | name: calico-node 85 | roleRef: 86 | apiGroup: rbac.authorization.k8s.io 87 | kind: ClusterRole 88 | name: calico-node 89 | subjects: 90 | - kind: ServiceAccount 91 | name: calico-node 92 | namespace: kube-system 93 | -------------------------------------------------------------------------------- /ingress/nginx-ingress-svc.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: "v1" 3 | kind: "Service" 4 | metadata: 5 | namespace: ingress-nginx 6 | annotations: {} 7 | finalizers: [] 8 | labels: 9 | app: "nginx-ingress" 10 | name: "nginx-ingress" 11 | ownerReferences: [] 12 | spec: 13 | externalIPs: [] 14 | loadBalancerSourceRanges: [] 15 | ports: 16 | - name: "http" 17 | port: 80 18 | protocol: "TCP" 19 | targetPort: 80 20 | - name: "https" 21 | port: 443 22 | protocol: "TCP" 23 | targetPort: 443 24 | selector: 25 | app.kubernetes.io/name: "ingress-nginx" 26 | type: "NodePort" 27 | -------------------------------------------------------------------------------- /ingress/nginx-ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: ingress-nginx 7 | --- 8 | 9 | apiVersion: extensions/v1beta1 10 | kind: Deployment 11 | metadata: 12 | name: default-http-backend 13 | labels: 14 | app.kubernetes.io/name: default-http-backend 15 | app.kubernetes.io/part-of: ingress-nginx 16 | namespace: ingress-nginx 17 | spec: 18 | replicas: 1 19 | selector: 20 | matchLabels: 21 | app.kubernetes.io/name: default-http-backend 22 | app.kubernetes.io/part-of: ingress-nginx 23 | template: 24 | metadata: 25 | labels: 26 | app.kubernetes.io/name: default-http-backend 27 | app.kubernetes.io/part-of: ingress-nginx 28 | spec: 29 | terminationGracePeriodSeconds: 60 30 | containers: 31 | - name: default-http-backend 32 | # Any image is permissible as long as: 33 | # 1. It serves a 404 page at / 34 | # 2. 
It serves 200 on a /healthz endpoint 35 | image: gcr.io/google_containers/defaultbackend:1.4 36 | livenessProbe: 37 | httpGet: 38 | path: /healthz 39 | port: 8080 40 | scheme: HTTP 41 | initialDelaySeconds: 30 42 | timeoutSeconds: 5 43 | ports: 44 | - containerPort: 8080 45 | resources: 46 | limits: 47 | cpu: 10m 48 | memory: 20Mi 49 | requests: 50 | cpu: 10m 51 | memory: 20Mi 52 | --- 53 | 54 | apiVersion: v1 55 | kind: Service 56 | metadata: 57 | name: default-http-backend 58 | namespace: ingress-nginx 59 | labels: 60 | app.kubernetes.io/name: default-http-backend 61 | app.kubernetes.io/part-of: ingress-nginx 62 | spec: 63 | ports: 64 | - port: 80 65 | targetPort: 8080 66 | selector: 67 | app.kubernetes.io/name: default-http-backend 68 | app.kubernetes.io/part-of: ingress-nginx 69 | --- 70 | 71 | kind: ConfigMap 72 | apiVersion: v1 73 | metadata: 74 | name: nginx-configuration 75 | namespace: ingress-nginx 76 | labels: 77 | app.kubernetes.io/name: ingress-nginx 78 | app.kubernetes.io/part-of: ingress-nginx 79 | --- 80 | 81 | kind: ConfigMap 82 | apiVersion: v1 83 | metadata: 84 | name: tcp-services 85 | namespace: ingress-nginx 86 | labels: 87 | app.kubernetes.io/name: ingress-nginx 88 | app.kubernetes.io/part-of: ingress-nginx 89 | --- 90 | 91 | kind: ConfigMap 92 | apiVersion: v1 93 | metadata: 94 | name: udp-services 95 | namespace: ingress-nginx 96 | labels: 97 | app.kubernetes.io/name: ingress-nginx 98 | app.kubernetes.io/part-of: ingress-nginx 99 | --- 100 | 101 | apiVersion: v1 102 | kind: ServiceAccount 103 | metadata: 104 | name: nginx-ingress-serviceaccount 105 | namespace: ingress-nginx 106 | labels: 107 | app.kubernetes.io/name: ingress-nginx 108 | app.kubernetes.io/part-of: ingress-nginx 109 | 110 | --- 111 | 112 | apiVersion: rbac.authorization.k8s.io/v1beta1 113 | kind: ClusterRole 114 | metadata: 115 | name: nginx-ingress-clusterrole 116 | labels: 117 | app.kubernetes.io/name: ingress-nginx 118 | app.kubernetes.io/part-of: ingress-nginx 119 | 
rules: 120 | - apiGroups: 121 | - "" 122 | resources: 123 | - configmaps 124 | - endpoints 125 | - nodes 126 | - pods 127 | - secrets 128 | verbs: 129 | - list 130 | - watch 131 | - apiGroups: 132 | - "" 133 | resources: 134 | - nodes 135 | verbs: 136 | - get 137 | - apiGroups: 138 | - "" 139 | resources: 140 | - services 141 | verbs: 142 | - get 143 | - list 144 | - watch 145 | - apiGroups: 146 | - "extensions" 147 | resources: 148 | - ingresses 149 | verbs: 150 | - get 151 | - list 152 | - watch 153 | - apiGroups: 154 | - "" 155 | resources: 156 | - events 157 | verbs: 158 | - create 159 | - patch 160 | - apiGroups: 161 | - "extensions" 162 | resources: 163 | - ingresses/status 164 | verbs: 165 | - update 166 | 167 | --- 168 | 169 | apiVersion: rbac.authorization.k8s.io/v1beta1 170 | kind: Role 171 | metadata: 172 | name: nginx-ingress-role 173 | namespace: ingress-nginx 174 | labels: 175 | app.kubernetes.io/name: ingress-nginx 176 | app.kubernetes.io/part-of: ingress-nginx 177 | rules: 178 | - apiGroups: 179 | - "" 180 | resources: 181 | - configmaps 182 | - pods 183 | - secrets 184 | - namespaces 185 | verbs: 186 | - get 187 | - apiGroups: 188 | - "" 189 | resources: 190 | - configmaps 191 | resourceNames: 192 | # Defaults to "-" 193 | # Here: "-" 194 | # This has to be adapted if you change either parameter 195 | # when launching the nginx-ingress-controller. 
