├── k8s-install
│   ├── kubeadm
│   │   └── README.md
│   ├── README.md
│   ├── 1.7
│   │   ├── rbac.yaml
│   │   └── canal.yaml
│   ├── 1.6
│   │   ├── rbac.yaml
│   │   └── canal.yaml
│   ├── canal.yaml
│   └── canal_etcd_tls.yaml
├── Canal Phase 1 Diagram.png
├── logos
│   ├── Calico_Logo_Larger_Text.png
│   ├── flannel-horizontal-color.png
│   ├── canal-logo-type-full-color.png
│   └── canal-logo-type-full-color 328x184.png
├── InstallGuide.md
├── OrchestratorIntegration.md
├── .github
│   ├── PULL_REQUEST_TEMPLATE.md
│   └── ISSUE_TEMPLATE.md
└── README.md

/k8s-install/kubeadm/README.md:
--------------------------------------------------------------------------------
Please see the k8s-install [README](../README.md)
--------------------------------------------------------------------------------

/Canal Phase 1 Diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/projectcalico/canal/HEAD/Canal Phase 1 Diagram.png
--------------------------------------------------------------------------------

/logos/Calico_Logo_Larger_Text.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/projectcalico/canal/HEAD/logos/Calico_Logo_Larger_Text.png
--------------------------------------------------------------------------------

/logos/flannel-horizontal-color.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/projectcalico/canal/HEAD/logos/flannel-horizontal-color.png
--------------------------------------------------------------------------------

/logos/canal-logo-type-full-color.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/projectcalico/canal/HEAD/logos/canal-logo-type-full-color.png
--------------------------------------------------------------------------------

/logos/canal-logo-type-full-color 328x184.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/projectcalico/canal/HEAD/logos/canal-logo-type-full-color 328x184.png
--------------------------------------------------------------------------------

/InstallGuide.md:
--------------------------------------------------------------------------------
# [Canal manifests and docs](https://docs.projectcalico.org/latest/getting-started/kubernetes/installation/flannel) have moved to [docs.projectcalico.org](https://docs.projectcalico.org/)

Refer to [Canal/flannel Hosted Install](https://docs.projectcalico.org/latest/getting-started/kubernetes/installation/flannel)
for up to date installation directions and manifests.
This repo is deprecated and no further updates are expected here.
--------------------------------------------------------------------------------

/k8s-install/README.md:
--------------------------------------------------------------------------------
# [Canal manifests and docs](https://docs.projectcalico.org/latest/getting-started/kubernetes/installation/flannel) have moved to [docs.projectcalico.org](https://docs.projectcalico.org/)

Refer to [Canal/flannel Hosted Install](https://docs.projectcalico.org/latest/getting-started/kubernetes/installation/flannel)
for up to date installation directions and manifests.
This repo is deprecated and no further updates are expected here.
--------------------------------------------------------------------------------

/OrchestratorIntegration.md:
--------------------------------------------------------------------------------
# [Canal manifests and docs](https://docs.projectcalico.org/latest/getting-started/kubernetes/installation/flannel) have moved to [docs.projectcalico.org](https://docs.projectcalico.org/)

Refer to [Canal/flannel Hosted Install](https://docs.projectcalico.org/latest/getting-started/kubernetes/installation/flannel)
for up to date installation directions and manifests.
This repo is deprecated and no further updates are expected here.
--------------------------------------------------------------------------------

/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
## Description

## Todos
- [ ] Tests
- [ ] Documentation
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# [Canal manifests and docs](https://docs.projectcalico.org/getting-started/kubernetes/flannel/flannel) have moved to [docs.projectcalico.org](https://docs.projectcalico.org/)

Refer to the docs for [installing Calico for policy and flannel for networking](https://docs.projectcalico.org/getting-started/kubernetes/flannel/flannel) for up to date installation directions and manifests.
This repo is deprecated and no further updates are expected here.

## Wasn't Canal supposed to be the new name for Calico?

Canal was the name of Tigera and CoreOS’s project to integrate Calico and flannel.

Originally, we thought we might more deeply integrate the two projects (possibly even going as far as a rebranding!). However, over time it became clear that that wasn't really necessary to fulfil our goal of making them work well together.
Ultimately, we decided to focus on adding features to both projects rather than doing work just to combine them.
--------------------------------------------------------------------------------

/.github/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
## Expected Behavior

## Current Behavior

## Possible Solution

## Steps to Reproduce (for bugs)

1.
2.
3.
4.

## Context

## Your Environment

* Calico version:
* Flannel version:
* Orchestrator version:
* Operating System and version:
* Link to your project (optional):
--------------------------------------------------------------------------------

/k8s-install/1.7/rbac.yaml:
--------------------------------------------------------------------------------
# Calico Roles
# Pulled from https://docs.projectcalico.org/v2.5/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico
rules:
  - apiGroups: [""]
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - update
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups: ["extensions"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - bgppeers
      - globalbgpconfigs
      - ippools
      - globalnetworkpolicies
    verbs:
      - create
      - get
      - list
      - update
      - watch

---

# Flannel roles
# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: flannel
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
---

# Bind the flannel ClusterRole to the canal ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: canal-flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: canal
  namespace: kube-system

---

# Bind the calico ClusterRole to the canal ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: canal-calico
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico
subjects:
- kind: ServiceAccount
  name: canal
  namespace: kube-system
--------------------------------------------------------------------------------

/k8s-install/1.6/rbac.yaml:
--------------------------------------------------------------------------------
# Calico Roles
# Pulled from https://docs.projectcalico.org/v2.4/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico
rules:
  - apiGroups: [""]
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - update
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups: ["extensions"]
    resources:
      - thirdpartyresources
    verbs:
      - create
      - get
      - list
      - watch
  - apiGroups: ["extensions"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["projectcalico.org"]
    resources:
      - globalbgppeers
    verbs:
      - get
      - list
  - apiGroups: ["projectcalico.org"]
    resources:
      - globalconfigs
      - globalbgpconfigs
    verbs:
      - create
      - get
      - list
      - update
      - watch
  - apiGroups: ["projectcalico.org"]
    resources:
      - ippools
    verbs:
      - create
      - get
      - list
      - update
      - watch
  - apiGroups: ["alpha.projectcalico.org"]
    resources:
      - systemnetworkpolicies
    verbs:
      - get
      - list
      - watch

---

# Flannel roles
# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: flannel
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
---

# Bind the flannel ClusterRole to the canal ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: canal-flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: canal
  namespace: kube-system

---

# Bind the calico ClusterRole to the canal ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: canal-calico
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico
subjects:
- kind: ServiceAccount
  name: canal
  namespace: kube-system
--------------------------------------------------------------------------------

/k8s-install/canal.yaml:
--------------------------------------------------------------------------------
# This ConfigMap can be used to configure a self-hosted Canal installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: canal-config
  namespace: kube-system
data:
  # The interface used by canal for host <-> host communication.
  # If left blank, then the interface is chosen using the node's
  # default route.
  canal_iface: ""

  # Whether or not to masquerade traffic to destinations not within
  # the pod network.
  masquerade: "true"

  # The CNI network configuration to install on each node.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "ipam": {
            "type": "host-local",
            "subnet": "usePodCidr"
          },
          "policy": {
            "type": "k8s",
            "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
          },
          "kubernetes": {
            "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
            "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "capabilities": {"portMappings": true},
          "snat": true
        }
      ]
    }

  # Flannel network configuration. Mounted into the flannel container.
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }

---

# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: canal
  namespace: kube-system
  labels:
    k8s-app: canal
spec:
  selector:
    matchLabels:
      k8s-app: canal
  template:
    metadata:
      labels:
        k8s-app: canal
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        scheduler.alpha.kubernetes.io/tolerations: |
          [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
           {"key": "CriticalAddonsOnly", "operator": "Exists"}]
    spec:
      hostNetwork: true
      containers:
        # Runs calico/node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: quay.io/calico/node:v2.4.1
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Enable felix logging.
            - name: FELIX_LOGSEVERITYSYS
              value: "info"
            # Period, in seconds, at which felix re-applies all iptables state
            - name: FELIX_IPTABLESREFRESHINTERVAL
              value: "60"
            # Disable IPV6 support in Felix.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Don't enable BGP.
            - name: CALICO_NETWORKING_BACKEND
              value: "none"
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,canal"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # No IP address needed.
            - name: IP
              value: ""
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Set Felix endpoint to host default action to ACCEPT.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: quay.io/calico/cni:v1.10.0
          command: ["/install-cni.sh"]
          env:
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: cni_network_config
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
        # This container runs flannel using the kube-subnet-mgr backend
        # for allocating subnets.
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.9.1
          command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ]
          securityContext:
            privileged: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: FLANNELD_IFACE
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: canal_iface
            - name: FLANNELD_IP_MASQ
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: masquerade
          volumeMounts:
            - name: run
              mountPath: /run
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Used by flannel.
        - name: run
          hostPath:
            path: /run
        - name: flannel-cfg
          configMap:
            name: canal-config
--------------------------------------------------------------------------------

/k8s-install/1.6/canal.yaml:
--------------------------------------------------------------------------------
# This ConfigMap can be used to configure a self-hosted Canal installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: canal-config
  namespace: kube-system
data:
  # The interface used by canal for host <-> host communication.
  # If left blank, then the interface is chosen using the node's
  # default route.
  canal_iface: ""

  # Whether or not to masquerade traffic to destinations not within
  # the pod network.
  masquerade: "true"

  # The CNI network configuration to install on each node.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "ipam": {
            "type": "host-local",
            "subnet": "usePodCidr"
          },
          "policy": {
            "type": "k8s",
            "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
          },
          "kubernetes": {
            "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
            "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "capabilities": {"portMappings": true},
          "snat": true
        }
      ]
    }

  # Flannel network configuration. Mounted into the flannel container.
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }

---

# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: canal
  namespace: kube-system
  labels:
    k8s-app: canal
spec:
  selector:
    matchLabels:
      k8s-app: canal
  template:
    metadata:
      labels:
        k8s-app: canal
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostNetwork: true
      serviceAccountName: canal
      tolerations:
        # this taint is set by all kubelets running `--cloud-provider=external`
        # so we should tolerate it to schedule the canal pods
        - key: node.cloudprovider.kubernetes.io/uninitialized
          value: "true"
          effect: NoSchedule
        # Allow the pod to run on the master. This is required for
        # the master to communicate with pods.
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        # Mark the pod as a critical add-on for rescheduling.
        - key: "CriticalAddonsOnly"
          operator: "Exists"
      containers:
        # Runs calico/node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: quay.io/calico/node:v2.4.1
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Enable felix logging.
            - name: FELIX_LOGSEVERITYSYS
              value: "info"
            # Period, in seconds, at which felix re-applies all iptables state
            - name: FELIX_IPTABLESREFRESHINTERVAL
              value: "60"
            # Disable IPV6 support in Felix.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Don't enable BGP.
            - name: CALICO_NETWORKING_BACKEND
              value: "none"
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,canal"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # No IP address needed.
            - name: IP
              value: ""
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Set Felix endpoint to host default action to ACCEPT.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: quay.io/calico/cni:v1.10.0
          command: ["/install-cni.sh"]
          env:
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: cni_network_config
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
        # This container runs flannel using the kube-subnet-mgr backend
        # for allocating subnets.
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.9.1
          command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ]
          securityContext:
            privileged: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: FLANNELD_IFACE
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: canal_iface
            - name: FLANNELD_IP_MASQ
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: masquerade
          volumeMounts:
            - name: run
              mountPath: /run
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Used by flannel.
        - name: run
          hostPath:
            path: /run
        - name: flannel-cfg
          configMap:
            name: canal-config

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: canal
  namespace: kube-system
--------------------------------------------------------------------------------

/k8s-install/1.7/canal.yaml:
--------------------------------------------------------------------------------
# This ConfigMap can be used to configure a self-hosted Canal installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: canal-config
  namespace: kube-system
data:
  # The interface used by canal for host <-> host communication.
  # If left blank, then the interface is chosen using the node's
  # default route.
  canal_iface: ""

  # Whether or not to masquerade traffic to destinations not within
  # the pod network.
  masquerade: "true"

  # The CNI network configuration to install on each node.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "ipam": {
            "type": "host-local",
            "subnet": "usePodCidr"
          },
          "policy": {
            "type": "k8s",
            "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
          },
          "kubernetes": {
            "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
            "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "capabilities": {"portMappings": true},
          "snat": true
        }
      ]
    }

  # Flannel network configuration. Mounted into the flannel container.
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }

---

# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: canal
  namespace: kube-system
  labels:
    k8s-app: canal
spec:
  selector:
    matchLabels:
      k8s-app: canal
  template:
    metadata:
      labels:
        k8s-app: canal
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostNetwork: true
      serviceAccountName: canal
      tolerations:
        # this taint is set by all kubelets running `--cloud-provider=external`
        # so we should tolerate it to schedule the canal pods
        - key: node.cloudprovider.kubernetes.io/uninitialized
          value: "true"
          effect: NoSchedule
        # Allow the pod to run on the master. This is required for
        # the master to communicate with pods.
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        # Mark the pod as a critical add-on for rescheduling.
        - key: "CriticalAddonsOnly"
          operator: "Exists"
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      containers:
        # Runs calico/node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: quay.io/calico/node:v2.6.2
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Enable felix logging.
            - name: FELIX_LOGSEVERITYSYS
              value: "info"
            # Don't enable BGP.
            - name: CALICO_NETWORKING_BACKEND
              value: "none"
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,canal"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Period, in seconds, at which felix re-applies all iptables state
            - name: FELIX_IPTABLESREFRESHINTERVAL
              value: "60"
            # Disable IPV6 support in Felix.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # No IP address needed.
            - name: IP
              value: ""
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Set Felix endpoint to host default action to ACCEPT.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            - name: FELIX_HEALTHENABLED
              value: "true"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          readinessProbe:
            httpGet:
              path: /readiness
              port: 9099
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: quay.io/calico/cni:v1.11.0
          command: ["/install-cni.sh"]
          env:
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: cni_network_config
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
        # This container runs flannel using the kube-subnet-mgr backend
        # for allocating subnets.
        - name: kube-flannel
          image: quay.io/coreos/flannel:v0.9.1
          command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ]
          securityContext:
            privileged: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: FLANNELD_IFACE
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: canal_iface
            - name: FLANNELD_IP_MASQ
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: masquerade
          volumeMounts:
            - name: run
              mountPath: /run
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Used by flannel.
        - name: run
          hostPath:
            path: /run
        - name: flannel-cfg
          configMap:
            name: canal-config


# Create all the CustomResourceDefinitions needed for
# Calico policy-only mode.
---

apiVersion: apiextensions.k8s.io/v1beta1
description: Calico Global Felix Configuration
kind: CustomResourceDefinition
metadata:
  name: globalfelixconfigs.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalFelixConfig
    plural: globalfelixconfigs
    singular: globalfelixconfig

---

apiVersion: apiextensions.k8s.io/v1beta1
description: Calico Global BGP Configuration
kind: CustomResourceDefinition
metadata:
  name: globalbgpconfigs.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalBGPConfig
    plural: globalbgpconfigs
    singular: globalbgpconfig

---

apiVersion: apiextensions.k8s.io/v1beta1
description: Calico IP Pools
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPPool
    plural: ippools
    singular: ippool

---

apiVersion: apiextensions.k8s.io/v1beta1
description: Calico Global Network Policies
kind: CustomResourceDefinition
metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkPolicy
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: canal
  namespace: kube-system
--------------------------------------------------------------------------------

/k8s-install/canal_etcd_tls.yaml:
--------------------------------------------------------------------------------
# This ConfigMap can be used to configure a self-hosted Canal installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: canal-config
  namespace: kube-system
data:
  # Configure this with the location of your etcd cluster.
  etcd_endpoints: "https://127.0.0.1:2379"

  # The interface used by canal for host <-> host communication.
  # If left blank, then the interface is chosen using the node's
  # default route.
  canal_iface: ""

  # Whether or not to masquerade traffic to destinations not within
  # the pod network.
  masquerade: "true"

  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  cni_network_config: |-
    {
      "name": "canal",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "type": "calico",
            "etcd_endpoints": "__ETCD_ENDPOINTS__",
            "etcd_key_file": "__ETCD_KEY_FILE__",
            "etcd_cert_file": "__ETCD_CERT_FILE__",
            "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
            "log_level": "info",
            "policy": {
              "type": "k8s",
              "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
              "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
            },
            "kubernetes": {
              "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
            }
          }
        },
        {
          "type": "portmap",
          "capabilities": {"portMappings": true},
          "snat": true
        }
      ]
    }

  # If you're using TLS enabled etcd uncomment the following.
  # You must also populate the Secret below with these files.
  etcd_ca: ""   # "/calico-secrets/etcd-ca"
  etcd_cert: "" # "/calico-secrets/etcd-cert"
  etcd_key: ""  # "/calico-secrets/etcd-key"

---
# The following contains k8s Secrets for use with a TLS enabled etcd cluster.
# For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: calico-etcd-secrets
  namespace: kube-system
data:
  # Populate the following files with etcd TLS configuration if desired, but leave blank if
  # not using TLS for etcd.
  # This self-hosted install expects three files with the following names. The values
  # should be base64 encoded strings of the entire contents of each file.
  # etcd-key: ""
  # etcd-cert: ""
  # etcd-ca: ""

---

# This manifest installs the per-node agents, as well
# as the CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: canal-node
  namespace: kube-system
  labels:
    k8s-app: canal-node
spec:
  selector:
    matchLabels:
      k8s-app: canal-node
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        scheduler.alpha.kubernetes.io/tolerations: |
          [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
           {"key": "CriticalAddonsOnly", "operator": "Exists"}]
      labels:
        k8s-app: canal-node
    spec:
      hostNetwork: true
      serviceAccountName: canal
      containers:
        # Runs the flannel daemon to enable vxlan networking between
        # container hosts.
        - name: flannel
          image: quay.io/coreos/flannel:v0.9.1
          env:
            # The location of the etcd cluster.
            - name: FLANNELD_ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: etcd_endpoints
            # Location of the CA certificate for etcd.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: canal-config
                  key: etcd_ca
            # Location of the client key for etcd.
125 | - name: ETCD_KEY_FILE 126 | valueFrom: 127 | configMapKeyRef: 128 | name: canal-config 129 | key: etcd_key 130 | # Location of the client certificate for etcd. 131 | - name: ETCD_CERT_FILE 132 | valueFrom: 133 | configMapKeyRef: 134 | name: canal-config 135 | key: etcd_cert 136 | # Location of the CA certificate for etcd. 137 | - name: FLANNELD_ETCD_CAFILE 138 | valueFrom: 139 | configMapKeyRef: 140 | name: canal-config 141 | key: etcd_ca 142 | # Location of the client key for etcd. 143 | - name: FLANNELD_ETCD_KEYFILE 144 | valueFrom: 145 | configMapKeyRef: 146 | name: canal-config 147 | key: etcd_key 148 | # Location of the client certificate for etcd. 149 | - name: FLANNELD_ETCD_CERTFILE 150 | valueFrom: 151 | configMapKeyRef: 152 | name: canal-config 153 | key: etcd_cert 154 | # The interface flannel should run on. 155 | - name: FLANNELD_IFACE 156 | valueFrom: 157 | configMapKeyRef: 158 | name: canal-config 159 | key: canal_iface 160 | # Perform masquerade on traffic leaving the pod cidr. 161 | - name: FLANNELD_IP_MASQ 162 | valueFrom: 163 | configMapKeyRef: 164 | name: canal-config 165 | key: masquerade 166 | # Write the subnet.env file to the mounted directory. 167 | - name: FLANNELD_SUBNET_FILE 168 | value: "/run/flannel/subnet.env" 169 | securityContext: 170 | privileged: true 171 | volumeMounts: 172 | - mountPath: /etc/resolv.conf 173 | name: resolv 174 | - mountPath: /run/flannel 175 | name: run-flannel 176 | - mountPath: /calico-secrets 177 | name: etcd-certs 178 | # Runs calico/node container on each Kubernetes node. This 179 | # container programs network policy and local routes on each 180 | # host. 181 | - name: calico-node 182 | image: quay.io/calico/node:v2.4.1 183 | env: 184 | # The location of the etcd cluster. 185 | - name: ETCD_ENDPOINTS 186 | valueFrom: 187 | configMapKeyRef: 188 | name: canal-config 189 | key: etcd_endpoints 190 | # Location of the CA certificate for etcd. 
191 | - name: ETCD_CA_CERT_FILE 192 | valueFrom: 193 | configMapKeyRef: 194 | name: canal-config 195 | key: etcd_ca 196 | # Location of the client key for etcd. 197 | - name: ETCD_KEY_FILE 198 | valueFrom: 199 | configMapKeyRef: 200 | name: canal-config 201 | key: etcd_key 202 | # Location of the client certificate for etcd. 203 | - name: ETCD_CERT_FILE 204 | valueFrom: 205 | configMapKeyRef: 206 | name: canal-config 207 | key: etcd_cert 208 | # Disable Calico BGP. Calico is simply enforcing policy. 209 | - name: CALICO_NETWORKING_BACKEND 210 | value: "none" 211 | # Cluster type to identify the deployment type 212 | - name: CLUSTER_TYPE 213 | value: "k8s,canal" 214 | # Disable file logging so `kubectl logs` works. 215 | - name: CALICO_DISABLE_FILE_LOGGING 216 | value: "true" 217 | securityContext: 218 | privileged: true 219 | resources: 220 | requests: 221 | cpu: 250m 222 | volumeMounts: 223 | - mountPath: /lib/modules 224 | name: lib-modules 225 | readOnly: true 226 | - mountPath: /var/run/calico 227 | name: var-run-calico 228 | readOnly: false 229 | - mountPath: /calico-secrets 230 | name: etcd-certs 231 | # This container installs the Calico CNI binaries 232 | # and CNI network config file on each node. 233 | - name: install-calico-cni 234 | image: quay.io/calico/cni:v1.10.0 235 | imagePullPolicy: Always 236 | command: ["/install-cni.sh"] 237 | env: 238 | # The name of the CNI network config file to install. 239 | - name: CNI_CONF_NAME 240 | value: "10-canal.conflist" 241 | # The location of the etcd cluster. 242 | - name: ETCD_ENDPOINTS 243 | valueFrom: 244 | configMapKeyRef: 245 | name: canal-config 246 | key: etcd_endpoints 247 | # Location of the CA certificate for etcd. 248 | - name: ETCD_CA_CERT_FILE 249 | valueFrom: 250 | configMapKeyRef: 251 | name: canal-config 252 | key: etcd_ca 253 | # Location of the client key for etcd. 
254 | - name: ETCD_KEY_FILE 255 | valueFrom: 256 | configMapKeyRef: 257 | name: canal-config 258 | key: etcd_key 259 | # Location of the client certificate for etcd. 260 | - name: ETCD_CERT_FILE 261 | valueFrom: 262 | configMapKeyRef: 263 | name: canal-config 264 | key: etcd_cert 265 | # The CNI network config to install on each node. 266 | - name: CNI_NETWORK_CONFIG 267 | valueFrom: 268 | configMapKeyRef: 269 | name: canal-config 270 | key: cni_network_config 271 | volumeMounts: 272 | - mountPath: /host/opt/cni/bin 273 | name: cni-bin-dir 274 | - mountPath: /host/etc/cni/net.d 275 | name: cni-net-dir 276 | - mountPath: /calico-secrets 277 | name: etcd-certs 278 | volumes: 279 | # Used by calico/node. 280 | - name: lib-modules 281 | hostPath: 282 | path: /lib/modules 283 | - name: var-run-calico 284 | hostPath: 285 | path: /var/run/calico 286 | # Used to install CNI. 287 | - name: cni-bin-dir 288 | hostPath: 289 | path: /opt/cni/bin 290 | - name: cni-net-dir 291 | hostPath: 292 | path: /etc/cni/net.d 293 | # Used by flannel daemon. 294 | - name: run-flannel 295 | hostPath: 296 | path: /run/flannel 297 | - name: resolv 298 | hostPath: 299 | path: /etc/resolv.conf 300 | # Mount in the etcd TLS secrets. 301 | - name: etcd-certs 302 | secret: 303 | secretName: calico-etcd-secrets 304 | 305 | --- 306 | 307 | # This manifest deploys a Job which performs one time 308 | # configuration of Canal. 309 | apiVersion: batch/v1 310 | kind: Job 311 | metadata: 312 | name: configure-canal 313 | namespace: kube-system 314 | labels: 315 | k8s-app: canal 316 | spec: 317 | template: 318 | metadata: 319 | name: configure-canal 320 | spec: 321 | hostNetwork: true 322 | restartPolicy: OnFailure 323 | containers: 324 | # Writes basic flannel configuration to etcd. 
325 | - name: configure-flannel 326 | image: quay.io/coreos/etcd:v3.1.5 327 | command: 328 | - "etcdctl" 329 | - "--cert-file=/calico-secrets/etcd-cert" 330 | - "--key-file=/calico-secrets/etcd-key" 331 | - "--ca-file=/calico-secrets/etcd-ca" 332 | - "--no-sync" 333 | - "set" 334 | - "/coreos.com/network/config" 335 | - '{ "Network": "192.168.0.0/16", "Backend": {"Type": "vxlan"} }' 336 | env: 337 | # The location of the etcd cluster. 338 | - name: ETCDCTL_PEERS 339 | valueFrom: 340 | configMapKeyRef: 341 | name: canal-config 342 | key: etcd_endpoints 343 | # The location of the Calico etcd cluster. 344 | - name: ETCDCTL_CACERT 345 | valueFrom: 346 | configMapKeyRef: 347 | name: canal-config 348 | key: etcd_ca 349 | volumeMounts: 350 | # Mount in the etcd TLS secrets. 351 | - mountPath: /calico-secrets 352 | name: etcd-certs 353 | volumes: 354 | # Mount in the etcd TLS secrets. 355 | - name: etcd-certs 356 | secret: 357 | secretName: calico-etcd-secrets 358 | 359 | --- 360 | 361 | # This manifest deploys the Calico policy controller on Kubernetes. 362 | # See https://github.com/projectcalico/k8s-policy 363 | apiVersion: extensions/v1beta1 364 | kind: Deployment 365 | metadata: 366 | name: calico-policy-controller 367 | namespace: kube-system 368 | labels: 369 | k8s-app: calico-policy 370 | spec: 371 | # The policy controller can only have a single active instance. 372 | replicas: 1 373 | template: 374 | metadata: 375 | name: calico-policy-controller 376 | namespace: kube-system 377 | labels: 378 | k8s-app: calico-policy 379 | spec: 380 | # The policy controller must run in the host network namespace so that 381 | # it isn't governed by policy that would prevent it from working. 382 | hostNetwork: true 383 | containers: 384 | - name: calico-policy-controller 385 | image: quay.io/calico/kube-policy-controller:v0.7.0 386 | env: 387 | # The location of the Calico etcd cluster. 
388 | - name: ETCD_ENDPOINTS 389 | valueFrom: 390 | configMapKeyRef: 391 | name: canal-config 392 | key: etcd_endpoints 393 | # Location of the CA certificate for etcd. 394 | - name: ETCD_CA_CERT_FILE 395 | valueFrom: 396 | configMapKeyRef: 397 | name: canal-config 398 | key: etcd_ca 399 | # Location of the client key for etcd. 400 | - name: ETCD_KEY_FILE 401 | valueFrom: 402 | configMapKeyRef: 403 | name: canal-config 404 | key: etcd_key 405 | # Location of the client certificate for etcd. 406 | - name: ETCD_CERT_FILE 407 | valueFrom: 408 | configMapKeyRef: 409 | name: canal-config 410 | key: etcd_cert 411 | # The location of the Kubernetes API. Use the default Kubernetes 412 | # service for API access. 413 | - name: K8S_API 414 | value: "https://kubernetes.default:443" 415 | # Since we're running in the host namespace and might not have KubeDNS 416 | # access, configure the container's /etc/hosts to resolve 417 | # kubernetes.default to the correct service clusterIP. 418 | - name: CONFIGURE_ETC_HOSTS 419 | value: "true" 420 | volumeMounts: 421 | # Mount in the etcd TLS secrets. 422 | - mountPath: /calico-secrets 423 | name: etcd-certs 424 | volumes: 425 | # Mount in the etcd TLS secrets. 
426 | - name: etcd-certs 427 | secret: 428 | secretName: calico-etcd-secrets 429 | 430 | --- 431 | 432 | apiVersion: rbac.authorization.k8s.io/v1beta1 433 | kind: ClusterRoleBinding 434 | metadata: 435 | name: canal 436 | roleRef: 437 | apiGroup: rbac.authorization.k8s.io 438 | kind: ClusterRole 439 | name: canal 440 | subjects: 441 | - kind: ServiceAccount 442 | name: canal 443 | namespace: kube-system 444 | 445 | --- 446 | 447 | kind: ClusterRole 448 | apiVersion: rbac.authorization.k8s.io/v1beta1 449 | metadata: 450 | name: canal 451 | rules: 452 | - apiGroups: [""] 453 | resources: 454 | - pods 455 | - nodes 456 | verbs: 457 | - get 458 | 459 | --- 460 | 461 | apiVersion: v1 462 | kind: ServiceAccount 463 | metadata: 464 | name: canal 465 | namespace: kube-system 466 | --------------------------------------------------------------------------------
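The etcd TLS wiring in canal_etcd_tls.yaml spans three objects: the canal-config ConfigMap paths (etcd_ca, etcd_cert, etcd_key), the calico-etcd-secrets Secret keys (etcd-ca, etcd-cert, etcd-key) and the /calico-secrets mount used by the DaemonSet, Job and Deployment. The check below is an added example, not code from the Canal repository: it takes both objects' data already parsed into dicts (constructed samples with placeholder PEM bodies, not real credentials) and reports mismatches that would leave the agents unable to authenticate, or talking to etcd without TLS. The names check_etcd_tls, CONFIGMAP_DATA, SECRET_DATA and PAIRS are assumptions of this example.

```python
import base64
import binascii

# Mount path the DaemonSet, Job and Deployment use for the calico-etcd-secrets Secret.
SECRET_MOUNT = "/calico-secrets"
# ConfigMap key paired with the Secret key the manifest expects (assumed pairing, per the comments).
PAIRS = (("etcd_ca", "etcd-ca"), ("etcd_cert", "etcd-cert"), ("etcd_key", "etcd-key"))


def check_etcd_tls(configmap_data, secret_data, mount=SECRET_MOUNT):
    """Return a list of findings; an empty list means the TLS wiring is consistent."""
    findings = []
    endpoints = [e.strip() for e in configmap_data.get("etcd_endpoints", "").split(",") if e.strip()]
    if not endpoints:
        return ["etcd_endpoints is empty: no agent can reach etcd"]
    plain = [e for e in endpoints if not e.startswith("https://")]
    if plain:
        findings.append(f"non-TLS etcd endpoint(s) {plain}: flannel config and Calico policy data travel unencrypted")
    tls = not plain
    for cm_key, secret_key in PAIRS:
        path = configmap_data.get(cm_key, "")
        if tls and not path:
            findings.append(f"{cm_key} is empty although etcd_endpoints uses https")
        elif path and path != f"{mount}/{secret_key}":
            findings.append(f"{cm_key}={path!r} does not match the Secret key mounted at {mount}/{secret_key}")
        blob = secret_data.get(secret_key, "")
        if tls and not blob:
            findings.append(f"Secret key {secret_key} is missing or empty")
            continue
        if blob:
            try:
                if not base64.b64decode(blob, validate=True):
                    findings.append(f"Secret key {secret_key} decodes to an empty file")
            except binascii.Error:
                findings.append(f"Secret key {secret_key} is not valid base64 (Secret data must be base64, not raw PEM)")
    return findings


# Constructed sample mirroring the manifest with its TLS lines uncommented; PEM bodies are placeholders.
CONFIGMAP_DATA = {
    "etcd_endpoints": "https://127.0.0.1:2379",
    "etcd_ca": "/calico-secrets/etcd-ca",
    "etcd_cert": "/calico-secrets/etcd-cert",
    "etcd_key": "/calico-secrets/etcd-key",
}
SECRET_DATA = {
    key: base64.b64encode(f"-----BEGIN PLACEHOLDER {key}-----\n".encode()).decode()
    for key in ("etcd-ca", "etcd-cert", "etcd-key")
}

if __name__ == "__main__":
    for line in check_etcd_tls(CONFIGMAP_DATA, SECRET_DATA) or ["ok: etcd TLS wiring is consistent"]:
        print(line)
```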