196 | - "ingress-controller-leader-nginx" 197 | verbs: 198 | - get 199 | - update 200 | - apiGroups: 201 | - "" 202 | resources: 203 | - configmaps 204 | verbs: 205 | - create 206 | - apiGroups: 207 | - "" 208 | resources: 209 | - endpoints 210 | verbs: 211 | - get 212 | 213 | --- 214 | 215 | apiVersion: rbac.authorization.k8s.io/v1beta1 216 | kind: RoleBinding 217 | metadata: 218 | name: nginx-ingress-role-nisa-binding 219 | namespace: ingress-nginx 220 | labels: 221 | app.kubernetes.io/name: ingress-nginx 222 | app.kubernetes.io/part-of: ingress-nginx 223 | roleRef: 224 | apiGroup: rbac.authorization.k8s.io 225 | kind: Role 226 | name: nginx-ingress-role 227 | subjects: 228 | - kind: ServiceAccount 229 | name: nginx-ingress-serviceaccount 230 | namespace: ingress-nginx 231 | 232 | --- 233 | 234 | apiVersion: rbac.authorization.k8s.io/v1beta1 235 | kind: ClusterRoleBinding 236 | metadata: 237 | name: nginx-ingress-clusterrole-nisa-binding 238 | labels: 239 | app.kubernetes.io/name: ingress-nginx 240 | app.kubernetes.io/part-of: ingress-nginx 241 | roleRef: 242 | apiGroup: rbac.authorization.k8s.io 243 | kind: ClusterRole 244 | name: nginx-ingress-clusterrole 245 | subjects: 246 | - kind: ServiceAccount 247 | name: nginx-ingress-serviceaccount 248 | namespace: ingress-nginx 249 | --- 250 | 251 | apiVersion: extensions/v1beta1 252 | kind: Deployment 253 | metadata: 254 | name: nginx-ingress-controller 255 | namespace: ingress-nginx 256 | labels: 257 | app.kubernetes.io/name: ingress-nginx 258 | app.kubernetes.io/part-of: ingress-nginx 259 | spec: 260 | replicas: 1 261 | selector: 262 | matchLabels: 263 | app.kubernetes.io/name: ingress-nginx 264 | app.kubernetes.io/part-of: ingress-nginx 265 | template: 266 | metadata: 267 | labels: 268 | app.kubernetes.io/name: ingress-nginx 269 | app.kubernetes.io/part-of: ingress-nginx 270 | annotations: 271 | prometheus.io/port: '10254' 272 | prometheus.io/scrape: 'true' 273 | spec: 274 | serviceAccountName: 
nginx-ingress-serviceaccount 275 | containers: 276 | - name: nginx-ingress-controller 277 | image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.19.0 278 | args: 279 | - /nginx-ingress-controller 280 | - --default-backend-service=$(POD_NAMESPACE)/default-http-backend 281 | - --configmap=$(POD_NAMESPACE)/nginx-configuration 282 | - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services 283 | - --udp-services-configmap=$(POD_NAMESPACE)/udp-services 284 | - --publish-service=$(POD_NAMESPACE)/ingress-nginx 285 | - --annotations-prefix=nginx.ingress.kubernetes.io 286 | securityContext: 287 | capabilities: 288 | drop: 289 | - ALL 290 | add: 291 | - NET_BIND_SERVICE 292 | # www-data -> 33 293 | runAsUser: 33 294 | env: 295 | - name: POD_NAME 296 | valueFrom: 297 | fieldRef: 298 | fieldPath: metadata.name 299 | - name: POD_NAMESPACE 300 | valueFrom: 301 | fieldRef: 302 | fieldPath: metadata.namespace 303 | ports: 304 | - name: http 305 | containerPort: 80 306 | - name: https 307 | containerPort: 443 308 | livenessProbe: 309 | failureThreshold: 3 310 | httpGet: 311 | path: /healthz 312 | port: 10254 313 | scheme: HTTP 314 | initialDelaySeconds: 10 315 | periodSeconds: 10 316 | successThreshold: 1 317 | timeoutSeconds: 1 318 | readinessProbe: 319 | failureThreshold: 3 320 | httpGet: 321 | path: /healthz 322 | port: 10254 323 | scheme: HTTP 324 | periodSeconds: 10 325 | successThreshold: 1 326 | timeoutSeconds: 1 327 | --------------------------------------------------------------------------------